Botnet DoS?
#1
OS: Ubuntu 8.04 64-bit (fully updated)
CPU: 2.2ghz Athlon64x2
RAM: 2.0gb
Kernel: 2.6.24-28-generic
Using arno-iptables-firewall + additional rules I've messed around with trying to fix this....

For 2 days now, my server has been hit hard by something. I will provide any logs/details as needed and as much relevant info right now, as I can think of.

The server went down approx. 36 hours ago. Pings range from hundreds to thousands, up to full timeout on HLSW. The server no longer registers on steam server list.

I use port 27019 and if I configure it to run on any other port, the effect clears up. If I simply block ALL IPs via iptables, but my own, the problem clears up.

Is anybody else having this problem? It sure seems like a directed/targeted attack. I have tried every possible solution I can find using iptables, and nothing even changes it other than moving the server to a different port.

The server in question is :: Abusement Park :: Roleplay: http://apcommunity.org - 70.38.37.71:27019

I've tried disabling all addons, however, normally we run DAF (dos attack fix), rcon_block and a couple other basic/typical exploit fixing plugins.

'netstat -tan' shows no IPs connected to 27019 - only to port 80 which is fine/normal. I see nothing out of the ordinary there.

Syslog shows many many IPs attempting to connect to a variety of 270** ports, but I see no rational way of trying to block them all.

DAF logged a huge botnet attack a few months ago, consisting of over 780 IPs, all of which I have blocked with a little script I cooked up that adds them one by one via iptables. That seemed to clear up the problem for about 4 hours before the (what I'm considering now to be an) attack resumed. And again today, it stopped for about 1-2 hours.

I'm totally at a loss. Again, I'll provide any further details I can, but I really don't want to have to move my server to another port, or else lose gametracker ranks (unless I just don't know how to edit my server's details with them). Not to mention, if somebody is targeting me, it won't take them long to start attacking the new port......

Please help and thank you in advance!!

Here's some additional info:
# netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:60000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 70.38.37.71:27019 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:12525 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 70.38.37.71:80 64.228.68.73:49614 SYN_RECV
tcp 0 0 127.0.0.1:9876 0.0.0.0:* LISTEN
tcp 0 0 70.38.43.158:53 0.0.0.0:* LISTEN
tcp 0 0 70.38.43.157:53 0.0.0.0:* LISTEN
tcp 0 0 70.38.43.156:53 0.0.0.0:* LISTEN
tcp 0 0 70.38.43.155:53 0.0.0.0:* LISTEN
tcp 0 0 70.38.43.154:53 0.0.0.0:* LISTEN
tcp 0 0 70.38.43.153:53 0.0.0.0:* LISTEN
tcp 0 0 70.38.37.71:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN
tcp 0 0 70.38.37.71:80 195.191.54.237:3884 TIME_WAIT
tcp 0 0 70.38.37.71:80 66.249.71.182:38100 TIME_WAIT
tcp 0 0 70.38.37.71:80 66.249.71.182:57687 ESTABLISHED
tcp 0 0 70.38.37.71:80 198.7.228.29:49151 TIME_WAIT
tcp 0 0 70.38.37.71:80 195.191.54.237:4118 TIME_WAIT
tcp 0 0 70.38.37.71:80 195.191.54.237:4410 TIME_WAIT
tcp 0 0 70.38.37.71:80 195.191.54.237:4617 TIME_WAIT
tcp 0 0 70.38.37.71:80 195.191.54.237:4336 TIME_WAIT
tcp 0 0 70.38.37.71:80 195.191.54.237:4389 TIME_WAIT
tcp 0 0 70.38.37.71:80 195.191.54.237:4364 TIME_WAIT
tcp 0 0 70.38.37.71:80 198.7.228.29:47896 TIME_WAIT
tcp 0 0 70.38.37.71:80 198.7.228.29:48876 TIME_WAIT
tcp6 0 0 :::48939 :::* LISTEN
tcp6 0 0 :::110 :::* LISTEN
tcp6 0 0 :::1935 :::* LISTEN
tcp6 0 0 :::9999 :::* LISTEN
tcp6 0 0 :::143 :::* LISTEN
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::5080 :::* LISTEN
tcp6 0 0 :::8088 :::* LISTEN
tcp6 0 0 ::1:953 :::* LISTEN
tcp6 0 0 :::8443 :::* LISTEN
tcp6 0 0 70.38.37.71:48939 70.38.37.71:41800 ESTABLISHED
tcp6 0 0 70.38.37.71:41800 70.38.37.71:48939 ESTABLISHED

Latest page from /var/log/syslog:
Feb 14 19:35:01 cl-t133-040cl postfix/cleanup[29050]: 6E4B68B6490: message-id=<20110215003501.6E4B68B6490@cl-t133-040cl>
Feb 14 19:35:01 cl-t133-040cl postfix/qmgr[6112]: 6E4B68B6490: from=<root@cl-t133-040cl.local>, size=651, nrcpt=1 (queue active)
Feb 14 19:35:01 cl-t133-040cl postfix/local[1732]: 6E4B68B6490: to=<root@cl-t133-040cl.local>, orig_to=<root>, relay=local, delay=0.07, delays=0.06/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Feb 14 19:35:01 cl-t133-040cl postfix/qmgr[6112]: 6E4B68B6490: removed
Feb 14 19:35:16 cl-t133-040cl kernel: [68985.385700] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:05:74:94:35:00:08:00 SRC=209.59.171.92 DST=70.38.37.71 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=4304 DF PROTO=TCP SPT=1571 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 14 19:35:19 cl-t133-040cl kernel: [68988.357392] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:05:74:94:35:00:08:00 SRC=209.59.171.92 DST=70.38.37.71 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=6215 DF PROTO=TCP SPT=1571 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 14 19:35:29 cl-t133-040cl kernel: [68998.012432] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:05:74:94:35:00:08:00 SRC=209.59.171.92 DST=70.38.43.152 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=11856 DF PROTO=TCP SPT=4752 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 14 19:35:30 cl-t133-040cl kernel: [68999.075732] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:05:74:94:35:00:08:00 SRC=99.2.112.58 DST=70.38.37.71 LEN=53 TOS=0x00 PREC=0x00 TTL=116 ID=24224 PROTO=UDP SPT=58104 DPT=27050 LEN=33
Feb 14 19:35:32 cl-t133-040cl kernel: [69000.893992] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:05:74:94:35:00:08:00 SRC=24.200.185.190 DST=70.38.37.71 LEN=53 TOS=0x00 PREC=0x00 TTL=121 ID=17793 PROTO=UDP SPT=54465 DPT=27040 LEN=33
Feb 14 19:35:40 cl-t133-040cl kernel: [69009.722213] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:05:74:94:35:00:08:00 SRC=24.11.209.43 DST=70.38.37.71 LEN=53 TOS=0x00 PREC=0x00 TTL=113 ID=29208 PROTO=UDP SPT=55546 DPT=27040 LEN=33
Feb 14 19:36:01 cl-t133-040cl kernel: [69030.184279] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:05:74:94:35:00:08:00 SRC=184.161.21.212 DST=70.38.37.71 LEN=53 TOS=0x00 PREC=0x00 TTL=121 ID=768 PROTO=UDP SPT=64377 DPT=27017 LEN=33
Feb 14 19:36:01 cl-t133-040cl /USR/SBIN/CRON[1928]: (root) CMD (cd /usr/share/dtc/admin && nice -n+20 /usr/share/dtc/admin/rrdtool.sh >> /var/log/dtc.log)
Feb 14 19:36:01 cl-t133-040cl postfix/pickup[1541]: 774AE8B6490: uid=0 from=<root>
Feb 14 19:36:01 cl-t133-040cl postfix/cleanup[29050]: 774AE8B6490: message-id=<20110215003601.774AE8B6490@cl-t133-040cl>
Feb 14 19:36:01 cl-t133-040cl postfix/qmgr[6112]: 774AE8B6490: from=<root@cl-t133-040cl.local>, size=651, nrcpt=1 (queue active)
Feb 14 19:36:01 cl-t133-040cl postfix/local[1732]: 774AE8B6490: to=<root@cl-t133-040cl.local>, orig_to=<root>, relay=local, delay=0.04, delays=0.04/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Feb 14 19:36:01 cl-t133-040cl postfix/qmgr[6112]: 774AE8B6490: removed
Feb 14 19:36:10 cl-t133-040cl kernel: [69039.580231] Connection attempt (PRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:d0:00:c6:64:00:08:00 SRC=208.13.130.96 DST=70.38.37.71 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=6679 DF PROTO=TCP SPT=3429 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 14 19:36:13 cl-t133-040cl kernel: [69042.497423] Connection attempt (PRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:d0:00:c6:64:00:08:00 SRC=208.13.130.96 DST=70.38.37.71 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=7156 DF PROTO=TCP SPT=3429 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 14 19:36:17 cl-t133-040cl postfix/qmgr[6112]: 3759F8B63AA: from=<www-data@cl-t133-040cl.local>, size=1036, nrcpt=1 (queue active)
Feb 14 19:36:18 cl-t133-040cl postfix/smtp[1934]: 3759F8B63AA: host mx.yandex.ru[93.158.134.89] said: 451 4.5.1 The recipient <frol45evg@yandex.com> has exceeded their message rate limit. Try again later. aCteeckk-aDtWgQ6L (in reply to end of DATA command)
Feb 14 19:36:19 cl-t133-040cl postfix/smtp[1934]: 3759F8B63AA: to=<frol45evg@yandex.com>, relay=mx.yandex.ru[87.250.250.89]:25, delay=292358, delays=292356/0.01/1.6/0.51, dsn=4.5.1, status=deferred (host mx.yandex.ru[87.250.250.89] said: 451 4.5.1 The recipient <frol45evg@yandex.com> has exceeded their message rate limit. Try again later. aDR8ce4i-aERCx648 (in reply to end of DATA command))
Feb 14 19:36:22 cl-t133-040cl kernel: [69051.070632] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:05:74:94:35:00:08:00 SRC=24.37.171.76 DST=70.38.37.71 LEN=53 TOS=0x00 PREC=0x00 TTL=122 ID=25882 PROTO=UDP SPT=55583 DPT=27040 LEN=33
Feb 14 19:36:23 cl-t133-040cl kernel: [69052.690272] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:05:74:94:35:00:08:00 SRC=173.17.174.212 DST=70.38.37.71 LEN=53 TOS=0x00 PREC=0x00 TTL=111 ID=3699 PROTO=UDP SPT=2034 DPT=27045 LEN=33
Feb 14 19:36:59 cl-t133-040cl kernel: [69088.515746] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:05:74:94:35:00:08:00 SRC=173.17.174.212 DST=70.38.37.71 LEN=53 TOS=0x00 PREC=0x00 TTL=111 ID=4919 PROTO=UDP SPT=2047 DPT=27045 LEN=33
Feb 14 19:37:01 cl-t133-040cl /USR/SBIN/CRON[1938]: (root) CMD (cd /usr/share/dtc/admin && nice -n+20 /usr/share/dtc/admin/rrdtool.sh >> /var/log/dtc.log)
Feb 14 19:37:01 cl-t133-040cl postfix/pickup[1541]: 7B9048B6490: uid=0 from=<root>
Feb 14 19:37:01 cl-t133-040cl postfix/cleanup[29050]: 7B9048B6490: message-id=<20110215003701.7B9048B6490@cl-t133-040cl>
Feb 14 19:37:01 cl-t133-040cl postfix/qmgr[6112]: 7B9048B6490: from=<root@cl-t133-040cl.local>, size=651, nrcpt=1 (queue active)
Feb 14 19:37:01 cl-t133-040cl postfix/local[1732]: 7B9048B6490: to=<root@cl-t133-040cl.local>, orig_to=<root>, relay=local, delay=0.03, delays=0.02/0/0/0.01, dsn=2.0.0, status=sent (delivered to command: procmail -a "$EXTENSION")
Feb 14 19:37:01 cl-t133-040cl postfix/qmgr[6112]: 7B9048B6490: removed
Feb 14 19:37:02 cl-t133-040cl kernel: [69091.635821] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:05:74:94:35:00:08:00 SRC=24.197.26.200 DST=70.38.37.71 LEN=53 TOS=0x00 PREC=0x00 TTL=112 ID=38979 PROTO=UDP SPT=2169 DPT=27017 LEN=33
Feb 14 19:37:06 cl-t133-040cl kernel: [69095.096938] Connection attempt (PRIV): IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1b:21:1b:9c:35:08:00 SRC=70.38.37.74 DST=70.38.37.95 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=25966 PROTO=UDP SPT=137 DPT=137 LEN=58
Feb 14 19:37:12 cl-t133-040cl kernel: [69101.359070] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:d0:00:c6:64:00:08:00 SRC=71.179.81.12 DST=70.38.37.71 LEN=53 TOS=0x00 PREC=0x00 TTL=116 ID=1912 PROTO=UDP SPT=54252 DPT=27017 LEN=33
Feb 14 19:37:42 cl-t133-040cl kernel: [69131.524929] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:05:74:94:35:00:08:00 SRC=69.212.33.195 DST=70.38.37.71 LEN=53 TOS=0x00 PREC=0x00 TTL=113 ID=30269 PROTO=UDP SPT=56713 DPT=27017 LEN=33
Feb 14 19:37:42 cl-t133-040cl kernel: [69131.551906] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:1b:21:22:da:6c:00:05:74:94:35:00:08:00 SRC=69.212.33.195 DST=70.38.37.71 LEN=53 TOS=0x00 PREC=0x00 TTL=113 ID=30283 PROTO=UDP SPT=56713 DPT=27050 LEN=33
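As an added example (not code from the original thread), a small Python script that parses firewall log lines in the format shown in the syslog excerpt above and aggregates the UDP hits on the 270** ports per source IP and per destination port, so the many logged IPs can be told apart from a few heavy hitters before any block rule is written. The sample log lines are constructed with RFC 5737 test addresses; the 270 port prefix and the hit threshold are assumptions.

```python
import re
from collections import Counter, defaultdict

# Matches the "Connection attempt" lines the firewall logs via the kernel
# (field layout as in the syslog excerpt above); other lines are ignored.
LOG_RE = re.compile(
    r"kernel: \[[^\]]*\] Connection attempt \((?P<cls>PRIV|UNPRIV)\): .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?"
    r"PROTO=(?P<proto>\w+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return the interesting fields of one firewall log line, or None."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def summarize(log_text, proto="UDP", port_prefix="270"):
    """Hits per source IP, hits per destination port, and the set of ports
    each source touched (one port many times = flood, many ports = scan)."""
    by_src, by_dpt = Counter(), Counter()
    ports_per_src = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec is None or rec["proto"] != proto
                or not rec["dpt"].startswith(port_prefix)):
            continue
        by_src[rec["src"]] += 1
        by_dpt[rec["dpt"]] += 1
        ports_per_src[rec["src"]].add(rec["dpt"])
    return by_src, by_dpt, ports_per_src

def noisy_sources(by_src, threshold):
    """Sources with at least `threshold` hits: review before adding a block rule."""
    return sorted(ip for ip, n in by_src.items() if n >= threshold)

# Constructed sample in the page's log format (RFC 5737 test addresses).
SAMPLE_LOG = """\
Feb 14 19:35:01 host postfix/qmgr[6112]: 6E4B68B6490: removed
Feb 14 19:35:16 host kernel: [68985.385700] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=4304 DF PROTO=TCP SPT=1571 DPT=8443 WINDOW=65535 RES=0x00 SYN URGP=0
Feb 14 19:35:30 host kernel: [68999.075732] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=53 TOS=0x00 PREC=0x00 TTL=116 ID=24224 PROTO=UDP SPT=58104 DPT=27050 LEN=33
Feb 14 19:35:32 host kernel: [69000.893992] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=53 TOS=0x00 PREC=0x00 TTL=116 ID=17793 PROTO=UDP SPT=58105 DPT=27040 LEN=33
Feb 14 19:36:01 host kernel: [69030.184279] Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=198.51.100.22 DST=192.0.2.10 LEN=53 TOS=0x00 PREC=0x00 TTL=121 ID=768 PROTO=UDP SPT=64377 DPT=27017 LEN=33
"""

if __name__ == "__main__":
    src, dpt, ports = summarize(SAMPLE_LOG)
    print("hits per source:", dict(src), "hits per game port:", dict(dpt))
    print("block candidates (>=2 hits):", noisy_sources(src, 2))
```

Run it against the real /var/log/syslog instead of SAMPLE_LOG and a source that hits one port hundreds of times stands out from the background of single probes across many 270** ports.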
#2
Those connection attempts are only logged because you have some iptables rule that tells it to do so. Maybe you should disable it; if you have many hits to that rule it could be a performance penalty.

On the other hand, if you are sure it is an attack that causes those entries, you can block all the IPs using iptables...

BTW: netstat doesn't show connections to game servers as they are using the connectionless UDP protocol...
http://www.fpsmeter.org
http://wiki.fragaholics.de/index.php/EN:Linux_Optimization_Guide (Linux Kernel HOWTO!)
Do not ask technical questions via PM!
#3
Thanks for the reply...I learned later that a competing HL2M roleplay server was also being hit in tandem with mine, making it extremely likely an attack. However, evidence is stacking against it being a botnet, which is good.

As far as UDP being connectionless, it never occurred to me...lol! Now that my head is out of my arse on that one, I have a much better chance of tracking this down and stopping it. It's always good to run things past other people, because in the fury of trying to save your ship, it's quite easy to overlook some really fundamental things.

I'll post back to this if I can track down what's going on, however, it has stopped for now....