I have logcheck configured to send me daily reports of system log anomalies, and expect to see endless port scans and cracking attempts from all over the world. However, for the last week or so, I've been getting entries like below, always with the same source address...which belongs to apple.com.
Code:
Feb 7 12:32:56 zero kernel: Shorewall:logflags:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=17.10.13.204 DST=XX.XX.XX.XX LEN=50 TOS=0x00 PREC=0x00 TTL=51 ID=100 PROTO=TCP SPT=48696 DPT=80 WINDOW=32767 RES=0x00 URGP=0
Feb 7 12:32:56 zero kernel: Shorewall:logflags:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=17.10.13.204 DST=XX.XX.XX.XX LEN=50 TOS=0x00 PREC=0x00 TTL=52 ID=100 PROTO=TCP SPT=48640 DPT=80 WINDOW=32767 RES=0x00 URGP=0
Feb 7 12:32:56 zero kernel: Shorewall:logflags:DROP:IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=17.10.13.204 DST=XX.XX.XX.XX LEN=50 TOS=0x00 PREC=0x00 TTL=51 ID=100 PROTO=TCP SPT=48696 DPT=80 WINDOW=32767 RES=0x00 URGP=0
The destination port is always 80. Of course I can blacklist this IP, but I'm curious as to what is going on here. Any ideas?
FAQ
Search
Members
Register
Login [ Anonymous ]
