Quote:
Originally Posted by unSpawn
Hello and welcome to LQ, hope you like it here.
the modem on my firewall box will be receiving packets (and acknowledging them)
Please don't talk *about* things, show the logs instead.
BTW, did you audit the box in any way? System and application logs? Login entries? Tiger? Chkrootkit? Aide? Rootkit Hunter?
Thanks for the non-automated welcome, unSpawn.
I've just started going through the logs, spurred by pangs of guilt you've inspired. I did run both chkrootkit and rkhunter on both machines that were running at the time, and they found little to complain about. (ssh root logins enabled on both, plus hidden directories, harmless, I think, in /dev.) I also checked my firewall at https://www.grc.com/x/ne.dll?bh0bkyd2 (link found over at Linux Forums in the "A short guide to security" sticky post in the security forum). The firewall came up clean, but that was after a reboot, so I don't know if it was working right when I pulled the plug.
Now for the logfiles:
(Lines starting with #Non are my comments)
For the relevant time period I see in user.log:
Jul 12 12:44:18 localhost shutdown[6872]: shutting down for system halt
Jul 12 12:44:23 localhost cupsd: Unable to open log file "/var/log/cups/error_log" - Permission denied
Jul 12 13:29:33 localhost hpiod: 0.9.7 accepting connections at 56232...
#Non This seems to mean that I pulled the plug (politely) at 12:44:18 and
#Non powered up again about 3/4 hour later.
Starting from 9:52:39 local time yesterday, syslog reads: (you asked for it)
Jul 12 09:52:39 localhost kernel: [37938.186736] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.103.153 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=36385 PROTO=UDP SPT=34735 DPT=1028 LEN=492
Jul 12 09:52:39 localhost dnsmasq[4821]: query[AAAA] gcc.gnu.org from 192.168.0.100
Jul 12 09:52:39 localhost dnsmasq[4821]: forwarded gcc.gnu.org to 203.194.27.57
#Non Here's me looking for the compiler
Jul 12 09:52:40 localhost dnsmasq[4821]: reply gcc.gnu.org is <NODATA>-IPv6
Jul 12 09:52:40 localhost dnsmasq[4821]: query[AAAA] gcc.gnu.org.localnet from 192.168.0.100
Jul 12 09:52:40 localhost dnsmasq[4821]: config gcc.gnu.org.localnet is <NXDOMAIN>-IPv6
Jul 12 09:52:40 localhost dnsmasq[4821]: query[A] gcc.gnu.org from 192.168.0.100
Jul 12 09:52:40 localhost dnsmasq[4821]: forwarded gcc.gnu.org to 203.194.27.57
Jul 12 09:52:40 localhost dnsmasq[4821]: reply gcc.gnu.org is 209.132.176.174
Jul 12 09:52:43 localhost dnsmasq[4821]: query[AAAA] www.w3.org from 192.168.0.100
Jul 12 09:52:43 localhost dnsmasq[4821]: forwarded www.w3.org to 203.194.27.57
Jul 12 09:52:43 localhost dnsmasq[4821]: reply www.w3.org is <NODATA>-IPv6
Jul 12 09:52:43 localhost dnsmasq[4821]: query[AAAA] www.w3.org.localnet from 192.168.0.100
Jul 12 09:52:43 localhost dnsmasq[4821]: config www.w3.org.localnet is <NXDOMAIN>-IPv6
Jul 12 09:52:43 localhost dnsmasq[4821]: query[A] www.w3.org from 192.168.0.100
Jul 12 09:52:43 localhost dnsmasq[4821]: forwarded www.w3.org to 203.194.27.57
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 128.30.52.47
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 128.30.52.52
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 128.30.52.53
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 128.30.52.54
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 193.51.208.69
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 128.30.52.31
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 128.30.52.45
Jul 12 09:52:44 localhost dnsmasq[4821]: reply www.w3.org is 128.30.52.46
Jul 12 09:53:32 localhost dnsmasq[4821]: query[AAAA] ftp.dti.ad.jp from 192.168.0.100
Jul 12 09:53:32 localhost dnsmasq[4821]: forwarded ftp.dti.ad.jp to 203.194.27.57
#Non Here's me selecting a mirror in Japan.
Jul 12 09:53:33 localhost dnsmasq[4821]: reply ftp.dti.ad.jp is 2001:2e8:22:12::2
Jul 12 09:53:33 localhost dnsmasq[4821]: query[A] ftp.dti.ad.jp from 192.168.0.100
Jul 12 09:53:33 localhost dnsmasq[4821]: forwarded ftp.dti.ad.jp to 203.194.27.57
Jul 12 09:53:33 localhost dnsmasq[4821]: reply ftp.dti.ad.jp is 202.216.228.228
Jul 12 09:53:36 localhost dnsmasq[4821]: query[AAAA] graeme-vaio.localnet from 192.168.0.100
Jul 12 09:53:36 localhost dnsmasq[4821]: config graeme-vaio.localnet is <NODATA>-IPv6
Jul 12 09:54:32 localhost kernel: [38051.441413] 'PASS-unknown:'IN=eth0 OUT=ppp0 SRC=192.168.0.100 DST=72.5.124.95 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=51351 DF PROTO=TCP SPT=43701 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
Jul 12 09:54:53 localhost kernel: [38072.337619] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.98 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=41017 DPT=1026 LEN=466
Jul 12 09:55:06 localhost dnsmasq[4821]: query[AAAA] sb.google.com from 192.168.0.100
Jul 12 09:55:06 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 09:55:11 localhost dnsmasq[4821]: query[AAAA] sb.google.com from 192.168.0.100
Jul 12 09:55:11 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.56.150
Jul 12 09:55:11 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 09:55:12 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 09:55:12 localhost dnsmasq[4821]: reply sb.l.google.com is <NODATA>-IPv6
Jul 12 09:55:12 localhost dnsmasq[4821]: query[A] sb.google.com from 192.168.0.100
Jul 12 09:55:12 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 09:55:12 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 09:55:14 localhost dnsmasq[4821]: query[AAAA] www.sohpodcast.com from 192.168.0.100
Jul 12 09:55:14 localhost dnsmasq[4821]: forwarded www.sohpodcast.com to 203.194.27.57
Jul 12 09:55:16 localhost kernel: [38094.819748] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.51.94 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=45159 PROTO=UDP SPT=5302 DPT=1026 LEN=492
Jul 12 09:55:16 localhost kernel: [38094.911694] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.51.94 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=45160 PROTO=UDP SPT=5302 DPT=1027 LEN=492
Jul 12 09:55:16 localhost kernel: [38095.003689] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.51.94 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=45161 PROTO=UDP SPT=5302 DPT=1028 LEN=492
Jul 12 09:55:17 localhost dnsmasq[4821]: query[A] sb.google.com from 192.168.0.100
Jul 12 09:55:17 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 09:55:17 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.56.150
Jul 12 09:55:17 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 09:55:17 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 09:55:17 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.93
Jul 12 09:55:17 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.95
Jul 12 09:55:17 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.91
Jul 12 09:55:19 localhost dnsmasq[4821]: query[AAAA] www.sohpodcast.com from 192.168.0.100
Jul 12 09:55:19 localhost dnsmasq[4821]: forwarded www.sohpodcast.com to 203.194.56.150
Jul 12 09:55:19 localhost dnsmasq[4821]: forwarded www.sohpodcast.com to 203.194.27.57
Jul 12 09:55:20 localhost dnsmasq[4821]: reply www.sohpodcast.com is <NODATA>-IPv6
Jul 12 09:55:20 localhost dnsmasq[4821]: query[AAAA] www.sohpodcast.com.localnet from 192.168.0.100
Jul 12 09:55:20 localhost dnsmasq[4821]: config www.sohpodcast.com.localnet is <NXDOMAIN>-IPv6
Jul 12 09:55:20 localhost dnsmasq[4821]: query[A] www.sohpodcast.com from 192.168.0.100
Jul 12 09:55:20 localhost dnsmasq[4821]: forwarded www.sohpodcast.com to 203.194.27.57
Jul 12 09:55:25 localhost dnsmasq[4821]: query[A] www.sohpodcast.com from 192.168.0.100
Jul 12 09:55:25 localhost dnsmasq[4821]: forwarded www.sohpodcast.com to 203.194.56.150
Jul 12 09:55:25 localhost dnsmasq[4821]: forwarded www.sohpodcast.com to 203.194.27.57
Jul 12 09:55:26 localhost dnsmasq[4821]: reply www.sohpodcast.com is 68.225.16.140
Jul 12 09:55:47 localhost kernel: [38125.945543] 'PASS-unknown:'IN=eth0 OUT=ppp0 SRC=192.168.0.100 DST=72.5.124.95 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=51352 DF PROTO=TCP SPT=43701 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
Jul 12 09:57:38 localhost kernel: [38237.052657] 'PASS-unknown:'IN=eth0 OUT=ppp0 SRC=192.168.0.100 DST=68.225.16.140 LEN=355 TOS=0x00 PREC=0x00 TTL=63 ID=53458 DF PROTO=TCP SPT=34906 DPT=80 WINDOW=46 RES=0x00 ACK PSH FIN URGP=0
Jul 12 09:59:20 localhost kernel: [38339.495763] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.104 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=50614 DPT=1026 LEN=466
#Non What are these? Dropped packets, perhaps??
#Non Anyhow, I get a lot of them cluttering up syslog.
Jul 12 10:16:49 localhost kernel: [39387.586518] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.98 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=49857 DPT=1027 LEN=466
Jul 12 10:17:01 localhost /USR/SBIN/CRON[6790]: (root) CMD ( run-parts --report /etc/cron.hourly)
Jul 12 10:17:15 localhost kernel: [39414.520192] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=202.97.238.203 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=59025 DPT=1026 LEN=465
...
Jul 12 10:24:41 localhost kernel: [39859.762653] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=202.97.238.199 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=57419 DPT=1026 LEN=465
Jul 12 10:25:04 localhost kernel: [39883.028698] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.96 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=34142 DPT=1026 LEN=466
Jul 12 10:25:46 localhost kernel: [39924.717175] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.93 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=47906 DPT=1026 LEN=466
Jul 12 10:25:46 localhost kernel: [39924.801112] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.93 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=47906 DPT=1027 LEN=466
...
Jul 12 10:32:14 localhost kernel: [40313.276291] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.65.2.2 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=35343 PROTO=UDP SPT=4379 DPT=1028 LEN=492
Jul 12 10:34:05 localhost kernel: [40423.507052] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=218.27.148.78 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=56915 DPT=1026 LEN=465
Jul 12 10:34:05 localhost kernel: [40423.590983] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=218.27.148.78 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=56916 DPT=1027 LEN=465
Jul 12 10:34:11 localhost dnsmasq[4821]: query[AAAA] sb.google.com from 192.168.0.100
Jul 12 10:34:11 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 10:34:11 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 10:34:12 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 10:34:12 localhost dnsmasq[4821]: reply sb.l.google.com is <NODATA>-IPv6
Jul 12 10:34:12 localhost dnsmasq[4821]: query[A] sb.google.com from 192.168.0.100
Jul 12 10:34:12 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 10:34:12 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 10:34:13 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 10:34:13 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.93
Jul 12 10:34:13 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.95
Jul 12 10:34:13 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.91
#Non I don't know what Google is doing here - I was watching the movie.
Jul 12 10:34:52 localhost kernel: [40471.042989] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.222.158 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=23805 PROTO=UDP SPT=15283 DPT=1028 LEN=492
Jul 12 10:34:52 localhost kernel: [40471.130972] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.222.158 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=23803 PROTO=UDP SPT=15283 DPT=1026 LEN=492
...
Jul 12 10:51:13 localhost kernel: [41451.552110] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=203.221.33.230 DST=203.221.65.97 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5227 DF PROTO=TCP SPT=3237 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 12 10:51:50 localhost dnsmasq[4821]: query[AAAA] newsrss.bbc.co.uk from 192.168.0.100
Jul 12 10:51:50 localhost dnsmasq[4821]: forwarded newsrss.bbc.co.uk to 203.194.27.57
Jul 12 10:51:51 localhost dnsmasq[4821]: reply newsrss.bbc.co.uk is <CNAME>
Jul 12 10:51:51 localhost dnsmasq[4821]: query[A] newsrss.bbc.co.uk from 192.168.0.100
Jul 12 10:51:51 localhost dnsmasq[4821]: forwarded newsrss.bbc.co.uk to 203.194.27.57
Jul 12 10:51:52 localhost dnsmasq[4821]: reply newsrss.bbc.co.uk is <CNAME>
Jul 12 10:51:52 localhost dnsmasq[4821]: reply newsrss.bbc.net.uk is 212.58.240.134
#Non This looks like it's the BBC headlines in the Firefox toolbar.
Jul 12 10:53:37 localhost dnsmasq[4821]: query[AAAA] graeme-vaio.localnet from 192.168.0.100
Jul 12 10:53:37 localhost dnsmasq[4821]: config graeme-vaio.localnet is <NODATA>-IPv6
Jul 12 10:55:34 localhost kernel: [41712.490139] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.97 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=59877 DPT=1026 LEN=466
...
Jul 12 11:34:06 localhost kernel: [44024.582848] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.142.27 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=487 PROTO=UDP SPT=29526 DPT=1026 LEN=492
Jul 12 11:34:06 localhost kernel: [44024.674783] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.142.27 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=488 PROTO=UDP SPT=29526 DPT=1027 LEN=492
Jul 12 11:34:06 localhost kernel: [44024.762770] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.142.27 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=489 PROTO=UDP SPT=29526 DPT=1028 LEN=492
Jul 12 11:34:12 localhost dnsmasq[4821]: query[AAAA] sb.google.com from 192.168.0.100
Jul 12 11:34:12 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 11:34:12 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 11:34:12 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 11:34:12 localhost dnsmasq[4821]: reply sb.l.google.com is <NODATA>-IPv6
Jul 12 11:34:12 localhost dnsmasq[4821]: query[A] sb.google.com from 192.168.0.100
Jul 12 11:34:12 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 11:34:12 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 11:34:14 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 11:34:14 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.93
Jul 12 11:34:14 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.95
Jul 12 11:34:14 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.91
Jul 12 11:35:16 localhost kernel: [44094.300951] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.141.157 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=5797 PROTO=UDP SPT=16091 DPT=1026 LEN=492
Jul 12 11:35:16 localhost kernel: [44094.388894] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.141.157 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=5798 PROTO=UDP SPT=16091 DPT=1027 LEN=492
Jul 12 11:35:16 localhost kernel: [44094.480877] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.141.157 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=5799 PROTO=UDP SPT=16091 DPT=1028 LEN=492
...
Jul 12 12:01:04 localhost kernel: [45642.174156] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.94 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=39952 DPT=1026 LEN=465
Jul 12 12:01:04 localhost kernel: [45642.262147] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.94 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=39952 DPT=1027 LEN=465
Jul 12 12:04:12 localhost dnsmasq[4821]: query[AAAA] sb.google.com from 192.168.0.100
Jul 12 12:04:12 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 12:04:12 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 12:04:13 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 12:04:13 localhost dnsmasq[4821]: reply sb.l.google.com is <NODATA>-IPv6
Jul 12 12:04:13 localhost dnsmasq[4821]: query[A] sb.google.com from 192.168.0.100
Jul 12 12:04:13 localhost dnsmasq[4821]: cached sb.google.com is <CNAME>
Jul 12 12:04:13 localhost dnsmasq[4821]: forwarded sb.google.com to 203.194.27.57
Jul 12 12:04:14 localhost dnsmasq[4821]: reply sb.google.com is <CNAME>
Jul 12 12:04:14 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.95
Jul 12 12:04:14 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.91
Jul 12 12:04:14 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.93
Jul 12 12:05:02 localhost kernel: [45880.306100] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.212 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=60176 DPT=1027 LEN=466
Jul 12 12:05:04 localhost kernel: [45882.501842] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.92 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=35506 DPT=1026 LEN=466
Jul 12 12:06:15 localhost kernel: [45952.671986] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.58.112 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=6609 PROTO=UDP SPT=24769 DPT=1026 LEN=492
#Non The timestamp on the gcc source I was downloading is 12:07, so
#Non from here until about 12:44 I don't know what's going on.
Jul 12 12:19:02 localhost kernel: [46719.951099] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.98 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=42996 DPT=1027 LEN=466
Jul 12 12:19:07 localhost kernel: [46725.266699] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=203.221.238.210 DST=203.221.65.97 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=59458 DF PROTO=TCP SPT=3197 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 12 12:19:10 localhost kernel: [46728.382434] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=203.221.238.210 DST=203.221.65.97 LEN=48 TOS=0x00 PREC=0x00 TTL=124 ID=59733 DF PROTO=TCP SPT=3197 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 12 12:22:14 localhost kernel: [46912.042923] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=202.97.238.203 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=44269 DPT=1026 LEN=465
Jul 12 12:22:58 localhost kernel: [46956.463178] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.208.208.97 DST=203.221.65.97 LEN=486 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=34391 DPT=1027 LEN=466
Jul 12 12:23:33 localhost kernel: [46991.208234] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.209.110.13 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=45539 DPT=1027 LEN=465
Jul 12 12:23:39 localhost dnsmasq[4821]: query[AAAA] graeme-vaio.localnet from 192.168.0.100
Jul 12 12:23:39 localhost dnsmasq[4821]: config graeme-vaio.localnet is <NODATA>-IPv6
Jul 12 12:28:37 localhost kernel: [47294.734558] ''IN-dialup':'IN=ppp0 OUT= MAC= SRC=121.131.231.235 DST=203.221.65.97 LEN=395 TOS=0x00 PREC=0x00 TTL=56 ID=56110 PROTO=UDP SPT=30698 DPT=1026 LEN=375
...
Jul 12 12:37:08 localhost kernel: [47805.647383] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.178.156 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=23823 PROTO=UDP SPT=30418 DPT=1027 LEN=492
Jul 12 12:37:08 localhost kernel: [47805.737192] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.178.156 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=23824 PROTO=UDP SPT=30418 DPT=1028 LEN=492
Jul 12 12:38:15 localhost kernel: [47872.617750] ''IN-dialup':'IN=ppp0 OUT= MAC= SRC=125.7.214.164 DST=203.221.65.97 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=256 PROTO=TCP SPT=46984 DPT=5900 WINDOW=55808 RES=0x00 SYN URGP=0
Jul 12 12:38:25 localhost kernel: [47882.348960] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.160.115 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=64838 PROTO=UDP SPT=13539 DPT=1027 LEN=492
Jul 12 12:38:25 localhost kernel: [47882.436894] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.160.115 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=64837 PROTO=UDP SPT=13539 DPT=1026 LEN=492
Jul 12 12:38:25 localhost kernel: [47882.524891] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.160.115 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=64839 PROTO=UDP SPT=13539 DPT=1028 LEN=492
Jul 12 12:39:12 localhost kernel: [47929.508974] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=221.209.110.13 DST=203.221.65.97 LEN=485 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=51555 DPT=1026 LEN=465
...
Jul 12 12:42:53 localhost kernel: [48150.974280] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.215.16 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=8228 PROTO=UDP SPT=29384 DPT=1028 LEN=492
Jul 12 12:42:53 localhost kernel: [48151.062208] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.215.16 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=8226 PROTO=UDP SPT=29384 DPT=1026 LEN=492
Jul 12 12:42:53 localhost kernel: [48151.154199] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.215.16 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=8227 PROTO=UDP SPT=29384 DPT=1027 LEN=492
Jul 12 12:43:02 localhost kernel: [48159.633539] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=203.221.86.10 DST=203.221.65.97 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=47821 DF PROTO=TCP SPT=22909 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 12 12:43:04 localhost kernel: [48162.169282] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=203.221.86.10 DST=203.221.65.97 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=48273 DF PROTO=TCP SPT=22909 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 12 12:43:42 localhost pppd[6341]: Hangup (SIGHUP)
#Non I flicked the power switch on the modem here
Jul 12 12:43:42 localhost pppd[6341]: Modem hangup
Jul 12 12:43:42 localhost pppd[6341]: Connect time 736.1 minutes.
Jul 12 12:43:42 localhost pppd[6341]: Sent 6820768 bytes, received 99357069 bytes.
Jul 12 12:43:42 localhost pppd[6341]: Script /etc/ppp/ip-down started (pid 6800)
Jul 12 12:43:42 localhost pppd[6341]: Connection terminated.
Jul 12 12:43:42 localhost pppd[6341]: Script /etc/ppp/ip-down finished (pid 6800), status = 0x0
Jul 12 12:44:16 localhost kdm_greet[5964]: Internal error: memory corruption detected
#Non I don't know what that was, or whether it's typical for my system.
Jul 12 12:44:18 localhost shutdown[6872]: shutting down for system halt
Jul 12 12:44:18 localhost init: Switching to runlevel: 0
Jul 12 12:44:23 localhost cupsd: Unable to open log file
I'm only guessing that the most numerous type of messages is from dropped packets. Can someone confirm/refute that?
Any other assistance with deciphering the logs would be greatly appreciated.
I can post data from other logs too, if it will help - just ask.
Regards, Non.
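A small parser for the two kinds of lines in the excerpt above, added here as an example; it is not code from the original post or from the LQ thread. It assumes the prefixes (IN-internet, IN-dialup, PASS-unknown) are simply the --log-prefix strings of the poster's own rule set, and the sample lines are constructed to match the shapes shown above. One thing the log line alone cannot answer is the poster's question: the iptables LOG target is non-terminating and never drops anything by itself, so whether a logged packet was then dropped depends on the rule that follows the LOG rule, which you read from `iptables-save` or `iptables -L -n -v --line-numbers`. What the line does tell you is the path: IN set with OUT empty is the INPUT path (the packet was addressed to the firewall box itself), both set is FORWARD (LAN traffic routed out ppp0).

```python
import re
from collections import Counter

# Constructed sample lines, shaped like the syslog excerpt in the post above
# (iptables LOG lines with custom --log-prefix strings, dnsmasq lines, one cron line).
SAMPLE_LOG = """\
Jul 12 09:52:39 localhost kernel: [37938.186736] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=24.64.103.153 DST=203.221.65.97 LEN=512 TOS=0x00 PREC=0x00 TTL=68 ID=36385 PROTO=UDP SPT=34735 DPT=1028 LEN=492
Jul 12 09:54:32 localhost kernel: [38051.441413] 'PASS-unknown:'IN=eth0 OUT=ppp0 SRC=192.168.0.100 DST=72.5.124.95 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=51351 DF PROTO=TCP SPT=43701 DPT=80 WINDOW=501 RES=0x00 ACK FIN URGP=0
Jul 12 10:51:13 localhost kernel: [41451.552110] ''IN-internet':'IN=ppp0 OUT= MAC= SRC=203.221.33.230 DST=203.221.65.97 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=5227 DF PROTO=TCP SPT=3237 DPT=445 WINDOW=8760 RES=0x00 SYN URGP=0
Jul 12 12:38:15 localhost kernel: [47872.617750] ''IN-dialup':'IN=ppp0 OUT= MAC= SRC=125.7.214.164 DST=203.221.65.97 LEN=40 TOS=0x00 PREC=0x00 TTL=113 ID=256 PROTO=TCP SPT=46984 DPT=5900 WINDOW=55808 RES=0x00 SYN URGP=0
Jul 12 09:55:06 localhost dnsmasq[4821]: query[AAAA] sb.google.com from 192.168.0.100
Jul 12 09:55:17 localhost dnsmasq[4821]: reply sb.l.google.com is 72.14.253.93
Jul 12 10:17:01 localhost /USR/SBIN/CRON[6790]: (root) CMD ( run-parts --report /etc/cron.hourly)
"""

SYSLOG_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ "
KERNEL_RE = re.compile(SYSLOG_TS + r"kernel: \[[\d.]+\] (?P<prefix>.*?)(?P<kv>IN=.*)$")
DNSMASQ_RE = re.compile(SYSLOG_TS + r"dnsmasq\[\d+\]: (?P<kind>\S+) (?P<name>\S+) (?:from|to|is) (?P<val>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_iptables_line(line):
    """Return a dict for an iptables LOG line, or None if the line is not one."""
    m = KERNEL_RE.match(line)
    if not m:
        return None
    fields, flags = {}, []
    for tok in m.group("kv").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # LEN appears twice (IP total length, then UDP length): keep both.
            fields[key + "_2" if key in fields else key] = val
        else:
            flags.append(tok)  # DF, SYN, ACK, ... carry no '='
    return {
        "ts": m.group("ts"),
        "prefix": m.group("prefix").strip("' :"),  # the --log-prefix, quotes stripped
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "tcp_flags": sorted(f for f in flags if f in TCP_FLAGS),
    }


def chain_guess(pkt):
    """Which netfilter path logged the packet, read off the IN/OUT interface pair."""
    if pkt["in"] and not pkt["out"]:
        return "INPUT"    # addressed to the firewall box itself
    if pkt["in"] and pkt["out"]:
        return "FORWARD"  # routed through, e.g. LAN (eth0) -> ppp0
    if pkt["out"]:
        return "OUTPUT"   # generated locally
    return "UNKNOWN"


def parse_dnsmasq_line(line):
    m = DNSMASQ_RE.match(line)
    return m.groupdict() if m else None


def summarize(text):
    """Tally what the firewall and resolver logged. Drop/accept is NOT inferred:
    LOG never drops by itself, the following rule decides that."""
    by_prefix, by_chain, by_proto_dport = Counter(), Counter(), Counter()
    by_src, dns_queries, unsolicited_syn = Counter(), Counter(), []
    for line in text.splitlines():
        pkt = parse_iptables_line(line)
        if pkt:
            by_prefix[pkt["prefix"]] += 1
            by_chain[chain_guess(pkt)] += 1
            by_src[pkt["src"]] += 1
            if pkt["dpt"] is not None:
                by_proto_dport[(pkt["proto"], pkt["dpt"])] += 1
            # A bare SYN arriving on the INPUT path is an unsolicited connection attempt.
            if chain_guess(pkt) == "INPUT" and pkt["tcp_flags"] == ["SYN"]:
                unsolicited_syn.append((pkt["src"], pkt["dpt"]))
            continue
        dns = parse_dnsmasq_line(line)
        if dns and dns["kind"].startswith("query["):
            dns_queries[dns["name"]] += 1
    return {"by_prefix": by_prefix, "by_chain": by_chain, "by_proto_dport": by_proto_dport,
            "by_src": by_src, "dns_queries": dns_queries, "unsolicited_syn": unsolicited_syn}


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for key in ("by_prefix", "by_chain", "by_proto_dport"):
        print(key, dict(s[key]))
    print("unsolicited SYNs to this box:", s["unsolicited_syn"])
```

Run it against the real file with `summarize(open("/var/log/syslog").read())`; the by_proto_dport tally is what makes the repetitive UDP lines readable at a glance, and unsolicited_syn pulls out the inbound TCP connection attempts (the port 445 and 5900 SYNs in the excerpt) from the noise. To settle whether a given prefix means "dropped", find the LOG rule carrying that prefix in `iptables-save` output and look at the rule immediately after it in the same chain.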