09-19-2008, 08:20 PM
Tim Greer
Re: Possible attack?

Anon E. Muss wrote:

> I recently noticed excessive activity on my router's activity LED and
> did a little investigating. As immediate action, I used a big hammer
> and firewalled off 218/8 until I can figure out what is going on here.
> Yesterday, it was 201/8.
>
> Below is most of the output of netstat. Can someone let me know what is
> going on here? SynFlood?? Also, any suggestions??
>
> ===== BEGIN =====
> Active Internet connections (w/o servers)
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 x-xx-x-xx-xx.xxxxxxxx:37775 218.25.160.246:ssh TIME_WAIT
> tcp 0 0 x-xx-x-xx-xx.lsa:safetynetp 218.25.17.78:ssh TIME_WAIT



Pardon, I had also misread the output in my earlier reply. The same
suggestions apply, but you definitely want to look into the system, see
if it's compromised, etc. and take the appropriate actions. You can
also block outgoing on ports 22, 21, etc. (ssh, ftp, etc.,
respectively), and only allow outgoing to trusted destinations. This
will immediately help the situation while you look into the issue
further. Good thing you caught the outgoing attacks.

--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!

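An added example, not part of the original post: a small Python triage script that reads netstat output in the format quoted above and counts connections where the *foreign* side is ssh or ftp, which is what marks the traffic as outgoing from this host rather than an inbound flood. The sample lines are constructed (documentation address ranges), and the function name and watched-port table are assumptions of this example.

```python
from collections import Counter

# Remote services named in the reply (ssh, ftp). netstat prints the service
# name unless run with -n, so both spellings are accepted.
WATCHED = {"ssh": 22, "22": 22, "ftp": 21, "21": 21}

# Constructed sample in the layout of the quoted netstat output.
SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 host.example:37775 198.51.100.246:ssh TIME_WAIT
tcp 0 0 host.example:37776 198.51.100.78:ssh
TIME_WAIT
tcp 0 0 host.example:37777 198.51.100.78:22 SYN_SENT
tcp 0 0 host.example:41000 203.0.113.9:ftp ESTABLISHED
tcp 0 0 host.example:ssh 192.0.2.10:51515 ESTABLISHED
tcp 0 0 host.example:45000 192.0.2.80:www TIME_WAIT
"""

def outbound_to_watched(netstat_text):
    """Count connections whose foreign port is a watched service, i.e. this
    host is acting as the client. Returns (per-remote-host, per-port)."""
    hosts, ports = Counter(), Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # Need proto, recv-q, send-q, local, foreign. The state column is
        # optional because pasted output often wraps it onto the next line.
        if len(fields) < 5 or not fields[0].startswith("tcp"):
            continue
        remote_host, _, remote_port = fields[4].rpartition(":")
        if remote_port not in WATCHED:
            continue  # inbound sessions and other services are ignored
        hosts[remote_host] += 1
        ports[WATCHED[remote_port]] += 1
    return hosts, ports

if __name__ == "__main__":
    hosts, ports = outbound_to_watched(SAMPLE)
    print("outgoing connections by remote port:", dict(ports))
    for host, count in hosts.most_common():
        print(f"{count:4d}  {host}")
```

Many distinct remote hosts on port 22 from a machine that has no reason to make SSH connections is the pattern the reply describes as outgoing attacks.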