Craig, I do not think it is CA software because I have not seen it on my network and I use CA software. When I do a lookup on the IP 213.254.229.147 I get the following information: OrgName: RIPE Network Coordination Centre OrgID: RIPE Address: P.O. Box 10096 City: Amsterdam StateProv: PostalCode: 1001EB Country: NL This also supports my idea that it is not CA since the IP is in Amsterdam. When I try to connect a HTTPS connection to the same IP I got a message with a SSL certificate from a248.e.akamai.net. The look up for akamai.net show: Akamai Technologies, Inc. 8 Cambridge Center Cambridge, MA 02142 US When I connected a to akamai.net I get a coming soon page. So I tried to connect to akamai.net through a HTTPS connection. This time I get s certificate from plesk of SWsoft, Inc. in Virginia. I am not sure what all this means, but it just feels funny to me. Maybe some else could shed some more light. David -----Original Message----- From: plug-discuss-bounces@lists.plug.phoenix.az.us [mailto:plug-discuss-bounces@lists.plug.phoenix.az.us]On Behalf Of Craig White Sent: Thursday, September 22, 2005 8:34 PM To: plug-discuss@lists.plug.phoenix.az.us Subject: speaking about Linux firewalls A network where I have one. Just set up a new Win2K3 server (don't lecture, I have as much religion as the next guy). It's been up for 3 weeks or so and before we went live, it punked out (seems to be a memory problem - ahem - Dell)... Anyway, I happened to run netstat on the sucker and what do I see but a connection that makes no sense at all since it is not exposed to the internet in any fashion. TCP MY_HOSTNAME:3289 213.254.229.147:http ESTABLISHED I can ping that ip address and it's really bothering me. I am going to block it at the firewall but I can't get a handle on it. fingerprinting... # nmap -O 213.254.229.147 Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-09-22 19:53 MST Interesting ports on 213.254.229.147: (The 1655 ports scanned but not shown below are in state: closed) PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 443/tcp open https 500/tcp open isakmp Device type: general purpose Running: Linux 2.4.X OS details: Linux 2.4.20 (Itanium) Uptime 24.386 days (since Mon Aug 29 10:37:26 2005) Nmap run completed -- 1 IP address (1 host up) scanned in 16.391 seconds Anybody have any ideas what is going on? Obviously I put new rules into Linux firewall and rebooted both systems but blocking that one ip address isn't likely to stop whatever it was that was connected - it may be something like Computer Associates BrightStor/ArcServe doing a phone home thing but it really bothered me. Craig -- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean. --------------------------------------------------- PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us To subscribe, unsubscribe, or to change you mail settings: http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss --------------------------------------------------- PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us To subscribe, unsubscribe, or to change you mail settings: http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss