Rafael,

Do you have the 'chkrootkit' command? If you don't have that utility you can get it here: www.chkrootkit.org

I'm not saying that you have a problem, but it seems suspicious.

Shane

"J. Rafael Sánchez" wrote:
> Hi Guys,
> Since we're in the topic of firewalls... just some comments.
>
> One thing my fw is reporting about is that my internal net is
> requesting/being hit by the ads.web.aol.com website, three times more
> than any other site.
>
> The other thing I'm seeing when I check based on bandwidth usage by
> host, one of my linux boxes running rh 7.3 (cd roaster) is using by far
> about 4 times any other box. I've checked netstat, lsof, ps, top, nmap
> [889/tcp open unknown]. I can't seem to be able to tell what could be
> hogging the pipes. This box is on the network and shouldn't be running
> any other unneeded services.
>
> When I do a bandwidth by service at my firewall I get this:
> "TCP Port 2937". It appears to be using 50% more than anything else. And
> then "TCP Port 4366" is the next one in bandwidth consumption.
>
> Open for other comments.
>
> Rafael.
>
> On Fri, 2004-03-19 at 11:55, Curtis Sloan wrote:
> > So, it may or may not be Blaster/Welchia related activity, but rather any old
> > virus/worm trying to DDoS a selected target (that DNS maintainers have seen
> > fit to resolve to 127.0.0.1). Hey, maybe it's trying to DDoS SCO! Ooh,
> > ethical quandary... ;-) j/k
> >
> > Curtis
> >
> > On Fri March 19 2004 09:37, Michael Petch wrote:
> > > Interesting. Some ISPs running DNS services might mark some domain
> > > names with an IP address of 127.0.0.1 to mitigate a Denial of service
> > > attack against the domains in question (Of course 127.0.0.1 addresses
> > > will be resolved back to the local computer).
> > >
> > > I find it a bit odd that the destinations are internal network addresses
> > > (I assume internal machine IP address is a non-routable IP address on
> > > the internet?)
> > >
> > > I know when the blaster worm was circulating Sprint set some of their
> > > DNS servers to point windowsupdate.com at 127.0.0.1 .
> > >
> > > Just some ideas.
> > >
> > > On Thu, 2004-03-18 at 21:57, Shane&Lisa wrote:
> > > > Hi all, is anybody else getting firewall logs yelling:
> > > >
> > > > 127.0.0.1 on port 80 (external) to <internal machine address> port <
> > > > unprivileged port # > (internal)
> > > >
> > > > over and over again?
> > > >
> > > > I'm just getting pounded with these...
> > > >
> > > > Ideas?
> > > >
> > > > Shane
> > > >
> > > > _______________________________________________
> > > > clug-talk mailing list
> > > > [EMAIL PROTECTED]
> > > > http://clug.ca/mailman/listinfo/clug-talk_clug.ca
> --
> J. Rafael Sánchez
> Systems Administrator
>
> Itres Research Limited
> (p) 403.250.9944
> (f) 403.250.9916
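Added example for the question Rafael raises in the thread above (which process on the RH box is behind the ports the firewall flags). This is not code from any poster; it does by hand what netstat -tnp / lsof -i do on Linux: read /proc/net/tcp, decode its hex-encoded endpoints, and tie each socket inode back to a PID by walking /proc/<pid>/fd. It assumes a Linux host and needs root to see every process's descriptors; the /proc/net/tcp text and inode map embedded below are constructed so it runs offline.

```python
"""Map firewall-flagged TCP ports back to the owning process via /proc.
Added example, not from the thread; assumes Linux. Sample data is constructed."""
import os
import re
import socket
import struct
from collections import Counter

# Socket states as encoded in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def decode_addr(hexaddr):
    """'0100007F:0050' -> ('127.0.0.1', 80). The kernel prints the
    network-order address bytes as a native-endian u32 in hex, so '=I'
    (native order) reverses them correctly on any host; the port is plain hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("=I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Rows of /proc/net/tcp as dicts. Columns: sl local rem st tx:rx
    tr:when retrnsmt uid timeout inode ..."""
    rows = []
    for line in text.splitlines()[1:]:        # line 0 is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        rows.append({
            "local": decode_addr(fields[1]),
            "remote": decode_addr(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return rows


def build_inode_map(proc="/proc"):
    """socket inode -> (pid, comm) from every readable /proc/<pid>/fd link.
    Processes you lack permission to inspect are simply absent."""
    inode_map = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
            with open(os.path.join(proc, pid, "comm")) as f:
                comm = f.read().strip()
        except OSError:                        # not permitted, or process exited
            continue
        for fd in fds:
            try:
                target = os.readlink(os.path.join(fd_dir, fd))
            except OSError:
                continue
            m = re.match(r"socket:\[(\d+)\]$", target)
            if m:
                inode_map[int(m.group(1))] = (int(pid), comm)
    return inode_map


def owners_of_port(rows, inode_map, port):
    """Sockets using `port` on either end, with the owning process. No owner
    means an unreadable process or a kernel-held socket: look again as root."""
    hits = []
    for r in rows:
        if port in (r["local"][1], r["remote"][1]):
            pid, comm = inode_map.get(r["inode"], (None, "no-owner-visible"))
            hits.append((r["local"], r["remote"], r["state"], pid, comm))
    return hits


def top_remote_hosts(rows, n=3):
    """Established connections per remote IP, to set beside the firewall's
    per-host bandwidth view."""
    counts = Counter(r["remote"][0] for r in rows if r["state"] == "ESTABLISHED")
    return counts.most_common(n)


# Constructed sample: a listener on 889/tcp (the port nmap showed) plus
# connections on the two ports the firewall flagged, 2937 and 4366.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0379 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 999 1 0000000000000000 100 0 0 10 0
   1: 1401A8C0:0B79 0500000A:0050 01 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 20 4 30 10 -1
   2: 1401A8C0:110E 0500000A:0050 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:C00A 0100007F:0050 01 00000000:00000000 00:00000000 00000000   500        0 777 1 0000000000000000 20 4 30 10 -1
"""
# Constructed inode -> (pid, comm); on a live host use build_inode_map().
SAMPLE_INODE_MAP = {12345: (4242, "suspect-daemon"), 12346: (4242, "suspect-daemon")}

if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for port in (2937, 4366, 889):
        for hit in owners_of_port(rows, SAMPLE_INODE_MAP, port):
            print(port, hit)
    print("top remote hosts:", top_remote_hosts(rows))
```

On the real box, feed `open("/proc/net/tcp").read()` and `build_inode_map()` into the same functions. The part worth watching is the "no-owner-visible" case: once you are root and a busy socket still maps to no PID, the process holding it is hiding from /proc, which is exactly the situation chkrootkit is meant to check for.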

