From the looks of things, your computer (neural1.fe.up.pt) is being
pinged by the remote computer (bozzman.comesurfthe.net). The output
you quoted in your e-mail is your computer's response to the ping.
A 'ping' consists of two types of ICMP packets; an "echo-request",
and an "echo-reply".
Take a look at the network traffic for "echo-requests" from the
hosts
that your machine is sending the "echo-reply" to; you should see
them.
i may be incorrect with this next statement (corrections anyone?),
if
you do not see any "echo-requests" that correspond to the
"echo-replys"
you are seeing, then it may be possible that someone has compromised
your machines. This is probably not the case, though i can't say
for
certain. The bottom line is that if you see the "echo-requests",
then
mystery solved. Otherwise, you may wish to post again with more
details.
Hope this helps. Can anyone else provide more info?
----------------------------------------------
John Vivian
Exxecom
Network Security Analyst
----------------------------------------------
-----Original Message-----
From: Nuno Faria [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 26, 2000 2:42 PM
To: [EMAIL PROTECTED]
Subject: icmp: echo reply? Am I being attacked?
Dear list members,
First of all let me state where I stand.
I've been using Linux (Debian) for one year now. During this year I've
learnt quite a lot but on the issue of network and security I'm a
complete newby.
Now I think I have a security problem (although it is not exclusively
mine). The problem is as follows:
I am the administrator of three PCs in a local network. They all have
real IP adresses.
Sometimes, withou any aparent reason, some of the computers in this
network start producing network trafic without any aparent reason. I do
netstat and there is no indication of a network conection. I do "tcpdump
host machinename" and I get a series of:
17:32:27.620336 neural1.fe.up.pt > bozzman.comesurfthe.net: icmp: echo
reply
not necessarily with the same machine adress (bozzman.comesurfthe.net).
The increase in the network trafic can be as high as 50kB/s.
This is not a Debian or Linux specific problem as it also hapens on
another machin running Digital Unix, but on the other hand, if I change
one of the PCs from Linux to Win NT4 the problem stops. It reapears when
I change it back to Linux.
Can you help me? Can you point me to some document I might read to find
information related to this subject?
Thanks in advance,
Nuno Faria
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact
[EMAIL PROTECTED]
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
