SJS wrote:
> begin quoting Ralph Shumaker as of Wed, Jan 23, 2008 at 11:52:39AM -0800:
> > I just turned on my monitor and saw that there have been multiple
> > repeating short bursts of internet activity. The only thing I know of
> > that is even running is pidgin, but there's no activity there.
> > I did a tcpdump to screen and did not recognize much besides my own
> > address. Then I started doing a dump to file. But not knowing what was
> > happening, I then did ifdown eth0.
>
> I assume you have sshd running?

Yes (just now checked), why?

(I just now did ifup eth0, and the activity seems to have passed for the
moment.)

Neither dump is all that long (a few seconds each). Here are both of them:
(turns out to have been 90K, even though it is only about 60 seconds of
activity)

Here's a link:
http://pastebin.com/m49220df1

> Check your logs.
> I bet they're full of brute-force attempts at logging in to your system.
> A useful thing to do when something strange is happening is
>     ls -lt /var/log/* | head

Although it's no longer happening, here's that:

# ls -lt /var/log/* | head
-rw------- 1 root root     63937 2008-01-23 13:50 /var/log/messages
-rw-rw-r-- 1 root utmp    113280 2008-01-23 13:50 /var/log/wtmp
-rw------- 1 root root     64113 2008-01-23 13:47 /var/log/secure
-rw------- 1 root root      8382 2008-01-23 13:01 /var/log/cron
-rw------- 1 root root       202 2008-01-23 09:47 /var/log/boot.log
-rw------- 1 root utmp  14399616 2008-01-23 09:29 /var/log/btmp
-rw------- 1 root root      7183 2008-01-23 04:18 /var/log/maillog
-rw-r--r-- 1 root root     35571 2008-01-23 04:18 /var/log/rpmpkgs
-rw-r--r-- 1 root root     43127 2008-01-20 11:35 /var/log/Xorg.0.log
-rw------- 1 root root         0 2008-01-20 04:17 /var/log/spooler

> Then use 'tail' on the top few log files (you may need to be wheel or
> root). You may want to run 'tail -f' on one or two logs to watch what's
> going on, especially if you're getting bemused by tcpdump output.

btmp seems to be primarily binary, but I did see a few human-readable
chunks in there. boot.log doesn't seem too interesting, nor does cron.

Whoa! secure seems to show something. I did "cat /var/log/secure |
grep -v myUserName" and posted the output here:
http://pastebin.com/m769a5200

By the looks of it, I turned on my monitor just a few minutes after the
guy began his attack. "# ifdown eth0" ended his attack. And I didn't
issue "# ifup eth0" until several minutes later. So far, I haven't seen
the activity resume. But I think I'll be doing a tail -f
/var/log/secure on a regular basis, as well as ls -ltr /var/log.

I think I've seen applications that will monitor several log files at
the same time, and there are also packages that will dump log
information to an (otherwise unused) virtual console.

I guess now that I have a high speed, always-on connection (DSL), I may
have to start learning more about intrusion countermeasures. I've been
meaning to figure out how to do your trick about making certain places
like /usr (or whatever they were) read-only, among other things.
--
Ralph
--------------------
I hope I never meet a man so narrow minded as to spell a word in only one way.
--Thomas Jefferson
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
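An added example, not from the thread or either poster, of what SJS's "check your logs" comes down to in practice: a few POSIX shell functions that count sshd "Failed password" lines in /var/log/secure by source address, flag sources over a threshold, and then answer the question that matters after such a burst, namely whether any flagged source was ever "Accepted". The log lines and function names are constructed for the example (addresses are from documentation ranges).

```shell
#!/bin/sh
# Constructed sshd lines in /var/log/secure syslog format; a stand-in for the
# thread's pastebin, not taken from it (all addresses are documentation ranges).
SAMPLE_LOG='Jan 23 13:41:02 box sshd[4011]: Failed password for invalid user admin from 203.0.113.7 port 43210 ssh2
Jan 23 13:41:04 box sshd[4013]: Failed password for root from 203.0.113.7 port 43214 ssh2
Jan 23 13:41:06 box sshd[4015]: Failed password for invalid user test from 203.0.113.7 port 43219 ssh2
Jan 23 13:41:07 box sshd[4017]: Accepted password for ralph from 192.0.2.10 port 50022 ssh2
Jan 23 13:41:09 box sshd[4019]: Failed password for ralph from 192.0.2.10 port 50030 ssh2
Jan 23 13:41:12 box sshd[4021]: Failed password for invalid user oracle from 203.0.113.7 port 43230 ssh2
Jan 23 13:41:15 box sshd[4023]: Accepted password for ralph from 203.0.113.7 port 43240 ssh2'

# failed_by_source LOG_TEXT
# One "<count> <ip>" line per source address with at least one failed
# password attempt, busiest source first.
failed_by_source() {
    printf '%s\n' "$1" \
      | awk '/sshd\[[0-9]+\]: Failed password for / {
                 for (i = 1; i <= NF; i++)
                     if ($i == "from") { n[$(i + 1)]++; break }
             }
             END { for (ip in n) print n[ip], ip }' \
      | sort -rn
}

# brute_force_sources LOG_TEXT THRESHOLD
# Source addresses whose failure count reaches THRESHOLD, one per line.
brute_force_sources() {
    failed_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# accepted_from_brute_forcers LOG_TEXT THRESHOLD
# The triage question after a burst: did any flagged source ever log in?
# Prints the matching "Accepted" lines; no output means none were found.
accepted_from_brute_forcers() {
    for ip in $(brute_force_sources "$1" "$2"); do
        printf '%s\n' "$1" \
          | awk -v ip="$ip" '/sshd\[[0-9]+\]: Accepted / {
                 for (i = 1; i <= NF; i++)
                     if ($i == "from" && $(i + 1) == ip) { print; break }
             }'
    done
}

# Against the live file instead of the sample (needs root, as the thread notes):
#   accepted_from_brute_forcers "$(cat /var/log/secure)" 5
accepted_from_brute_forcers "$SAMPLE_LOG" 3
```

In the constructed sample, 203.0.113.7 fails four times and then gets an "Accepted" line, which is exactly the case a `grep -v myUserName` over the log would not surface on its own.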