Re: Large, constant incoming traffic

The best way to see what is going on is to dump the traffic to a file and analyse it. Tcpdump and ethereal are great tools for that purpose. Ethereal will make the job easier and should give you a clue. If you are afraid the server has been compromised you have to use another computer to get reliable information. I don't know your network setup and what you have at your disposal. If it is cable/DSL you could connect your server through a hub, hook up the other computer to the hub and do the dump (you may have to use a crossover cable between the modem and the hub).

HTH
Robert J.

Kjetil Kjernsmo said:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all!
>
> I turn to you with a bit of desperation now. It feels like I'm under some kind of attack. Maybe I've even been compromised. The last few days, I've experienced an insane and constant amount of incoming traffic. I'm not sure how long it has lasted, but I would think 3-4 days, and it is constant at 260 kB/s. It varies very little from that number, perhaps down to 255 sometimes, and sometimes up to 265, but essentially, it changes very little over time, at least over an interval of a couple of seconds. And I can't for the life of me figure out where it's coming from...
>
> This is what netstat says:
>
> [EMAIL PROTECTED]:~$ netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:4               0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:53        0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:22        80.213.253.77:32782     ESTABLISHED
> tcp        0      0 217.77.32.186:22        80.213.253.77:33738     ESTABLISHED
> tcp        0    272 217.77.32.186:22        80.213.253.77:32778     ESTABLISHED
>
> 217.77.32.186 is my server, the machine that is in trouble, and 80.213.253.77 is the current IP of my workstation. There are connections now and then, but nothing unnatural, and nothing that can account for the fact that there aren't variations... Most of the listening ports are actually firewalled off from the world:
>
> (The 1654 ports scanned but not shown below are in state: filtered)
> PORT    STATE SERVICE
> 4/tcp   open  unknown
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 110/tcp open  pop3
>
> (port 4 is SFS, which is in Debian, nmap should perhaps be told...?)
>
> The filtered ports should drop packets. In addition to the occasional netstat, I'm looking closely with ksysguard. There is a ksysguardd running at the remote machine, which is giving me the data. It is all in agreement with what netstat says, and the data rate is in agreement too; I have verified it by running ifconfig twice 100 seconds apart and comparing the "RX bytes:" entry. I did a kernel upgrade yesterday, so I have even rebooted the machine, and since the reboot, it has according to ifconfig received something like 3 GiB of data. In one day... But this makes it likely that there isn't a local fault, I think.
>
> Also, there is little outgoing traffic. I have no idea where all those data are going... There is certainly not room for them on the hard drive, unless somebody is in the box and is deleting stuff, and has du and df trojanned, but then df shows the same as /proc/partitions. I can't see anything abnormal, neither on the disks, in the logs, in the connections made to the machine, in the process table or anything... But then, I don't really know too much about looking... :-)
>
> Since my workstation is the only machine I can see that has a persistent connection to the server, I've investigated the possibility that something here is causing it. But there is little outgoing traffic here, so it seems extremely unlikely.
>
> I think it looks like something is throwing packets at me, and doesn't care what happens to them... However, then I would think the packets were thrown at an open port, because I would think that since iptables would drop the packets, it would show up in the statistics as dropped, and it isn't. Or, is it possible that the statistics are simply wrong: there are no data being thrown at me?
>
> I've briefly talked with my hosting company, and they've got a good Linux guy there, but he was too
Re: Large, constant incoming traffic

On Thursday 13 May 2004, 19:32, Robert Jakubowski wrote:
> The best way to see what is going on is to dump the traffic to a file and analyse it. Tcpdump and ethereal are great tools for that purpose.

Great! Reagan Blundell also told me about them offline.

> Ethereal will make the job easier and should give you a clue. If you are afraid the server has been compromised you have to use another computer to get reliable information. I don't know your network setup and what you have at your disposal. If it is cable/DSL you could connect your server through a hub, hook up the other computer to the hub and do the dump (you may have to use a crossover cable between the modem and the hub).

Yup. It's in server hosting at a provider, and I don't have physical access there... So, I have no option but to do it remotely (or perhaps I could if eth0 was promiscuous, but it isn't?).

Anyway, this is what I see in tcpdump after filtering out my own ssh traffic and some DNS traffic (which might have something to do with it, but makes a lot of noise). easynet.no is my provider:

19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:29.786000 217.77.34.162.2090 > 226.210.233.101.1434: udp 376 [ttl 1]
19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434: udp 376 [ttl 1]
19:41:30.120437 217.77.34.162.2090 > 234.221.95.51.1434: udp 376 [ttl 1]
19:41:30.449589 217.77.34.162.2090 > 226.53.242.62.1434: udp 376 [ttl 1]
19:41:30.556784 217.77.34.162.2090 > 234.225.213.78.1434: udp 376 [ttl 1]
19:41:30.563271 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:30.683433 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:30.773817 217.77.34.162.2090 > 226.95.50.32.1434: udp 376 [ttl 1]
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain: 6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:30.884041 217.77.34.162.2090 > 234.111.203.166.1434: udp 376 [ttl 1]
19:41:31.212205 217.77.34.162.2090 > 234.209.110.68.1434: udp 376 [ttl 1]
19:41:31.321424 www.easynet.no.domain > pooh.kjernsmo.net.39445: 61615 1/2/0 (106) (DF)
19:41:31.429747 217.77.34.162.2090 > 226.20.247.203.1434: udp 376 [ttl 1]
19:41:31.563113 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:31.648080 217.77.34.162.2090 > 234.191.213.120.1434: udp 376 [ttl 1]
19:41:31.683087 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:31.755080 217.77.34.162.2090 > 234.234.114.255.1434: udp 376 [ttl 1]
19:41:31.973809 217.77.34.162.2090 > 226.44.34.125.1434: udp 376 [ttl 1]
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]

Hm, I don't know what machine 217.77.34.162 is, but I wouldn't be surprised if it sits in the same server room as my box... Does this tell you anything?

Thanks a lot for the help!

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Large, constant incoming traffic

/ 2004-05-13 19:53:33 +0200
\ Kjetil Kjernsmo:
> On Thursday 13 May 2004, 19:32, Robert Jakubowski wrote:
> > The best way to see what is going on is to dump the traffic to a file and analyse it. Tcpdump and ethereal are great tools for that purpose.
>
> Great! Reagan Blundell also told me about them offline.
>
> > Ethereal will make the job easier and should give you a clue. If you are afraid the server has been compromised you have to use another computer to get reliable information. I don't know your network setup and what you have at your disposal. If it is cable/DSL you could connect your server through a hub, hook up the other computer to the hub and do the dump (you may have to use a crossover cable between the modem and the hub).
>
> Yup. It's in server hosting at a provider, and I don't have physical access there... So, I have no option but to do it remotely (or perhaps I could if eth0 was promiscuous, but it isn't?).
>
> Anyway, this is what I see in tcpdump after filtering out my own ssh traffic and some DNS traffic (which might have something to do with it, but makes a lot of noise). easynet.no is my provider:
>
> 19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
> 19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
> 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]

ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server, was infected, and now tries to compromise the world, and its own subnet, which you happen to be in.

iirc there has been some worm targeting Microsoft SQL server early 2003, maybe it is still active sometimes, maybe there is a new one.

you are safe, but this should show in some DROP or REJECT statistics. have a look at the output of

iptables -vnL

you want to tell the guy responsible for 217.77.34.162, and the hostmaster at easynet.no, that they have a compromised machine, and should take it offline. and that you want them to pay for the traffic they are causing you.

Lars Ellenberg
Re: Large, constant incoming traffic

On Thu, May 13, 2004 at 07:53:33PM +0200, Kjetil Kjernsmo wrote:
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
>
> Hm, I don't know what machine 217.77.34.162 is, but I wouldn't be surprised if it sits in the same server room as my box... Does this tell you anything?

Looks like the SQL/Slammer worm. It targets UDP port 1434 (MS-SQL servers listen there), consists of single packets that are 376 bytes in size and causes much traffic. Seems like the machine at 217.77.34.162 is infected, so there is not much you can do to stop this packet flood. You may try to contact the server admin and convince him to reboot and patch the MS-SQL server. Or ask your provider to block incoming packets on this port for your server.

Some sites with more information about this worm:
http://www.f-secure.com/v-descs/mssqlm.shtml
http://vil.nai.com/vil/content/v_2.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
http://www.viruslist.com/eng/viruslist.html?id=59159

HTH,
Michel
-- 
Michel Messerschmidt [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg
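An added check that is not code from anyone in this thread: it applies the signature Michel gives (UDP to port 1434 with a 376-byte payload) to lines in the "tcpdump -n" format Kjetil posted, records whether each worm packet is addressed to this host, to an IPv4 multicast group (224.0.0.0/4) or to some other unicast address, and estimates the on-wire byte rate so the capture can be compared with the interface's RX counter. The SAMPLE lines are constructed for the example (modelled on the posted capture, with one packet to the server itself, one unicast address and one short packet added to exercise the branches); the server address 217.77.32.186 and the worm source 217.77.34.162 are taken from the thread. Note that every destination in Kjetil's excerpt is in 226.x or 234.x, i.e. inside the multicast range: an Ethernet switch floods frames for group MACs it has no snooping state for out of every port, so a host that is not the destination still sees them on its interface, and on Linux a multicast packet for a group the host has not joined is discarded at the routing step, before the INPUT chain, so the DROP policy counters in "iptables -vnL" do not grow either.

```python
"""Flag Slammer-style packets in a tcpdump text capture and classify their destinations.

Added example for this thread, not code posted by anyone in it.
"""
import ipaddress
import re
import sys
from collections import Counter

# One "tcpdump -n" UDP line:  HH:MM:SS.usec SRC.SPORT > DST.DPORT: udp LEN [...]
UDP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)

SLAMMER_PORT = 1434        # MS-SQL resolution service
SLAMMER_PAYLOAD = 376      # UDP payload length of the worm packet
# Ethernet (14) + IPv4 header (20) + UDP header (8), assuming no VLAN tag:
# roughly what the NIC's RX byte counter grows by per worm frame.
FRAME_OVERHEAD = 14 + 20 + 8

# Constructed sample, modelled on the capture posted in the thread.
SAMPLE = """\
19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell 217.77.32.1
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:30.013227 217.77.34.162.2090 > 217.77.32.186.1434: udp 376 [ttl 1]
19:41:30.500000 217.77.34.162.2090 > 226.1.2.3.1434: udp 200
19:41:30.800550 217.77.32.186.39441 > 194.65.79.78.53: 6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:31.459644 217.77.34.162.2090 > 10.1.2.3.1434: udp 376 [ttl 1]
""".splitlines()


def parse_udp(line):
    """Return the fields of a UDP tcpdump line, or None for anything else (ARP, DNS decode, ...)."""
    m = UDP_LINE.match(line)
    if not m:
        return None
    return {"ts": m["ts"], "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "len": int(m["len"])}


def is_slammer(pkt):
    """Both conditions must hold: the port alone also matches legitimate SQL resolution traffic."""
    return pkt["dport"] == SLAMMER_PORT and pkt["len"] == SLAMMER_PAYLOAD


def dst_kind(dst, my_addr):
    if dst == my_addr:
        return "me"
    if ipaddress.IPv4Address(dst).is_multicast:   # 224.0.0.0/4
        return "multicast"
    return "other-unicast"


def multicast_mac(dst):
    """RFC 1112 mapping of an IPv4 group to its Ethernet address: 01:00:5e + low 23 bits."""
    b = ipaddress.IPv4Address(dst).packed
    return "01:00:5e:%02x:%02x:%02x" % (b[1] & 0x7F, b[2], b[3])


def ts_micros(ts):
    """'19:41:29.459644' -> integer microseconds since midnight (exact, no float rounding)."""
    hms, frac = ts.split(".")
    h, m, s = (int(x) for x in hms.split(":"))
    return (h * 3600 + m * 60 + s) * 1_000_000 + int(frac.ljust(6, "0")[:6])


def analyse(lines, my_addr):
    pkts = [p for p in map(parse_udp, lines) if p]
    hits = [p for p in pkts if is_slammer(p)]
    span = (ts_micros(hits[-1]["ts"]) - ts_micros(hits[0]["ts"])) / 1e6 if len(hits) > 1 else 0.0
    wire_bytes = len(hits) * (SLAMMER_PAYLOAD + FRAME_OVERHEAD)
    return {
        "udp_packets": len(pkts),
        "slammer_packets": len(hits),
        "sources": dict(Counter(p["src"] for p in hits)),
        "dst_kinds": dict(Counter(dst_kind(p["dst"], my_addr) for p in hits)),
        "wire_bytes": wire_bytes,
        "bytes_per_sec": wire_bytes / span if span > 0 else 0.0,
    }


if __name__ == "__main__":
    # Usage: tcpdump -n -i eth0 udp > cap.txt; python3 slammer_check.py cap.txt 217.77.32.186
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE
    me = sys.argv[2] if len(sys.argv) > 2 else "217.77.32.186"
    for key, value in analyse(lines, me).items():
        print(f"{key}: {value}")
    for p in map(parse_udp, lines):
        if p and is_slammer(p) and dst_kind(p["dst"], me) == "multicast":
            print(f"{p['dst']} -> group MAC {multicast_mac(p['dst'])}")
```

Two practical points. The posted excerpt shows about ten worm packets per second, which at roughly 418 bytes on the wire is a few kB/s, nowhere near 260 kB/s, so to account for the whole rate capture unfiltered with "tcpdump -w" for a minute and feed the text form of the full capture through the script rather than a hand-picked window. And because these packets never reach the INPUT chain, a rule in the PREROUTING chain of the mangle table ("iptables -t mangle -I PREROUTING -i eth0 -p udp --dport 1434") is the place to get a byte counter for them from iptables itself.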
Re: Large, constant incoming traffic

On Thursday 13 May 2004, 20:15, Lars Ellenberg wrote:
> > 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
>
> ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server, was infected, and now tries to compromise the world, and its own subnet, which you happen to be in.

Oh, I see. But one thing I do not understand: it doesn't seem like this traffic is directed at me, since it's not my address that's the destination...? Are they routing their traffic through me or something?

> iirc there has been some worm targeting Microsoft SQL server early 2003, maybe it is still active sometimes, maybe there is a new one.

OK. I tried nmap -O 217.77.34.162 but got nothing. I have found that they are running IIS on their web server though. And I can't find any hosts in that company's netblock.

> you are safe, but this should show in some DROP or REJECT statistics. have a look at the output of iptables -vnL

OK. Very little there... It is not very detailed, since I'm using -P, is that a Bad Idea? This is what it says:

Chain INPUT (policy DROP 157K packets, 10M bytes)

That's still nowhere near the total amount of data I've been getting. There's of course a lot more, but nothing that seems relevant.

BTW, would I have anything to lose by going

iptables -I INPUT -i eth0 -s 217.77.34.162 -j REJECT

> you want to tell the guy responsible for 217.77.34.162, and the hostmaster at easynet.no, that they have a compromised machine, and should take it offline.

Hm, OK, but I need to feel a little more certain about what's going on... Given that I find no signs that the machine is actually up, and that I still don't understand the traffic pattern, and that

> you want them to pay for the traffic they are causing you.

Well, it is more the time I've been wasting, I spent almost two full days, in a very critical period... But I do not expect to be charged for the bandwidth, no...

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Large, constant incoming traffic

On Thursday 13 May 2004, 20:37, Gian Piero Carrubba wrote:
> On Thu, 2004-05-13 at 19:53, Kjetil Kjernsmo wrote:
> [...]
> > 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
> > 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
>
> A switched lan, I see ;)

Hehe, it doesn't mean so much to me right now, but a Google will educate...

> It can be slammer [1] (if so, I guess why the ISP tech is so busy :)

Yeah, that seems to be the consensus...

> As you run snort, the eth is probably in promiscuous mode. I think this is the reason you see the ifconfig counter increasing (though the packets aren't leading to your server). This and a non-switched lan, of course.

Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I don't think I ever got Snort to work right... :-)

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Large, constant incoming traffic

* Kjetil Kjernsmo:
> Oh, I see. But one thing I do not understand: it doesn't seem like this traffic is directed at me, since it's not my address that's the destination...? Are they routing their traffic through me or something?

It's some odd switch-router whose forwarding table is overflowed by Slammer, and it switches to broadcast mode. Or something like that.

Have you been able to contact anyone at Easynet?

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the following domains: atlas.cz, bigpond.com, di-ve.com, hotmail.com, jumpy.it, libero.it, netscape.net, postino.it, simplesnet.pt, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr, yahoo.com.
Re: Large, constant incoming traffic

On Thursday 13 May 2004, 22:10, Florian Weimer wrote:
> * Kjetil Kjernsmo:
> > Oh, I see. But one thing I do not understand: it doesn't seem like this traffic is directed at me, since it's not my address that's the destination...? Are they routing their traffic through me or something?
>
> It's some odd switch-router whose forwarding table is overflowed by Slammer, and it switches to broadcast mode. Or something like that.
>
> Have you been able to contact anyone at Easynet?

Yup, I finally had a chat with someone there, but he wasn't the network guy, though. But what he said was that the server had been moved out of their network long ago, and they hadn't really any idea where the box was broadcasting from. Not that I understand it, but I was told to call tomorrow morning and talk with the network guy; he had noticed some abnormal activity, but not seen as much as I had. But we should be able to track it down together.

But I think we've found out what it was, yes! Thanks a lot folks!

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Large, constant incoming traffic

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all!

I turn to you with a bit of desperation now. It feels like I'm under some kind of attack. Maybe I've even been compromised. The last few days, I've experienced an insane and constant amount of incoming traffic. I'm not sure how long it has lasted, but I would think 3-4 days, and it is constant at 260 kB/s. It varies very little from that number, perhaps down to 255 sometimes, and sometimes up to 265, but essentially, it changes very little over time, at least over an interval of a couple of seconds. And I can't for the life of me figure out where it's coming from...

This is what netstat says:

[EMAIL PROTECTED]:~$ netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4               0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 217.77.32.186:53        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 217.77.32.186:22        80.213.253.77:32782     ESTABLISHED
tcp        0      0 217.77.32.186:22        80.213.253.77:33738     ESTABLISHED
tcp        0    272 217.77.32.186:22        80.213.253.77:32778     ESTABLISHED

217.77.32.186 is my server, the machine that is in trouble, and 80.213.253.77 is the current IP of my workstation. There are connections now and then, but nothing unnatural, and nothing that can account for the fact that there aren't variations... Most of the listening ports are actually firewalled off from the world:

(The 1654 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
4/tcp   open  unknown
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3

(port 4 is SFS, which is in Debian, nmap should perhaps be told...?)

The filtered ports should drop packets. In addition to the occasional netstat, I'm looking closely with ksysguard. There is a ksysguardd running at the remote machine, which is giving me the data. It is all in agreement with what netstat says, and the data rate is in agreement too; I have verified it by running ifconfig twice 100 seconds apart and comparing the "RX bytes:" entry. I did a kernel upgrade yesterday, so I have even rebooted the machine, and since the reboot, it has according to ifconfig received something like 3 GiB of data. In one day... But this makes it likely that there isn't a local fault, I think.

Also, there is little outgoing traffic. I have no idea where all those data are going... There is certainly not room for them on the hard drive, unless somebody is in the box and is deleting stuff, and has du and df trojanned, but then df shows the same as /proc/partitions. I can't see anything abnormal, neither on the disks, in the logs, in the connections made to the machine, in the process table or anything... But then, I don't really know too much about looking... :-)

Since my workstation is the only machine I can see that has a persistent connection to the server, I've investigated the possibility that something here is causing it. But there is little outgoing traffic here, so it seems extremely unlikely.

I think it looks like something is throwing packets at me, and doesn't care what happens to them... However, then I would think the packets were thrown at an open port, because I would think that since iptables would drop the packets, it would show up in the statistics as dropped, and it isn't. Or, is it possible that the statistics are simply wrong: there are no data being thrown at me?

I've briefly talked with my hosting company, and they've got a good Linux guy there, but he was too busy to help me now. If I haven't already, I'm afraid I'll hit my 10 GB/month quota very soon now. I really don't want that to happen, especially if it isn't my fault that this is happening.

I run AIDE, and I run chkrootkit occasionally. I've gone through the auto-setup of a backport of Snort, but it has never actually told me anything, so I suppose it isn't really configured. I'm trying a Nessus attack against the poor box now, but it is very slow...

Thanks for reading this far, and, well, your ideas on what I can do would be much appreciated.

Best,

Kjetil
- -- 
Kjetil Kjernsmo
Astrophysicist/IT
Re: Large, constant incoming traffic

Kjetil Kjernsmo wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all!
>
> I turn to you with a bit of desperation now. It feels like I'm under some kind of attack. Maybe I've even been compromised. The last few days, I've experienced an insane and constant amount of incoming traffic. I'm not sure how long it has lasted, but I would think 3-4 days, and it is constant at 260 kB/s. It varies very little from that number, perhaps down to 255 sometimes, and sometimes up to 265, but essentially, it changes very little over time, at least over an interval of a couple of seconds. And I can't for the life of me figure out where it's coming from...
>
> This is what netstat says:
>
> [EMAIL PROTECTED]:~$ netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:4               0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:53        0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:22        80.213.253.77:32782     ESTABLISHED
> tcp        0      0 217.77.32.186:22        80.213.253.77:33738     ESTABLISHED
> tcp        0    272 217.77.32.186:22        80.213.253.77:32778     ESTABLISHED
>
> 217.77.32.186 is my server, the machine that is in trouble, and 80.213.253.77 is the current IP of my workstation. There are connections now and then, but nothing unnatural, and nothing that can account for the fact that there aren't variations... Most of the listening ports are actually firewalled off from the world:
>
> (The 1654 ports scanned but not shown below are in state: filtered)
> PORT    STATE SERVICE
> 4/tcp   open  unknown
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 110/tcp open  pop3

hi kjetil!

please start up tcpdump and/or ethereal and check what kind of packets are going by... and the best would be to do so on a probe in the network. if you need help with this, ask!

regards,
mike
-- 
TGM / it-service
A-1200 Wien, Wexstr. 19-23
tel. +43-1-33126-316  fax. +43-1-33126-154
email: [EMAIL PROTECTED]  trap: [EMAIL PROTECTED]
Re: Large, constant incoming traffic
On torsdag 13. mai 2004, 19:32, Robert Jakubowski wrote: The best way to see what is going on is to dump the traffic to a file and analyse it. Tcpdump and ethereal are great tools for that purpose. Great! Reagan Blundell also told me about them offline. Ethereal will make the job easier and should give you a clue. If you are affraid the server has been compromised you have to use another computer to get reliable information. I don't know your network setup and what you have at disposal. If it is cable/DSL you could connect your server through a hub, hook up the other computer to the hub and do the dump (you may have to use a crossover cable between the modem and the hub). Yup. It's in server hosting at a provider, and I don't have physical access there... So, I have no option but to do it remotely (or perhaps I could if eth0 was promiscuous, but it isn't?). Anyway, what I see in tcpdump after filtering out my own ssh traffic, and some DNS traffic (which might have something to do with it, but makes a lot of noise), I see (easynet.no is my provider): 19:41:29.459644 217.77.34.162.2090 226.122.204.181.1434: udp 376 [ttl 1] 19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no 19:41:29.675637 217.77.34.162.2090 234.195.198.113.1434: udp 376 [ttl 1] 19:41:29.786000 217.77.34.162.2090 226.210.233.101.1434: udp 376 [ttl 1] 19:41:30.013227 217.77.34.162.2090 226.115.252.196.1434: udp 376 [ttl 1] 19:41:30.120437 217.77.34.162.2090 234.221.95.51.1434: udp 376 [ttl 1] 19:41:30.449589 217.77.34.162.2090 226.53.242.62.1434: udp 376 [ttl 1] 19:41:30.556784 217.77.34.162.2090 234.225.213.78.1434: udp 376 [ttl 1] 19:41:30.563271 arp who-has 217.77.32.171 tell core-1-e2.easynet.no 19:41:30.683433 arp who-has 217.77.34.95 tell core-1-e3.easynet.no 19:41:30.773817 217.77.34.162.2090 226.95.50.32.1434: udp 376 [ttl 1] 19:41:30.800550 pooh.kjernsmo.net.39441 www.easynet.no.domain: 6695+ PTR? 78.79.65.194.in-addr.arpa. 
(43) (DF) 19:41:30.884041 217.77.34.162.2090 234.111.203.166.1434: udp 376 [ttl 1] 19:41:31.212205 217.77.34.162.2090 234.209.110.68.1434: udp 376 [ttl 1] 19:41:31.321424 www.easynet.no.domain pooh.kjernsmo.net.39445: 61615 1/2/0 (106) (DF) 19:41:31.429747 217.77.34.162.2090 226.20.247.203.1434: udp 376 [ttl 1] 19:41:31.563113 arp who-has 217.77.32.171 tell core-1-e2.easynet.no 19:41:31.648080 217.77.34.162.2090 234.191.213.120.1434: udp 376 [ttl 1] 19:41:31.683087 arp who-has 217.77.34.95 tell core-1-e3.easynet.no 19:41:31.755080 217.77.34.162.2090 234.234.114.255.1434: udp 376 [ttl 1] 19:41:31.973809 217.77.34.162.2090 226.44.34.125.1434: udp 376 [ttl 1] 19:41:32.083993 217.77.34.162.2090 226.58.55.41.1434: udp 376 [ttl 1] 19:41:32.192344 217.77.34.162.2090 234.247.236.46.1434: udp 376 [ttl 1] M, I don't know what machine 217.77.34.162 is, but I wouldn't be surprised if it sits in the same server room as my box... Does this tell you anything. Thanks a lot for the help! Best, Kjetil -- Kjetil Kjernsmo Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC
Re: Large, constant incoming traffic
/ 2004-05-13 19:53:33 +0200 \ Kjetil Kjernsmo: On torsdag 13. mai 2004, 19:32, Robert Jakubowski wrote: The best way to see what is going on is to dump the traffic to a file and analyse it. Tcpdump and ethereal are great tools for that purpose. Great! Reagan Blundell also told me about them offline. Ethereal will make the job easier and should give you a clue. If you are affraid the server has been compromised you have to use another computer to get reliable information. I don't know your network setup and what you have at disposal. If it is cable/DSL you could connect your server through a hub, hook up the other computer to the hub and do the dump (you may have to use a crossover cable between the modem and the hub). Yup. It's in server hosting at a provider, and I don't have physical access there... So, I have no option but to do it remotely (or perhaps I could if eth0 was promiscuous, but it isn't?). Anyway, what I see in tcpdump after filtering out my own ssh traffic, and some DNS traffic (which might have something to do with it, but makes a lot of noise), I see (easynet.no is my provider): 19:41:29.459644 217.77.34.162.2090 226.122.204.181.1434: udp 376 [ttl 1] 19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no 19:41:29.675637 217.77.34.162.2090 234.195.198.113.1434: udp 376 [ttl 1] ok, chances are that 217.77.34.162 runs an unpatches MS-SQL server, was infected, and now tries to compromise the world, and its own subnet, where you happen to be in. iirc there has been some worm targetting Microsoft SQL server early 2003, maybe it is still active sometimes, maybe there is a new one. you are safe, but this should show in some DROP or REJECT statistics. have a look at the output of iptables -vnL you want to tell the guy responsible for 217.77.34.162, and the hostmaster at easynet.no, that they have a compromised machine, and should take it offline. and that you want them to pay for the traffic they are causing you. Lars Ellenberg
Re: Large, constant incoming traffic
On Thu, May 13, 2004 at 07:53:33PM +0200, Kjetil Kjernsmo wrote:
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
>
> M, I don't know what machine 217.77.34.162 is, but I wouldn't be surprised if it sits in the same server room as my box... Does this tell you anything.

Looks like the SQL/Slammer worm. It targets UDP port 1434 (MS-SQL servers listen there), consists of single packets that are 376 bytes in size and causes much traffic.

Seems like the machine at 217.77.34.162 is infected, so not much you can do to stop this packet flood. May try to contact the server admin and convince him to reboot and patch the MS-SQL server. Or ask your provider to block incoming packets on this port for your server.

Some sites with more information about this worm:
http://www.f-secure.com/v-descs/mssqlm.shtml
http://vil.nai.com/vil/content/v_2.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
http://www.viruslist.com/eng/viruslist.html?id=59159

HTH,
Michel

-- 
Michel Messerschmidt [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg
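As an added example (not part of the thread), a small Python parser over tcpdump lines in the format quoted above. It picks out the pattern Michel describes (a single UDP datagram, 376-byte payload, destination port 1434), counts matches per source, reports how many were not addressed to the local host at all, and converts an RX byte rate like Kjetil's 260 kB/s into an approximate frame rate. The sample dump is constructed from the lines quoted in the thread plus one DNS query as noise; the per-frame overhead (14 Ethernet + 20 IP + 8 UDP bytes) is an assumption about what the ifconfig RX counter includes.

```python
import re
from collections import Counter

# Slammer pattern as described in the thread: one UDP datagram with a
# 376-byte payload sent to port 1434 (the MS-SQL resolution service).
SLAMMER_PORT = 1434
SLAMMER_UDP_LEN = 376
# Assumed bytes counted per frame by ifconfig RX: Ethernet + IP + UDP headers.
FRAME_OVERHEAD = 14 + 20 + 8

# tcpdump UDP line: "HH:MM:SS.usec src.port > dst.port: udp LEN ..."
UDP_LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d\.\d+) (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): udp (\d+)"
)

# Constructed sample: the lines quoted in the thread plus a DNS query as noise.
SAMPLE = """\
19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
19:41:32.301122 217.77.32.186.32771 > 217.77.32.1.53: udp 40
"""

def parse_udp(line):
    """Return (seconds_of_day, src, dst, dport, payload_len) or None for non-UDP lines."""
    m = UDP_LINE.match(line)
    if not m:
        return None
    h, mi, s, src, _sport, dst, dport, length = m.groups()
    return int(h) * 3600 + int(mi) * 60 + float(s), src, dst, int(dport), int(length)

def is_slammer(pkt):
    _, _, _, dport, length = pkt
    return dport == SLAMMER_PORT and length == SLAMMER_UDP_LEN

def summarize(dump, local_ip):
    """Count Slammer-pattern packets per source and how many were not addressed
    to local_ip, i.e. traffic we only see because the segment leaks it to us."""
    pkts = [p for p in map(parse_udp, dump.splitlines()) if p and is_slammer(p)]
    per_source = Counter(p[1] for p in pkts)
    not_for_us = sum(1 for p in pkts if p[2] != local_ip)
    return {"total": len(pkts), "per_source": dict(per_source), "not_for_us": not_for_us}

def frames_per_second(bytes_per_second, payload_len=SLAMMER_UDP_LEN):
    """Approximate number of Slammer frames implied by a given RX byte rate."""
    return bytes_per_second / (FRAME_OVERHEAD + payload_len)
```

With the thread's 260 kB/s, frames_per_second(260_000) gives roughly 622 frames per second, all of them in this sample addressed to hosts other than 217.77.32.186.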
Re: Large, constant incoming traffic
On Thursday 13 May 2004, 20:15, Lars Ellenberg wrote:
> > 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
>
> ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server, was infected, and now tries to compromise the world, and its own subnet, where you happen to be in.

Oh, I see. But one thing I do not understand, it doesn't seem like this traffic is directed at me, since it's not my address that's the destination...? Are they routing their traffic through me or something?

> iirc there has been some worm targeting Microsoft SQL server early 2003, maybe it is still active sometimes, maybe there is a new one.

OK. I tried nmap -O 217.77.34.162 but got nothing. I have found that they are running IIS on their web server though. And I can't find any hosts in that company's netblock.

> you are safe, but this should show in some DROP or REJECT statistics. have a look at the output of iptables -vnL

OK. Very little there... It is not very detailed, since I'm using -P, is that a Bad Idea? This is what it says:

Chain INPUT (policy DROP 157K packets, 10M bytes)

That's still nowhere near the total amount of data I've been getting. There's of course a lot more, but nothing that seems relevant.

BTW, would I have anything to lose by going
iptables -I INPUT -i eth0 -s 217.77.34.162 -j REJECT

> you want to tell the guy responsible for 217.77.34.162, and the hostmaster at easynet.no, that they have a compromised machine, and should take it offline.

Hm, OK, but I need to feel a little more certain about what's going on... Given I find no signs that the machine is actually up, and that I still don't understand the traffic pattern, and

> that you want them to pay for the traffic they are causing you.

Well, it is more the time I've been wasting, I spent almost two full days, in a very critical period... But I do not expect to be charged for the bandwidth, no...

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Large, constant incoming traffic
On Thu, 2004-05-13 at 19:53, Kjetil Kjernsmo wrote:
[...]
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]

A switched lan, I see ;)

It can be slammer [1] (if so, I guess why the ISP tech is so busy :)

As you run snort, the eth is probably in promiscuous mode. I think this is the reason you see ifconfig counter increasing (though the packets aren't leading to your server). This and a non-switched lan, of course.

Ciao,
Gian Piero.

[1] http://enterprisesecurity.symantec.com/content.cfm?articleid=3261EID=0
Re: Large, constant incoming traffic
On Thursday 13 May 2004, 20:37, Gian Piero Carrubba wrote:
> On Thu, 2004-05-13 at 19:53, Kjetil Kjernsmo wrote:
> [...]
> > 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
> > 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
>
> A switched lan, I see ;)

Hehe, it doesn't mean so much to me right now, but a Google will educate...

> It can be slammer [1] (if so, I guess why the ISP tech is so busy :)

Yeah, it seems consensus about that...

> As you run snort, the eth is probably in promiscuous mode. I think this is the reason you see ifconfig counter increasing (though the packets aren't leading to your server). This and a non-switched lan, of course.

Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I don't think I ever got Snort to work right... :-)

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Large, constant incoming traffic
* Kjetil Kjernsmo:

> Oh, I see. But one thing I do not understand, it doesn't seem like this traffic is directed at me, since it's not my address that's the destination...? Are they routing their traffic through me or something?

It's some odd switch-router whose forwarding table is overflown by Slammer, and it switches to broadcast mode. Or something like that.

Have you been able to contact anyone at Easynet?

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the following domains: atlas.cz, bigpond.com, di-ve.com, hotmail.com, jumpy.it, libero.it, netscape.net, postino.it, simplesnet.pt, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr, yahoo.com.
Re: Large, constant incoming traffic
On Thursday 13 May 2004, 22:10, Florian Weimer wrote:
> * Kjetil Kjernsmo:
>
> > Oh, I see. But one thing I do not understand, it doesn't seem like this traffic is directed at me, since it's not my address that's the destination...? Are they routing their traffic through me or something?
>
> It's some odd switch-router whose forwarding table is overflown by Slammer, and it switches to broadcast mode. Or something like that.
>
> Have you been able to contact anyone at Easynet?

Yup, I finally had a chat with someone there, but he wasn't the network guy, though. But what he said was that the server had been moved out of their network long ago, and they hadn't really an idea where the box was broadcasting from. Not that I understand it, but I was told to call tomorrow morning and talk with the network guy, he had noticed some abnormal activity, but not seen as much as I had. But we should be able to track it down together.

But I think we've found out what it was, yes! Thanks a lot folks!

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC