Re: Large, constant incoming traffic

2004-05-18 Thread Kjetil Kjernsmo
On Tuesday 18 May 2004, 14:17, Javier Fernández-Sanguino Peña wrote:
> On Thu, May 13, 2004 at 09:02:45PM +0200, Kjetil Kjernsmo wrote:
> > Hm, chkrootkit says that eth0 is not promiscuous... And as I said,
> > I don't think I ever got Snort to work right... :-)
>
> Are you sure that's not a bug in chkrootkit (false negative)? 

No idea! :-) 

> It seems that chkrootkit (since 0.42b-1) fixed this, from the
> changelog: * ifpromisc now parses /proc/net/packet so that it can
> provide better diagnostics. (forwarded patch upstream) (closes:
> #214990)
>
> But you would not see that if you are running stable (no backports)
> and linux 2.4

I'm using a backport of chkrootkit, specifically Norbert's, it says:
chkrootkit version 0.43

But for all I know "better diagnostics" doesn't really imply that it 
can't be a false negative... 

BTW, the traffic has just ceased, so my ISP has apparently been able to 
pin it down. I have sent them a message asking what happened, but 
haven't got a response.

I really feel like sending the people responsible for this machine an 
invoice for two days of consultancy, that's the real cost for me. 
People need to realize that damage inflicted on others is also a part 
of Windows TCO... At least to see what happens. 

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC



Re: Large, constant incoming traffic

2004-05-18 Thread Javier Fernández-Sanguino Peña
On Thu, May 13, 2004 at 05:52:36PM +0200, Kjetil Kjernsmo wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Hi all!
> 
> I turn to you with a bit of desperation now. It feels like I'm under 
(...)

> And I can't for the life of me figure out where it's coming from... 
(...)

I know the issue is solved now, but, besides tcpdump and ethereal 
(mentioned already) you might want to use iptraf or ntop in order to obtain 
good statistics of the network (by IP address, by port...) and detect the 
culprit sooner.

Just my 2c.

Javier




Re: Large, constant incoming traffic

2004-05-18 Thread Javier Fernández-Sanguino Peña
On Thu, May 13, 2004 at 09:02:45PM +0200, Kjetil Kjernsmo wrote:
> 
> Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I 
> don't think I ever got Snort to work right... :-) 

Are you sure that's not a bug in chkrootkit (false negative)? I introduced 
a change in Tiger [1] because chkrootkit's ifpromisc check did not properly 
handle the situation on Linux 2.4 and up. From the CVS:

"This only concerns Linux and kernel version 2.4 and up.
The ancient "problem" with promiscuous mode detection lies in the fact that the
SIOCGIFFLAGS ioctl sets a flag called IFF_PROMISC. This flag is read by
ifconfig and for instance Chkrootkit's ifpromisc. However, libpcap/libnet
applications use setsockopt's MR_PACKET_PROMISC which is a counter. This
counter cannot be read by ifconfig or ifpromisc. The only viable
alternative is to rely on the /sbin/ip binary from Alexey Kuznetsov's
"iproute2" package."

It seems that chkrootkit (since 0.42b-1) fixed this, from the changelog:
 * ifpromisc now parses /proc/net/packet so that it can provide better diagnostics. (forwarded patch upstream) (closes: #214990)

But you would not see that if you are running stable (no backports) and 
Linux 2.4.

Just FYI

Regards

Javier

[1] 
http://savannah.nongnu.org/cgi-bin/viewcvs/tiger/tiger/scripts/check_known
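
An added example (my code, not chkrootkit's, Tiger's or anyone's on the list) of the two checks Javier's mail points at: it parses /proc/net/packet for the PF_PACKET sockets a sniffer needs, takes the interface flags and promiscuity counter from iproute2's `ip -d -o link show` rather than from the SIOCGIFFLAGS ioctl, and maps each packet socket's inode to its owning process via /proc. The sample file and command output are constructed; the `promiscuity` field assumes a kernel and iproute2 new enough to print it.

```python
"""Check for sniffers and promiscuous interfaces on Linux.

Added example, not code from chkrootkit, Tiger or anyone on the list. It
reads /proc/net/packet (the PF_PACKET sockets a sniffer needs, which the
chkrootkit 0.42b-1 ifpromisc parses) and iproute2's `ip -d -o link show`
(the PROMISC flag plus, on newer kernels, the promiscuity counter that
PACKET_MR_PROMISC bumps and that SIOCGIFFLAGS/ifconfig does not reflect).
"""
import glob
import os
import re
import subprocess

# Constructed /proc/net/packet: a raw ETH_P_ALL socket bound to ifindex 2
# (a sniffer on eth0) and a DGRAM socket bound to ifindex 0 (any interface).
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto Iface R Rmem   User   Inode
ffff8800 3      3    0003  2     1 0      0      12345
ffff8801 2      2    0800  0     1 0      1000   12346
"""

# Constructed `ip -d -o link show` output: eth0 is promiscuous through the
# counter only (the tcpdump/libpcap case), so its flag list lacks PROMISC.
SAMPLE_IP_LINK = (
    "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN "
    "mode DEFAULT group default qlen 1000\\    link/loopback "
    "00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0\n"
    "2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast "
    "state UP mode DEFAULT group default qlen 1000\\    link/ether "
    "00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff promiscuity 1 minmtu 68\n"
)

IP_LINK_RE = re.compile(r"^(?P<idx>\d+): (?P<name>[^:@\s]+)(?:@\S+)?: <(?P<flags>[^>]*)>")

def parse_packet_sockets(text):
    """One dict per PF_PACKET socket listed in /proc/net/packet."""
    sockets = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 9:
            continue
        sockets.append({
            "type": int(f[2]),        # 3 = SOCK_RAW, 2 = SOCK_DGRAM
            "proto": int(f[3], 16),   # 0x0003 = ETH_P_ALL, i.e. everything
            "ifindex": int(f[4]),     # 0 = unbound, receives from all
            "uid": int(f[7]),
            "inode": int(f[8]),
        })
    return sockets

def parse_ip_link(text):
    """Map ifindex -> name, flags and promiscuity from `ip -d -o link show`."""
    links = {}
    for line in text.splitlines():
        m = IP_LINK_RE.match(line)
        if not m:
            continue
        counter = re.search(r"\bpromiscuity (\d+)", line)
        links[int(m["idx"])] = {
            "name": m["name"],
            "flags": set(m["flags"].split(",")),
            "promiscuity": int(counter[1]) if counter else 0,  # old iproute2: absent
        }
    return links

def promisc_report(proc_net_packet_text, ip_link_text):
    """Per interface: promiscuous state and the packet sockets that see it."""
    sockets = parse_packet_sockets(proc_net_packet_text)
    report = {}
    for idx, link in parse_ip_link(ip_link_text).items():
        bound = [s for s in sockets if s["ifindex"] in (0, idx)]
        report[link["name"]] = {
            "promisc_flag": "PROMISC" in link["flags"],
            "promiscuity": link["promiscuity"],
            # Either source counts: the flag alone misses libpcap users.
            "promiscuous": "PROMISC" in link["flags"] or link["promiscuity"] > 0,
            "sniffer_inodes": sorted(s["inode"] for s in bound),
        }
    return report

def pids_holding_socket(inode):
    """Processes whose fd table holds socket:[inode] (needs root to see all)."""
    pids = set()
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == f"socket:[{inode}]":
                pids.add(int(fd.split("/")[2]))
        except OSError:             # process or fd went away meanwhile
            continue
    return sorted(pids)

if __name__ == "__main__":
    proc_text = open("/proc/net/packet").read()
    ip_text = subprocess.run(["ip", "-d", "-o", "link", "show"],
                             capture_output=True, text=True, check=True).stdout
    for name, info in promisc_report(proc_text, ip_text).items():
        owners = {i: pids_holding_socket(i) for i in info["sniffer_inodes"]}
        print(name, "PROMISCUOUS" if info["promiscuous"] else "normal", owners)
```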




Re: Large, constant incoming traffic

2004-05-13 Thread Kjetil Kjernsmo
On Thursday 13 May 2004, 22:10, Florian Weimer wrote:
> * Kjetil Kjernsmo:
> > Oh, I see. But one thing I do not understand, it doesn't seem like
> > this traffic is directed at me, since it's not my address that's
> > the destination...? Are they routing their traffic through me or
> > something?
>
> It's some odd switch-router whose forwarding table is overflown by
> Slammer, and it switches to broadcast mode.  Or something like that.
>
> Have you been able to contact anyone at Easynet?

Yup, I finally had a chat with someone there, but he wasn't the network 
guy, though. But what he said was that the server had been moved out of 
their network long ago, and they hadn't really an idea where the box 
was broadcasting from. Not that I understand it, but I was told to 
call tomorrow morning and talk with the network guy; he had noticed some 
abnormal activity, but not seen as much as I had. But we should be able 
to track it down together.

But I think we've found out what it was, yes! Thanks a lot folks!

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC



Re: Large, constant incoming traffic

2004-05-13 Thread Florian Weimer
* Kjetil Kjernsmo:

> Oh, I see. But one thing I do not understand, it doesn't seem like this 
> traffic is directed at me, since it's not my address that's the 
> destination...? Are they routing their traffic through me or something? 

It's some odd switch-router whose forwarding table is overflown by
Slammer, and it switches to broadcast mode.  Or something like that.

Have you been able to contact anyone at Easynet?

-- 
Current mail filters: many dial-up/DSL/cable modem hosts, and the
following domains: atlas.cz, bigpond.com, di-ve.com, hotmail.com,
jumpy.it, libero.it, netscape.net, postino.it, simplesnet.pt,
tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr, yahoo.com.



Re: Large, constant incoming traffic

2004-05-13 Thread Kjetil Kjernsmo
On Thursday 13 May 2004, 20:37, Gian Piero Carrubba wrote:
> On Thu, 2004-05-13 at 19:53, Kjetil Kjernsmo wrote:
>
> [...]
>
> > 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376 [ttl 1]
> > 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434:  udp 376 [ttl 1]
>
> A switched lan, I see ;)

Hehe, it doesn't mean so much to me right now, but a Google will 
educate... 

> It can be slammer [1] (if so, I guess why the ISP tech is so busy :)

Yeah, it seems consensus about that... 

> As you run snort, the eth is probably in promiscuous mode. I think
> this is the reason you see ifconfig counter increasing (though the
> packets aren't leading to your server). This and a non-switched lan,
> of course.

Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I 
don't think I ever got Snort to work right... :-) 

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC



Re: Large, constant incoming traffic

2004-05-13 Thread Gian Piero Carrubba
On Thu, 2004-05-13 at 19:53, Kjetil Kjernsmo wrote:

[...]
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434:  udp 376 [ttl 1]

A switched lan, I see ;)
It can be slammer [1] (if so, I guess why the ISP tech is so busy :)
As you run snort, the eth is probably in promiscuous mode. I think this
is the reason you see ifconfig counter increasing (though the packets
aren't leading to your server). This and a non-switched lan, of course.

Cheers,
Gian Piero.

[1]
http://enterprisesecurity.symantec.com/content.cfm?articleid=3261&EID=0



Re: Large, constant incoming traffic

2004-05-13 Thread Kjetil Kjernsmo
On Thursday 13 May 2004, 20:15, Lars Ellenberg wrote:

> > 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376 [ttl 1]
>
> ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server,
> was infected, and now tries to compromise the world, and its own
> subnet, which you happen to be in.

Oh, I see. But one thing I do not understand, it doesn't seem like this 
traffic is directed at me, since it's not my address that's the 
destination...? Are they routing their traffic through me or something? 

> iirc there has been some worm targeting Microsoft SQL server in early
> 2003, maybe it is still active sometimes, maybe there is a new one.

OK. I tried nmap -O 217.77.34.162 but got nothing. I have found that 
they are running IIS on their web server though. And I can't find any 
hosts in that company's netblock. 

>
> you are "safe", but this should show in some "DROP" or "REJECT"
> statistics. have a look at the output of "iptables -vnL"

OK. Very little there... It is not very detailed, since I'm using -P, is 
that a Bad Idea?
This is what it says:
Chain INPUT (policy DROP 157K packets, 10M bytes)
That's still nowhere near the total amount of data I've been getting. 

There's of course a lot more, but nothing that seems relevant. 

BTW, would I have anything to lose by going

iptables -I INPUT -i eth0 -s 217.77.34.162 -j REJECT

> you want to tell the guy responsible for 217.77.34.162, and the
> hostmaster at easynet.no, that they have a compromised machine, and
> should take it offline.

Hm, OK, but I need to feel a little more certain about what's going 
on... Given I find no signs that the machine is actually up, and that I 
still don't understand the traffic pattern, 

> and that you want them to pay for the traffic they are causing you.

Well, it is more the time I've been wasting, I spent almost two full 
days, in a very critical period... But I do not expect to be charged 
for the bandwidth, no... 

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC



Re: Large, constant incoming traffic

2004-05-13 Thread Michel Messerschmidt
On Thu, May 13, 2004 at 07:53:33PM +0200, Kjetil Kjernsmo wrote:
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434:  udp 376 [ttl 1]
> 
> M, I don't know what machine 217.77.34.162 is, but I wouldn't be 
> surprised if it sits in the same server room as my box... Does this 
> tell you anything.

Looks like the SQL/Slammer worm. It targets UDP port 1434 (MS-SQL servers
listen there), consists of single packets that are 376 bytes in size and causes
much traffic.
Seems like the machine at 217.77.34.162 is infected, so there is not much you
can do to stop this packet flood. You may try to contact the server admin and
convince him to reboot and patch the MS-SQL server. Or ask your provider to
block incoming packets on this port for your server.

Some sites with more information about this worm:
http://www.f-secure.com/v-descs/mssqlm.shtml
http://vil.nai.com/vil/content/v_2.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
http://www.viruslist.com/eng/viruslist.html?id=59159


HTH,
Michel
-- 
Michel Messerschmidt   [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg
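
As an added example (my code, not anything posted in the thread), the signature Michel describes, applied to tcpdump text lines in the format Kjetil quoted: 376-byte UDP datagrams to port 1434, one source spraying many destinations. It also counts how many of those destinations are multicast (the ones a switch floods out of every port) and how many were actually addressed to the local host, which is what decides whether the flood could ever show in the host's own iptables INPUT counters. The capture is a constructed sample built from the lines on the list plus one ordinary UDP packet; the spray threshold and the local address are assumptions.

```python
"""Flag SQL Slammer-style UDP floods in tcpdump text output.

Added example, not from the thread: it parses the tcpdump line format
quoted on the list and applies the signature Michel describes (single
UDP datagrams of 376 bytes to port 1434, one source spraying many
destinations). The spray threshold and the local address are assumptions.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

SLAMMER_PORT = 1434         # MS-SQL resolution service
SLAMMER_UDP_LEN = 376       # the "udp 376" tcpdump prints
MIN_DISTINCT_DSTS = 5       # assumed: fewer than this is not a spray

# Matches the tcpdump UDP summary line; ARP and DNS lines do not match.
UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\w.\-]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.\-]+)\.(?P<dport>\d+):\s+udp (?P<length>\d+)"
)

# Constructed sample in the format quoted on the list, plus one ordinary
# UDP packet (an NTP poll from the server) to show it is not flagged.
SAMPLE_CAPTURE = """\
19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434:  udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376 [ttl 1]
19:41:29.786000 217.77.34.162.2090 > 226.210.233.101.1434:  udp 376 [ttl 1]
19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434:  udp 376 [ttl 1]
19:41:30.500000 217.77.32.186.123 > 217.77.32.1.123:  udp 48
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain:  6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:30.884041 217.77.34.162.2090 > 234.111.203.166.1434:  udp 376 [ttl 1]
19:41:31.212205 217.77.34.162.2090 > 234.209.110.68.1434:  udp 376 [ttl 1]
19:41:31.429747 217.77.34.162.2090 > 226.20.247.203.1434:  udp 376 [ttl 1]
19:41:31.648080 217.77.34.162.2090 > 234.191.213.120.1434:  udp 376 [ttl 1]
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376 [ttl 1]
19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434:  udp 376 [ttl 1]
"""

def parse_udp_line(line):
    """Fields of one tcpdump UDP line, or None for any other line."""
    m = UDP_LINE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%H:%M:%S.%f"),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "length": int(m["length"]),
    }

def is_slammer_datagram(pkt):
    """The worm's single-packet signature: 376 bytes of UDP to port 1434."""
    return pkt["dport"] == SLAMMER_PORT and pkt["length"] == SLAMMER_UDP_LEN

def is_multicast(addr):
    try:
        return ipaddress.ip_address(addr).is_multicast
    except ValueError:          # a hostname rather than an address
        return False

def find_slammer_sources(capture_text, local_addrs=()):
    """Per source, summarise the Slammer-signature datagrams seen.

    'to_us' counts datagrams actually addressed to one of local_addrs; only
    those could ever show up in the host's iptables INPUT counters, the rest
    were merely flooded past it on the segment.
    """
    seen = defaultdict(list)
    for line in capture_text.splitlines():
        pkt = parse_udp_line(line)
        if pkt and is_slammer_datagram(pkt):
            seen[pkt["src"]].append(pkt)
    report = {}
    for src, pkts in seen.items():
        dsts = {p["dst"] for p in pkts}
        if len(dsts) < MIN_DISTINCT_DSTS:
            continue
        elapsed = (pkts[-1]["ts"] - pkts[0]["ts"]).total_seconds()
        report[src] = {
            "packets": len(pkts),
            "distinct_dsts": len(dsts),
            # Multicast destinations are flooded out of every switch port,
            # which is how a host sees them without being their target.
            "multicast_dsts": sum(1 for d in dsts if is_multicast(d)),
            "to_us": sum(1 for p in pkts if p["dst"] in local_addrs),
            "pkts_per_sec": len(pkts) / elapsed if elapsed > 0 else 0.0,
        }
    return report

if __name__ == "__main__":
    for src, info in find_slammer_sources(SAMPLE_CAPTURE, ("217.77.32.186",)).items():
        print(src, info)
```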



Re: Large, constant incoming traffic

2004-05-13 Thread Lars Ellenberg
/ 2004-05-13 19:53:33 +0200
\ Kjetil Kjernsmo:
> On Thursday 13 May 2004, 19:32, Robert Jakubowski wrote:
> > The best way to see what is going on is to dump the traffic to a file
> > and analyse it. Tcpdump and ethereal are great tools for that
> > purpose.
> 
> Great! Reagan Blundell also told me about them offline. 
> 
> > Ethereal will make the job easier and should give you a 
> > clue. If you are afraid the server has been compromised you have to
> > use another computer to get reliable information. I don't know your
> > network setup and what you have at disposal. If it is cable/DSL you
> > could connect your server through a hub, hook up the other computer
> > to the hub and do the dump (you may have to use a crossover cable
> > between the modem and the hub).
> 
> Yup. It's in server hosting at a provider, and I don't have physical 
> access there... So, I have no option but to do it remotely (or perhaps I 
> could if eth0 was promiscuous, but it isn't?).
> 
> Anyway, what I see in tcpdump after filtering out my own ssh traffic, 
> and some DNS traffic (which might have something to do with it, but 
> makes a lot of noise), I see (easynet.no is my provider):
> 
> 19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434:  udp 376 [ttl 1]
> 19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
> 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376 [ttl 1]

ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server,
was infected, and now tries to compromise the world, and its own
subnet, which you happen to be in.

iirc there has been some worm targeting Microsoft SQL server in early 2003,
maybe it is still active sometimes, maybe there is a new one.

you are "safe", but this should show in some "DROP" or "REJECT" statistics.
have a look at the output of "iptables -vnL"

you want to tell the guy responsible for 217.77.34.162, and the
hostmaster at easynet.no, that they have a compromised machine, and
should take it offline.
and that you want them to pay for the traffic they are causing you.

Lars Ellenberg



Re: Large, constant incoming traffic

2004-05-13 Thread Kjetil Kjernsmo
On Thursday 13 May 2004, 19:32, Robert Jakubowski wrote:
> The best way to see what is going on is to dump the traffic to a file
> and analyse it. Tcpdump and ethereal are great tools for that
> purpose.

Great! Reagan Blundell also told me about them offline. 

> Ethereal will make the job easier and should give you a 
> clue. If you are afraid the server has been compromised you have to
> use another computer to get reliable information. I don't know your
> network setup and what you have at disposal. If it is cable/DSL you
> could connect your server through a hub, hook up the other computer
> to the hub and do the dump (you may have to use a crossover cable
> between the modem and the hub).

Yup. It's in server hosting at a provider, and I don't have physical 
access there... So, I have no option but to do it remotely (or perhaps I 
could if eth0 was promiscuous, but it isn't?).

Anyway, what I see in tcpdump after filtering out my own ssh traffic, 
and some DNS traffic (which might have something to do with it, but 
makes a lot of noise), I see (easynet.no is my provider):

19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434:  udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376 [ttl 1]
19:41:29.786000 217.77.34.162.2090 > 226.210.233.101.1434:  udp 376 [ttl 1]
19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434:  udp 376 [ttl 1]
19:41:30.120437 217.77.34.162.2090 > 234.221.95.51.1434:  udp 376 [ttl 1]
19:41:30.449589 217.77.34.162.2090 > 226.53.242.62.1434:  udp 376 [ttl 1]
19:41:30.556784 217.77.34.162.2090 > 234.225.213.78.1434:  udp 376 [ttl 1]
19:41:30.563271 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:30.683433 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:30.773817 217.77.34.162.2090 > 226.95.50.32.1434:  udp 376 [ttl 1]
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain:  6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:30.884041 217.77.34.162.2090 > 234.111.203.166.1434:  udp 376 [ttl 1]
19:41:31.212205 217.77.34.162.2090 > 234.209.110.68.1434:  udp 376 [ttl 1]
19:41:31.321424 www.easynet.no.domain > pooh.kjernsmo.net.39445:  61615 1/2/0 (106) (DF)
19:41:31.429747 217.77.34.162.2090 > 226.20.247.203.1434:  udp 376 [ttl 1]
19:41:31.563113 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:31.648080 217.77.34.162.2090 > 234.191.213.120.1434:  udp 376 [ttl 1]
19:41:31.683087 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:31.755080 217.77.34.162.2090 > 234.234.114.255.1434:  udp 376 [ttl 1]
19:41:31.973809 217.77.34.162.2090 > 226.44.34.125.1434:  udp 376 [ttl 1]
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376 [ttl 1]
19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434:  udp 376 [ttl 1]

M, I don't know what machine 217.77.34.162 is, but I wouldn't be 
surprised if it sits in the same server room as my box... Does this 
tell you anything.


Thanks a lot for the help!

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC



Re: Large, constant incoming traffic

2004-05-13 Thread Michael Borko

Kjetil Kjernsmo wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> 
> Hi all!
> 
> I turn to you with a bit of desperation now. It feels like I'm under 
> some kind of attack. Maybe I've even been compromised. The last few 
> days, I've experienced an insane and constant amount of incoming 
> traffic. I'm not sure how long it has lasted, but I would think 3-4 
> days, and it is constant at 260 kB/s. It varies very little from that 
> number, perhaps down to 255 sometimes, and sometimes up to 265, but 
> essentially, it changes very little over time, at least over an 
> interval of a couple of seconds. 
> 
> And I can't for the life of me figure out where it's coming from... 
> This is what netstat says:
> 
>  [EMAIL PROTECTED]:~> netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:4               0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:53        0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:22        80.213.253.77:32782     ESTABLISHED
> tcp        0      0 217.77.32.186:22        80.213.253.77:33738     ESTABLISHED
> tcp        0    272 217.77.32.186:22        80.213.253.77:32778     ESTABLISHED
> 
> 217.77.32.186 is my server, the machine that is in trouble, and 
> 80.213.253.77 is the current IP of my workstation. There are 
> connections now and then, but nothing unnatural, and nothing that can 
> account for that there aren't variations... 
> 
> 
> Most of the listening ports are actually firewalled off from the world:
> (The 1654 ports scanned but not shown below are in state: filtered)
> PORT    STATE SERVICE
> 4/tcp   open  unknown
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 110/tcp open  pop3



hi kjetil!

please start up tcpdump and/or ethereal and check what kind of packages 
there are going ... and the best would be, to do so on a "probe" in the 
network. if u need help about this, ask!


regards,
mike

--
  _    TGM / it-service
 (o-   A-1200 Wien, Wexstr. 19-23
 //\   tel. +43-1-33126-316   fax. +43-1-33126-154
 v_/   email: [EMAIL PROTECTED]   trap: [EMAIL PROTECTED]



Re: Large, constant incoming traffic

2004-05-13 Thread Robert Jakubowski

The best way to see what is going on is to dump the traffic to a file and
analyse it. Tcpdump and ethereal are great tools for that purpose.
Ethereal will make the job easier and should give you a clue.
If you are afraid the server has been compromised you have to use another
computer to get reliable information. I don't know your network setup and
what you have at disposal. If it is cable/DSL you could connect your
server through a hub, hook up the other computer to the hub and do the
dump (you may have to use a crossover cable between the modem and the
hub).

HTH

Robert J.


Kjetil Kjernsmo said:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi all!
>
> I turn to you with a bit of desperation now. It feels like I'm under
> some kind of attack. Maybe I've even been compromised. The last few
> days, I've experienced an insane and constant amount of incoming
> traffic. I'm not sure how long it has lasted, but I would think 3-4
> days, and it is constant at 260 kB/s. It varies very little from that
> number, perhaps down to 255 sometimes, and sometimes up to 265, but
> essentially, it changes very little over time, at least over an
> interval of a couple of seconds.
>
> And I can't for the life of me figure out where it's coming from...
> This is what netstat says:
>  [EMAIL PROTECTED]:~> netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:4               0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:53        0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:22        80.213.253.77:32782     ESTABLISHED
> tcp        0      0 217.77.32.186:22        80.213.253.77:33738     ESTABLISHED
> tcp        0    272 217.77.32.186:22        80.213.253.77:32778     ESTABLISHED
>
> 217.77.32.186 is my server, the machine that is in trouble, and
> 80.213.253.77 is the current IP of my workstation. There are
> connections now and then, but nothing unnatural, and nothing that can
> account for that there aren't variations...
>
> Most of the listening ports are actually firewalled off from the world:
> (The 1654 ports scanned but not shown below are in state: filtered)
> PORT    STATE SERVICE
> 4/tcp   open  unknown
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 110/tcp open  pop3
>
> (port 4 is SFS, which is in Debian, nmap should perhaps be told...?)
> The filtered ports should drop packets.
>
> In addition to the occasional netstat, I'm looking closely with
> ksysguard. There is a ksysguardd running at the remote machine, which
> is giving me the data. It is all in agreement with what netstat says,
> and the data rate is in agreement too; I have verified it by running
> ifconfig twice 100 seconds apart and comparing the "RX bytes:" entry.
>
> I did a kernel upgrade yesterday, so I have even rebooted the machine,
> and since the reboot, it has according to ifconfig received something
> like 3 GiB of data. In one day... But this makes it likely that there
> isn't a local fault, I think. Also, there is little outgoing traffic.
>
> I have no idea where all those data are going... There is certainly not
> room for them on the hard drive, unless somebody is in the box and is
> deleting stuff, and who has du and df trojanned, but then df shows the
> same as /proc/partitions. I can't see anything abnormal, neither on
> the disks, in the logs, in the connections made to the machine, in the
> process table or anything... But then, I don't really know too much
> about looking... :-)
>
> Since my workstation is the only machine I can see that has a persistent
> connection to the server, I've investigated the possibility that
> something here is causing it. But there is little outgoing traffic
> here, so it seems extremely unlikely.
>
> I think it looks like something is throwing packets at me, and doesn't
> care what happens to them... However, then I would think the packets
> were thrown at an open port, because I would think that since IPtables
> would drop the packets, it would show up in the statistics as dropped,
> and it isn't.
>
> Or, is it possible that the statistics is simply wrong: There are no
> data being thrown at me?
>
> I've briefl

Re: Large, constant incoming traffic

2004-05-13 Thread Kjetil Kjernsmo
On torsdag 13. mai 2004, 20:37, Gian Piero Carrubba wrote:
> Il gio, 2004-05-13 alle 19:53, Kjetil Kjernsmo ha scritto:
>
> [...]
>
> > 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376
> > [ttl 1] 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: 
> > udp 376 [ttl 1]
>
> A switched lan, I see ;)

Hehe, it doesn't mean so much to me right now, but a Google will 
educate... 

> It can be slammer [1] (if so, I guess why the ISP tech is so busy :)

Yeah, it seems consensus about that... 

> As you run snort, the eth is probably in promiscuous mode. I think
> this is the reason you see ifconfig counter increasing (though the
> packets aren't leading to your server). This and a non-switched lan,
> of course.

Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I 
don't think I ever got Snort to work right... :-) 

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Large, constant incoming traffic

2004-05-13 Thread Gian Piero Carrubba
Il gio, 2004-05-13 alle 19:53, Kjetil Kjernsmo ha scritto:

[...]
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434:  udp 376 [ttl 
> 1]

A switched lan, I see ;)
It can be slammer [1] (if so, I guess why the ISP tech is so busy :)
As you run snort, the eth is probably in promiscuous mode. I think this
is the reason you see ifconfig counter increasing (though the packets
aren't leading to your server). This and a non-switched lan, of course.

Ciao,
Gian Piero.

[1]
http://enterprisesecurity.symantec.com/content.cfm?articleid=3261&EID=0


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]



Re: Large, constant incoming traffic

2004-05-13 Thread Kjetil Kjernsmo
On torsdag 13. mai 2004, 20:15, Lars Ellenberg wrote:

> > 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376 [ttl 1]
>
> ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server,
> was infected, and now tries to compromise the world, and its own
> subnet, where you happen to be in.

Oh, I see. But one thing I do not understand, it doesn't seem like this 
traffic is directed at me, since it's not my address that's the 
destination...? Are they routing their traffic through me or something? 

> iirc there has been some worm targeting Microsoft SQL server early
> 2003, maybe it is still active sometimes, maybe there is a new one.

OK. I tried nmap -O 217.77.34.162 but got nothing. I have found that 
they are running IIS on their web server though. And I can't find any 
hosts in that company's netblock. 

>
> you are "safe", but this should show in some "DROP" or "REJECT"
> statistics. have a look at the output of "iptables -vnL"

OK. Very little there... It is not very detailed, since I'm using -P, is 
that a Bad Idea?
This is what it says:
Chain INPUT (policy DROP 157K packets, 10M bytes)
That's still nowhere near the total amount of data I've been getting. 

There's of course a lot more, but nothing that seems relevant. 

BTW, would I have anything to lose by going

iptables -I INPUT -i eth0 -s 217.77.34.162 -j REJECT

> you want to tell the guy responsible for 217.77.34.162, and the
> hostmaster at easynet.no, that they have a compromised machine, and
> should take it offline.

Hm, OK, but I need to feel a little more certain about what's going 
on... Given I find no signs that the machine is actually up, and that I 
still don't understand the traffic pattern, 

> and that you want them to pay for the traffic they are causing you.

Well, it is more the time I've been wasting, I spent almost two full 
days, in a very critical period... But I do not expect to be charged 
for the bandwidth, no... 

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC





Re: Large, constant incoming traffic

2004-05-13 Thread Michel Messerschmidt
On Thu, May 13, 2004 at 07:53:33PM +0200, Kjetil Kjernsmo wrote:
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434:  udp 376 [ttl 1]
> 
> M, I don't know what machine 217.77.34.162 is, but I wouldn't be 
> surprised if it sits in the same server room as my box... Does this 
> tell you anything.

Looks like the SQL/Slammer worm. It targets UDP port 1434 (MS-SQL servers
listen there), consists of single packets that are 376 bytes in size and causes
much traffic.
Seems like the machine at 217.77.34.162 is infected, so not much you can do
to stop this packet flood. May try to contact the server admin and convince
him to reboot and patch the MS-SQL server. Or ask your provider to block
incoming packets on this port for your server.

Some sites with more information about this worm:
http://www.f-secure.com/v-descs/mssqlm.shtml
http://vil.nai.com/vil/content/v_2.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
http://www.viruslist.com/eng/viruslist.html?id=59159


HTH,
Michel
-- 
Michel Messerschmidt   [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg





Re: Large, constant incoming traffic

2004-05-13 Thread Lars Ellenberg
/ 2004-05-13 19:53:33 +0200
\ Kjetil Kjernsmo:
> On torsdag 13. mai 2004, 19:32, Robert Jakubowski wrote:
> > The best way to see what is going on is to dump the traffic to a file
> > and analyse it. Tcpdump and ethereal are great tools for that
> > purpose.
> 
> Great! Reagan Blundell also told me about them offline. 
> 
> > Ethereal will make the job easier and should give you a 
> > clue. If you are afraid the server has been compromised you have to
> > use another computer to get reliable information. I don't know your
> > network setup and what you have at disposal. If it is cable/DSL you
> > could connect your server through a hub, hook up the other computer
> > to the hub and do the dump (you may have to use a crossover cable
> > between the modem and the hub).
> 
> Yup. It's in server hosting at a provider, and I don't have physical 
> access there... So, I have no option but to do it remotely (or perhaps I 
> could if eth0 was promiscuous, but it isn't?).
> 
> Anyway, what I see in tcpdump after filtering out my own ssh traffic, 
> and some DNS traffic (which might have something to do with it, but 
> makes a lot of noise), I see (easynet.no is my provider):
> 
> 19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434:  udp 376 [ttl 1]
> 19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
> 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376 [ttl 1]

ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server,
was infected, and now tries to compromise the world, and its own
subnet, where you happen to be in.

iirc there has been some worm targeting Microsoft SQL server early 2003,
maybe it is still active sometimes, maybe there is a new one.

you are "safe", but this should show in some "DROP" or "REJECT" statistics.
have a look at the output of "iptables -vnL"

you want to tell the guy responsible for 217.77.34.162, and the
hostmaster at easynet.no, that they have a compromised machine, and
should take it offline.
and that you want them to pay for the traffic they are causing you.

Lars Ellenberg





Large, constant incoming traffic

2004-05-13 Thread Kjetil Kjernsmo
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi all!

I turn to you with a bit of desperation now. It feels like I'm under 
some kind of attack. Maybe I've even been compromised. The last few 
days, I've experienced an insane and constant amount of incoming 
traffic. I'm not sure how long it has lasted, but I would think 3-4 
days, and it is constant at 260 kB/s. It varies very little from that 
number, perhaps down to 255 sometimes, and sometimes up to 265, but 
essentially, it changes very little over time, at least over an 
interval of a couple of seconds. 

And I can't for the life of me figure out where it's coming from... 
This is what netstat says:
 [EMAIL PROTECTED]:~> netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State
tcp        0      0 0.0.0.0:32771          0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:4              0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:32772          0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:110            0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:783          0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:111            0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:80             0.0.0.0:*              LISTEN
tcp        0      0 217.77.32.186:53       0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:53           0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:5432           0.0.0.0:*              LISTEN
tcp        0      0 0.0.0.0:25             0.0.0.0:*              LISTEN
tcp        0      0 127.0.0.1:953          0.0.0.0:*              LISTEN
tcp        0      0 217.77.32.186:22       80.213.253.77:32782    ESTABLISHED
tcp        0      0 217.77.32.186:22       80.213.253.77:33738    ESTABLISHED
tcp        0    272 217.77.32.186:22       80.213.253.77:32778    ESTABLISHED

217.77.32.186 is my server, the machine that is in trouble, and 
80.213.253.77 is the current IP of my workstation. There are 
connections now and then, but nothing unnatural, and nothing that can 
account for that there aren't variations... 

Most of the listening ports are actually firewalled off from the world:
(The 1654 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
4/tcp   open  unknown
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3

(port 4 is SFS, which is in Debian, nmap should perhaps be told...?) 
The filtered ports should drop packets. 

In addition to the occasional netstat, I'm looking closely with 
ksysguard. There is a ksysguardd running at the remote machine, which 
is giving me the data. It is all in agreement with what netstat says, 
and the data rate is in agreement too, I have verified it by going 
ifconfig twice 100 seconds apart and compare the "RX bytes:" entry.

I did a kernel upgrade yesterday, so I have even rebooted the machine, 
and since the reboot, it has according to ifconfig received something 
like 3 GiB of data. In one day... But this makes it likely that there 
isn't a local fault, I think. Also, there is little outgoing traffic.

I have no idea where all those data are going... There is certainly not 
room for them on the hard drive, unless somebody is in the box and is 
deleting stuff, and who has du and df trojanned, but then df shows the 
same as /proc/partitions. I can't see anything abnormal, neither on 
the disks, in the logs, in the connections made to the machine, in the 
process table or anything... But then, I don't really know too much 
about looking... :-) 

Since my workstation is the only machine I can see that has a persistent 
connection to the server, I've investigated the possibility that 
something here is causing it. But there is little outgoing traffic 
here, so it seems extremely unlikely. 

I think it looks like something is throwing packets at me, and doesn't 
care what happens to them... However, then I would think the packets 
were thrown at an open port, because I would think that since IPtables 
would drop the packets, it would show up in the statistics as dropped, 
and it isn't.

Or, is it possible that the statistics is simply wrong: There are no 
data being thrown at me? 

I've briefly talked with my hosting company, and they've got a good 
Linux guy there, but he was too busy to help me now. If I haven't 
already, I'm afraid I'll hit my 10 GB/month quota very soon now. I 
really don't want that to happen, especially if it isn't my fault that 
this is happening. 

I run AIDE, and I run chkrootkit occasionally. I've gone through the 
auto-setup of a backport of Snort, but it has never actually told me 
anything, so I suppose it isn't really configured. I'm trying a Nessus 
attack against the poor box now, but it is very slow... 

Thanks for reading this far, and, well, your ideas on what I can do 
would be much appreciated. 

Best,

Kjetil
- -- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski

Re: Large, constant incoming traffic

2004-05-13 Thread Kjetil Kjernsmo
On torsdag 13. mai 2004, 19:32, Robert Jakubowski wrote:
> The best way to see what is going on is to dump the traffic to a file
> and analyse it. Tcpdump and ethereal are great tools for that
> purpose.

Great! Reagan Blundell also told me about them offline. 

> Ethereal will make the job easier and should give you a 
> clue. If you are afraid the server has been compromised you have to
> use another computer to get reliable information. I don't know your
> network setup and what you have at disposal. If it is cable/DSL you
> could connect your server through a hub, hook up the other computer
> to the hub and do the dump (you may have to use a crossover cable
> between the modem and the hub).

Yup. It's in server hosting at a provider, and I don't have physical 
access there... So, I have no option but to do it remotely (or perhaps I 
could if eth0 was promiscuous, but it isn't?).

Anyway, what I see in tcpdump after filtering out my own ssh traffic, 
and some DNS traffic (which might have something to do with it, but 
makes a lot of noise), I see (easynet.no is my provider):

19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434:  udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376 [ttl 1]
19:41:29.786000 217.77.34.162.2090 > 226.210.233.101.1434:  udp 376 [ttl 1]
19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434:  udp 376 [ttl 1]
19:41:30.120437 217.77.34.162.2090 > 234.221.95.51.1434:  udp 376 [ttl 1]
19:41:30.449589 217.77.34.162.2090 > 226.53.242.62.1434:  udp 376 [ttl 1]
19:41:30.556784 217.77.34.162.2090 > 234.225.213.78.1434:  udp 376 [ttl 1]
19:41:30.563271 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:30.683433 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:30.773817 217.77.34.162.2090 > 226.95.50.32.1434:  udp 376 [ttl 1]
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain:  6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:30.884041 217.77.34.162.2090 > 234.111.203.166.1434:  udp 376 [ttl 1]
19:41:31.212205 217.77.34.162.2090 > 234.209.110.68.1434:  udp 376 [ttl 1]
19:41:31.321424 www.easynet.no.domain > pooh.kjernsmo.net.39445:  61615 1/2/0 (106) (DF)
19:41:31.429747 217.77.34.162.2090 > 226.20.247.203.1434:  udp 376 [ttl 1]
19:41:31.563113 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:31.648080 217.77.34.162.2090 > 234.191.213.120.1434:  udp 376 [ttl 1]
19:41:31.683087 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:31.755080 217.77.34.162.2090 > 234.234.114.255.1434:  udp 376 [ttl 1]
19:41:31.973809 217.77.34.162.2090 > 226.44.34.125.1434:  udp 376 [ttl 1]
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376 [ttl 1]
19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434:  udp 376 [ttl 1]

M, I don't know what machine 217.77.34.162 is, but I wouldn't be 
surprised if it sits in the same server room as my box... Does this 
tell you anything?


Thanks a lot for the help!

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED]  [EMAIL PROTECTED]  [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
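Added example (my code, not anything posted in the thread): a small triage script over tcpdump summary lines of the kind quoted above, which picks out what Michel describes as the Slammer signature, single 376-byte UDP datagrams to port 1434, groups them per source and counts how many destinations fall in 224.0.0.0/4. That addresses Kjetil's puzzle of traffic that is not addressed to him yet shows up in his interface counters: the 226.x and 234.x destinations in the capture are multicast addresses, which a switch floods to every port, so the frames reach the NIC without ever being delivered to (or dropped by) the host's own INPUT chain. The sample capture is constructed after the one above; 198.51.100.7 and 192.0.2.x are documentation addresses, not hosts from the thread.

```python
"""Triage tcpdump 3.x summary lines for SQL Slammer-style traffic.
Added example; the constructed SAMPLE_CAPTURE below stands in for a real capture.
"""
import ipaddress
import re
from collections import defaultdict

# tcpdump 3.x UDP summary line, e.g.
# 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376 [ttl 1]
UDP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+udp\s+(?P<len>\d+)"
)

SLAMMER_PORT = 1434   # MS-SQL Server Resolution Service
SLAMMER_LEN = 376     # UDP payload length of the worm datagram
# Bytes on the wire per worm datagram: payload + UDP + IPv4 + Ethernet headers.
WIRE_BYTES = SLAMMER_LEN + 8 + 20 + 14


def parse_udp(line):
    """Return (src, dst, dport, payload_len) for a UDP summary line, else None.
    ARP, DNS (tcpdump prints hostnames there) and TCP lines do not match."""
    m = UDP_LINE.match(line.strip())
    if m is None:
        return None
    return m["src"], m["dst"], int(m["dport"]), int(m["len"])


def is_multicast(ip):
    """True for 224.0.0.0/4; a switch floods such frames to every port."""
    return ipaddress.ip_address(ip).is_multicast


def frames_per_second(bytes_per_second):
    """Worm datagrams per second needed to account for an observed byte rate."""
    return round(bytes_per_second / WIRE_BYTES)


def triage(lines, min_packets=3):
    """Group Slammer-shaped datagrams by source address.
    Returns {src: {"packets": n, "unique_dst": n, "multicast_dst": n}} for
    every source that sent at least min_packets such datagrams. The worm picks
    destinations at random, so one source spraying many different addresses
    (some of them multicast) is the tell-tale; a lone packet is not reported."""
    per_src = defaultdict(lambda: {"packets": 0, "dsts": set(), "mc": 0})
    for line in lines:
        parsed = parse_udp(line)
        if parsed is None:
            continue
        src, dst, dport, length = parsed
        if dport != SLAMMER_PORT or length != SLAMMER_LEN:
            continue
        entry = per_src[src]
        entry["packets"] += 1
        entry["dsts"].add(dst)
        if is_multicast(dst):
            entry["mc"] += 1
    return {
        src: {"packets": e["packets"], "unique_dst": len(e["dsts"]),
              "multicast_dst": e["mc"]}
        for src, e in per_src.items() if e["packets"] >= min_packets
    }


# Constructed sample after the capture in the thread: one spraying source,
# ARP/DNS noise, one lone worm-sized packet from another host, one unrelated datagram.
SAMPLE_CAPTURE = """\
19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434:  udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376 [ttl 1]
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain:  6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:31.429747 217.77.34.162.2090 > 226.20.247.203.1434:  udp 376 [ttl 1]
19:41:31.648080 217.77.34.162.2090 > 198.51.100.7.1434:  udp 376 [ttl 1]
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434:  udp 376 [ttl 1]
19:41:32.100000 192.0.2.9.5353 > 226.58.55.41.1434:  udp 376 [ttl 1]
19:41:32.200000 192.0.2.10.40000 > 192.0.2.53.53:  udp 40 [ttl 64]
"""

if __name__ == "__main__":
    for src, info in triage(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{src}: {info['packets']} worm-sized datagrams to udp/1434, "
              f"{info['unique_dst']} destinations, {info['multicast_dst']} multicast")
    print(f"260 kB/s would be about {frames_per_second(260_000)} datagrams/s")
```

Feed it `tcpdump -n udp port 1434` output instead of the sample to run it against a live capture; a source with many distinct destinations is the one to report to its owner and hostmaster.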





Re: Large, constant incoming traffic

2004-05-13 Thread Michael Borko
Kjetil Kjernsmo wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
> Hi all!
> 
> I turn to you with a bit of desperation now. It feels like I'm under 
> some kind of attack. Maybe I've even been compromised. The last few 
> days, I've experienced an insane and constant amount of incoming 
> traffic. I'm not sure how long it has lasted, but I would think 3-4 
> days, and it is constant at 260 kB/s. It varies very little from that 
> number, perhaps down to 255 sometimes, and sometimes up to 265, but 
> essentially, it changes very little over time, at least over an 
> interval of a couple of seconds. 
> 
> And I can't for the life of me figure out where it's coming from... 
> This is what netstat says:
>  [EMAIL PROTECTED]:~> netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address          Foreign Address        State
> tcp        0      0 0.0.0.0:32771          0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:4              0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:32772          0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:110            0.0.0.0:*              LISTEN
> tcp        0      0 127.0.0.1:783          0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:111            0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:80             0.0.0.0:*              LISTEN
> tcp        0      0 217.77.32.186:53       0.0.0.0:*              LISTEN
> tcp        0      0 127.0.0.1:53           0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:5432           0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:25             0.0.0.0:*              LISTEN
> tcp        0      0 127.0.0.1:953          0.0.0.0:*              LISTEN
> tcp        0      0 217.77.32.186:22       80.213.253.77:32782    ESTABLISHED
> tcp        0      0 217.77.32.186:22       80.213.253.77:33738    ESTABLISHED
> tcp        0    272 217.77.32.186:22       80.213.253.77:32778    ESTABLISHED
> 
> 217.77.32.186 is my server, the machine that is in trouble, and 
> 80.213.253.77 is the current IP of my workstation. There are 
> connections now and then, but nothing unnatural, and nothing that can 
> account for that there aren't variations... 
> 
> Most of the listening ports are actually firewalled off from the world:
> (The 1654 ports scanned but not shown below are in state: filtered)
> PORT    STATE SERVICE
> 4/tcp   open  unknown
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 110/tcp open  pop3

hi kjetil!

please start up tcpdump and/or ethereal and check what kind of packages 
there are going ... and the best would be, to do so on a "probe" in the 
network. if u need help about this, ask!

regards,
mike
--
 TGM / it-service
 A-1200 Wien, Wexstr. 19-23
 tel. +43-1-33126-316   fax. +43-1-33126-154
 email: [EMAIL PROTECTED]   trap: [EMAIL PROTECTED]


Re: Large, constant incoming traffic

2004-05-13 Thread Robert Jakubowski

The best way to see what is going on is to dump the traffic to a file and
analyse it. Tcpdump and ethereal are great tools for that purpose.
Ethereal will make the job easier and should give you a clue.
If you are afraid the server has been compromised you have to use another
computer to get reliable information. I don't know your network setup and
what you have at disposal. If it is cable/DSL you could connect your
server through a hub, hook up the other computer to the hub and do the
dump (you may have to use a crossover cable between the modem and the
hub).

HTH

Robert J.


Kjetil Kjernsmo said:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi all!
>
> I turn to you with a bit of desperation now. It feels like I'm under
> some kind of attack. Maybe I've even been compromised. The last few
> days, I've experienced an insane and constant amount of incoming
> traffic. I'm not sure how long it has lasted, but I would think 3-4
> days, and it is constant at 260 kB/s. It varies very little from that
> number, perhaps down to 255 sometimes, and sometimes up to 265, but
> essentially, it changes very little over time, at least over an
> interval of a couple of seconds.
>
> And I can't for the life of me figure out where it's coming from...
> This is what netstat says:
>  [EMAIL PROTECTED]:~> netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address          Foreign Address        State
> tcp        0      0 0.0.0.0:32771          0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:4              0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:32772          0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:110            0.0.0.0:*              LISTEN
> tcp        0      0 127.0.0.1:783          0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:111            0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:80             0.0.0.0:*              LISTEN
> tcp        0      0 217.77.32.186:53       0.0.0.0:*              LISTEN
> tcp        0      0 127.0.0.1:53           0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:22             0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:5432           0.0.0.0:*              LISTEN
> tcp        0      0 0.0.0.0:25             0.0.0.0:*              LISTEN
> tcp        0      0 127.0.0.1:953          0.0.0.0:*              LISTEN
> tcp        0      0 217.77.32.186:22       80.213.253.77:32782    ESTABLISHED
> tcp        0      0 217.77.32.186:22       80.213.253.77:33738    ESTABLISHED
> tcp        0    272 217.77.32.186:22       80.213.253.77:32778    ESTABLISHED
>
> 217.77.32.186 is my server, the machine that is in trouble, and
> 80.213.253.77 is the current IP of my workstation. There are
> connections now and then, but nothing unnatural, and nothing that can
> account for that there aren't variations...
>
> Most of the listening ports are actually firewalled off from the world:
> (The 1654 ports scanned but not shown below are in state: filtered)
> PORT    STATE SERVICE
> 4/tcp   open  unknown
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 110/tcp open  pop3
>
> (port 4 is SFS, which is in Debian, nmap should perhaps be told...?)
> The filtered ports should drop packets.
>
> In addition to the occasional netstat, I'm looking closely with
> ksysguard. There is a ksysguardd running at the remote machine, which
> is giving me the data. It is all in agreement with what netstat says,
> and the data rate is in agreement too, I have verified it by going
> ifconfig twice 100 seconds apart and compare the "RX bytes:" entry.
>
> I did a kernel upgrade yesterday, so I have even rebooted the machine,
> and since the reboot, it has according to ifconfig received something
> like 3 GiB of data. In one day... But this makes it likely that there
> isn't a local fault, I think. Also, there is little outgoing traffic.
>
> I have no idea where all those data are going... There is certainly not
> room for them on the hard drive, unless somebody is in the box and is
> deleting stuff, and who has du and df trojanned, but then df shows the
> same as /proc/partitions. I can't see anything abnormal, neither on
> the disks, in the logs, in the connections made to the machine, in the
> process table or anything... But then, I don't really know too much
> about looking... :-)
>
> Since my workstation is the only machine I can see that has a persistent
> connection to the server, I've investigated the possibility that
> something here is causing it. But there is little outgoing traffic
> here, so it seems extremely unlikely.
>
> I think it looks like something is throwing packets at me, and doesn't
> care what happens to them... However, then I would think the packets
> were thrown at an open port, because I would think that since IPtables
> would drop the packets, it would show up in the statistics as dropped,
> and it isn't.
>
> Or, is it possible that the statistics is simply wrong: There are no
> data being thrown at me?
>
> I've briefl
