Re: Large, constant incoming traffic
On Tuesday 18 May 2004, 14:17, Javier Fernández-Sanguino Peña wrote:
> On Thu, May 13, 2004 at 09:02:45PM +0200, Kjetil Kjernsmo wrote:
> > Hm, chkrootkit says that eth0 is not promiscuous... And as I said,
> > I don't think I ever got Snort to work right... :-)
>
> Are you sure that's not a bug in chkrootkit (false negative)?

No idea! :-)

> It seems that chkrootkit (since 0.42b-1) fixed this, from the
> changelog: * ifpromisc now parses /proc/net/packet so that it can
> provide better diagnostics. (forwarded patch upstream) (closes:
> #214990)
>
> But you would not see that if you are running stable (no backports)
> and linux 2.4

I'm using a backport of chkrootkit, specifically Norbert's, it says:
chkrootkit version 0.43

But for all I know "better diagnostics" doesn't really imply that it can't be a false negative...

BTW, the traffic has just ceased, so my ISP has apparently been able to pin it down. I have sent them a message asking what happened, but haven't got a response. I really feel like sending the people responsible for this machine an invoice for two days of consultancy, that's the real cost for me. People need to realize that damage inflicted on others is also a part of Windows TCO... At least to see what happens.

Cheers,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Large, constant incoming traffic
On Thu, May 13, 2004 at 05:52:36PM +0200, Kjetil Kjernsmo wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all!
>
> I turn to you with a bit of desperation now. It feels like I'm under
(...)
> And I can't for the life of me figure out where it's coming from...
(...)

I know the issue is solved now, but, besides tcpdump and ethereal (mentioned already) you might want to use iptraf or ntop in order to obtain good statistics of the network (by IP address, by port...) and detect the culprit sooner.

Just my 2c.

Javier
Re: Large, constant incoming traffic
On Thu, May 13, 2004 at 09:02:45PM +0200, Kjetil Kjernsmo wrote:
> Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I
> don't think I ever got Snort to work right... :-)

Are you sure that's not a bug in chkrootkit (false negative)?

I introduced a change in Tiger [1] due to chkrootkit's ifpromisc check not properly handling the situation in linux 2.4 and up. From the CVS:

"This only concerns Linux and kernel version 2.4 and up. The ancient "problem" with promiscuous mode detection lies in the fact that the SIOCGIFFLAGS ioctl sets a flag called IFF_PROMISC. This flag is read by ifconfig and, for instance, Chkrootkit's ifpromisc. However, libpcap/libnet applications use setsockopt's MR_PACKET_PROMISC, which is a counter. This counter cannot be read by ifconfig nor ifpromisc. The only viable alternative is to rely on the /sbin/ip binary from Alexey Kuznetsov's "iproute2" package."

It seems that chkrootkit (since 0.42b-1) fixed this, from the changelog:

* ifpromisc now parses /proc/net/packet so that it can provide better diagnostics. (forwarded patch upstream) (closes: #214990)

But you would not see that if you are running stable (no backports) and linux 2.4.

Just FYI

Regards

Javier

[1] http://savannah.nongnu.org/cgi-bin/viewcvs/tiger/tiger/scripts/check_known
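Javier's CVS note is the key to the false negative Kjetil worries about: SIOCGIFFLAGS reports IFF_PROMISC only when promiscuous mode was switched on administratively (ifconfig eth0 promisc), while a libpcap sniffer adds a per-socket PACKET_MR_PROMISC membership (the kernel header's name for what the note calls MR_PACKET_PROMISC) that bumps a counter the flag does not reflect. The script below is an added example, not code from chkrootkit, Tiger or anyone in the thread. It does what the quoted changelog entry says the fixed ifpromisc does, parsing /proc/net/packet for running raw ETH_P_ALL sockets, and sets that against the IFF_PROMISC bit so the two answers can be compared per interface. The /proc/net/packet text, the ifindex map and the flags words are constructed samples; read_live() shows where they come from on a real host.

```python
"""Cross-check two views of "is something capturing on this box?" on Linux.

Added example, not code from chkrootkit, Tiger or the thread.  The inputs
are constructed below so it runs offline; read_live() reads the real
/proc/net/packet, /sys/class/net/*/ifindex and /sys/class/net/<if>/flags.
"""
import os

IFF_PROMISC = 0x100   # bit in the interface flags word (linux/if.h)
ETH_P_ALL = 0x0003    # protocol a libpcap sniffer normally binds its socket to
SOCK_RAW = 3          # Type column value for a raw PF_PACKET socket

# Constructed /proc/net/packet contents.  Columns (net/packet/af_packet.c):
#   sk RefCnt Type Proto Iface R Rmem User Inode
# Iface is the kernel ifindex (0 = bound to all interfaces); R = running.
SAMPLE_PROC_NET_PACKET = """\
sk       RefCnt Type Proto  Iface R Rmem   User   Inode
ffff880012345000 3      3    0003   2     1 0      0      18723
ffff880012345800 2      2    0806   2     1 0      0      4411
ffff880012346000 2      3    0003   0     1 0      0      9021
"""
# Constructed ifindex -> name map and flags words (eth0: UP|BROADCAST|MULTICAST, no PROMISC).
SAMPLE_IFINDEX = {1: "lo", 2: "eth0"}
SAMPLE_FLAGS = {"lo": 0x9, "eth0": 0x1003}


def parse_proc_net_packet(text):
    """One dict per PF_PACKET socket; the header line is skipped."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 9:
            continue
        sockets.append({"type": int(f[2]), "proto": int(f[3], 16),
                        "ifindex": int(f[4]), "running": f[5] == "1",
                        "inode": int(f[8])})
    return sockets


def capture_sockets(text, ifindex_map):
    """Interfaces with a running raw ETH_P_ALL socket -> list of socket inodes."""
    hits = {}
    for s in parse_proc_net_packet(text):
        if s["type"] == SOCK_RAW and s["proto"] == ETH_P_ALL and s["running"]:
            if s["ifindex"] == 0:
                name = "any"
            else:
                name = ifindex_map.get(s["ifindex"], "ifindex%d" % s["ifindex"])
            hits.setdefault(name, []).append(s["inode"])
    return hits


def promisc_flag(flags):
    """The ifconfig-style answer: the IFF_PROMISC bit per interface."""
    return {name: bool(word & IFF_PROMISC) for name, word in flags.items()}


def audit(text, ifindex_map, flags):
    """Combine both views into a verdict per interface."""
    sockets = capture_sockets(text, ifindex_map)
    promisc = promisc_flag(flags)
    verdicts = {}
    for iface in sorted(set(sockets) | set(promisc)):
        has_sock, has_flag = iface in sockets, promisc.get(iface, False)
        if iface == "any":
            verdicts[iface] = "capture socket bound to all interfaces"
        elif has_sock and not has_flag:
            verdicts[iface] = "capture socket open, IFF_PROMISC clear"
        elif has_sock:
            verdicts[iface] = "capture socket open, IFF_PROMISC set"
        elif has_flag:
            verdicts[iface] = "IFF_PROMISC set, no capture socket"
        else:
            verdicts[iface] = "clean"
    return verdicts


def read_live():
    """Same audit over the real files; Linux with /sys mounted only."""
    with open("/proc/net/packet") as fh:
        text = fh.read()
    ifindex_map, flags = {}, {}
    for name in os.listdir("/sys/class/net"):
        with open("/sys/class/net/%s/ifindex" % name) as fh:
            ifindex_map[int(fh.read())] = name
        with open("/sys/class/net/%s/flags" % name) as fh:
            flags[name] = int(fh.read(), 16)   # file holds a hex word such as 0x1003
    return audit(text, ifindex_map, flags)


if __name__ == "__main__":
    for iface, verdict in audit(SAMPLE_PROC_NET_PACKET, SAMPLE_IFINDEX, SAMPLE_FLAGS).items():
        print("%-6s %s" % (iface, verdict))
```

The "capture socket open, IFF_PROMISC clear" verdict for eth0 is exactly the case chkrootkit 0.42 and earlier reported as "not promiscuous". Note the caveat in the other direction: a raw ETH_P_ALL socket proves that something is capturing on the interface, not that it asked for promiscuous mode (a sniffer can bind without it), so reconcile a hit with `ip -d link show`, which prints the promiscuity counter, or with the kernel's "device eth0 entered promiscuous mode" log line.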
Re: Large, constant incoming traffic
On Thursday 13 May 2004, 22:10, Florian Weimer wrote:
> * Kjetil Kjernsmo:
> > Oh, I see. But one thing I do not understand, it doesn't seem like
> > this traffic is directed at me, since it's not my address that's
> > the destination...? Are they routing their traffic through me or
> > something?
>
> It's some odd switch-router whose forwarding table is overflowed by
> Slammer, and it switches to broadcast mode. Or something like that.
>
> Have you been able to contact anyone at Easynet?

Yup, I finally had a chat with someone there, but he wasn't the network guy, though. But what he said was that the server had been moved out of their network long ago, and they hadn't really an idea where the box was broadcasting from. Not that I understand it, but I was told to call tomorrow morning and talk with the network guy; he had noticed some abnormal activity, but not seen as much as I had. But we should be able to track it down together.

But I think we've found out what it was, yes! Thanks a lot folks!

Best,

Kjetil
Re: Large, constant incoming traffic
* Kjetil Kjernsmo:
> Oh, I see. But one thing I do not understand, it doesn't seem like this
> traffic is directed at me, since it's not my address that's the
> destination...? Are they routing their traffic through me or something?

It's some odd switch-router whose forwarding table is overflowed by Slammer, and it switches to broadcast mode. Or something like that.

Have you been able to contact anyone at Easynet?

--
Current mail filters: many dial-up/DSL/cable modem hosts, and the following domains: atlas.cz, bigpond.com, di-ve.com, hotmail.com, jumpy.it, libero.it, netscape.net, postino.it, simplesnet.pt, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr, yahoo.com.
Re: Large, constant incoming traffic
On Thursday 13 May 2004, 20:37, Gian Piero Carrubba wrote:
> On Thu, 2004-05-13 at 19:53, Kjetil Kjernsmo wrote:
> > [...]
> > > 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
> > > 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
>
> A switched lan, I see ;)

Hehe, it doesn't mean so much to me right now, but a Google will educate...

> It can be slammer [1] (if so, I guess why the ISP tech is so busy :)

Yeah, it seems consensus about that...

> As you run snort, the eth is probably in promiscuous mode. I think
> this is the reason you see the ifconfig counter increasing (though the
> packets aren't leading to your server). This and a non-switched lan,
> of course.

Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I don't think I ever got Snort to work right... :-)

Cheers,

Kjetil
Re: Large, constant incoming traffic
On Thu, 2004-05-13 at 19:53, Kjetil Kjernsmo wrote:
[...]
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]

A switched lan, I see ;)

It can be slammer [1] (if so, I guess why the ISP tech is so busy :)

As you run snort, the eth is probably in promiscuous mode. I think this is the reason you see the ifconfig counter increasing (though the packets aren't leading to your server). This and a non-switched lan, of course.

Ciao,
Gian Piero.

[1] http://enterprisesecurity.symantec.com/content.cfm?articleid=3261&EID=0
Re: Large, constant incoming traffic
On Thursday 13 May 2004, 20:15, Lars Ellenberg wrote:
> > 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
>
> ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server,
> was infected, and now tries to compromise the world, and its own
> subnet, where you happen to be in.

Oh, I see. But one thing I do not understand, it doesn't seem like this traffic is directed at me, since it's not my address that's the destination...? Are they routing their traffic through me or something?

> iirc there has been some worm targeting Microsoft SQL server early
> 2003, maybe it is still active sometimes, maybe there is a new one.

OK. I tried
nmap -O 217.77.34.162
but got nothing. I have found that they are running IIS on their web server though. And I can't find any hosts in that company's netblock.

> you are "safe", but this should show in some "DROP" or "REJECT"
> statistics. have a look at the output of "iptables -vnL"

OK. Very little there... It is not very detailed, since I'm using -P, is that a Bad Idea? This is what it says:

Chain INPUT (policy DROP 157K packets, 10M bytes)

That's still nowhere near the total amount of data I've been getting. There's of course a lot more, but nothing that seems relevant.

BTW, would I have anything to lose by going
iptables -I INPUT -i eth0 -s 217.77.34.162 -j REJECT

> you want to tell the guy responsible for 217.77.34.162, and the
> hostmaster at easynet.no, that they have a compromised machine, and
> should take it offline.

Hm, OK, but I need to feel a little more certain about what's going on... Given I find no signs that the machine is actually up, and that I still don't understand the traffic pattern,

> and that you want them to pay for the traffic they are causing you.

Well, it is more the time I've been wasting, I spent almost two full days, in a very critical period... But I do not expect to be charged for the bandwidth, no...

Best,

Kjetil
Re: Large, constant incoming traffic
On Thu, May 13, 2004 at 07:53:33PM +0200, Kjetil Kjernsmo wrote:
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
>
> M, I don't know what machine 217.77.34.162 is, but I wouldn't be
> surprised if it sits in the same server room as my box... Does this
> tell you anything.

Looks like the SQL/Slammer worm. It targets UDP port 1434 (MS-SQL servers listen there), consists of single packets that are 376 bytes in size and causes much traffic. Seems like the machine at 217.77.34.162 is infected, so not much you can do to stop this packet flood. May try to contact the server admin and convince him to reboot and patch the MS-SQL server. Or ask your provider to block incoming packets on this port for your server.

Some sites with more information about this worm:
http://www.f-secure.com/v-descs/mssqlm.shtml
http://vil.nai.com/vil/content/v_2.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
http://www.viruslist.com/eng/viruslist.html?id=59159

HTH,
Michel
--
Michel Messerschmidt [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg
Re: Large, constant incoming traffic
/ 2004-05-13 19:53:33 +0200 \ Kjetil Kjernsmo:
> On Thursday 13 May 2004, 19:32, Robert Jakubowski wrote:
> > The best way to see what is going on is to dump the traffic to a file
> > and analyse it. Tcpdump and ethereal are great tools for that
> > purpose.
>
> Great! Reagan Blundell also told me about them offline.
>
> > Ethereal will make the job easier and should give you a
> > clue. If you are afraid the server has been compromised you have to
> > use another computer to get reliable information. I don't know your
> > network setup and what you have at disposal. If it is cable/DSL you
> > could connect your server through a hub, hook up the other computer
> > to the hub and do the dump (you may have to use a crossover cable
> > between the modem and the hub).
>
> Yup. It's in server hosting at a provider, and I don't have physical
> access there... So, I have no option but to do it remotely (or perhaps I
> could if eth0 was promiscuous, but it isn't?).
>
> Anyway, what I see in tcpdump after filtering out my own ssh traffic,
> and some DNS traffic (which might have something to do with it, but
> makes a lot of noise), I see (easynet.no is my provider):
>
> 19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
> 19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
> 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]

ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server, was infected, and now tries to compromise the world, and its own subnet, where you happen to be in.

iirc there has been some worm targeting Microsoft SQL server early 2003, maybe it is still active sometimes, maybe there is a new one.

you are "safe", but this should show in some "DROP" or "REJECT" statistics. have a look at the output of "iptables -vnL"

you want to tell the guy responsible for 217.77.34.162, and the hostmaster at easynet.no, that they have a compromised machine, and should take it offline.

and that you want them to pay for the traffic they are causing you.

Lars Ellenberg
Re: Large, constant incoming traffic
On Thursday 13 May 2004, 19:32, Robert Jakubowski wrote:
> The best way to see what is going on is to dump the traffic to a file
> and analyse it. Tcpdump and ethereal are great tools for that
> purpose.

Great! Reagan Blundell also told me about them offline.

> Ethereal will make the job easier and should give you a
> clue. If you are afraid the server has been compromised you have to
> use another computer to get reliable information. I don't know your
> network setup and what you have at disposal. If it is cable/DSL you
> could connect your server through a hub, hook up the other computer
> to the hub and do the dump (you may have to use a crossover cable
> between the modem and the hub).

Yup. It's in server hosting at a provider, and I don't have physical access there... So, I have no option but to do it remotely (or perhaps I could if eth0 was promiscuous, but it isn't?).

Anyway, what I see in tcpdump after filtering out my own ssh traffic, and some DNS traffic (which might have something to do with it, but makes a lot of noise), I see (easynet.no is my provider):

19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:29.786000 217.77.34.162.2090 > 226.210.233.101.1434: udp 376 [ttl 1]
19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434: udp 376 [ttl 1]
19:41:30.120437 217.77.34.162.2090 > 234.221.95.51.1434: udp 376 [ttl 1]
19:41:30.449589 217.77.34.162.2090 > 226.53.242.62.1434: udp 376 [ttl 1]
19:41:30.556784 217.77.34.162.2090 > 234.225.213.78.1434: udp 376 [ttl 1]
19:41:30.563271 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:30.683433 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:30.773817 217.77.34.162.2090 > 226.95.50.32.1434: udp 376 [ttl 1]
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain: 6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:30.884041 217.77.34.162.2090 > 234.111.203.166.1434: udp 376 [ttl 1]
19:41:31.212205 217.77.34.162.2090 > 234.209.110.68.1434: udp 376 [ttl 1]
19:41:31.321424 www.easynet.no.domain > pooh.kjernsmo.net.39445: 61615 1/2/0 (106) (DF)
19:41:31.429747 217.77.34.162.2090 > 226.20.247.203.1434: udp 376 [ttl 1]
19:41:31.563113 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:31.648080 217.77.34.162.2090 > 234.191.213.120.1434: udp 376 [ttl 1]
19:41:31.683087 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:31.755080 217.77.34.162.2090 > 234.234.114.255.1434: udp 376 [ttl 1]
19:41:31.973809 217.77.34.162.2090 > 226.44.34.125.1434: udp 376 [ttl 1]
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]

M, I don't know what machine 217.77.34.162 is, but I wouldn't be surprised if it sits in the same server room as my box... Does this tell you anything.

Thanks a lot for the help!

Best,

Kjetil
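Michel's two-line description (UDP to port 1434, a single 376-byte datagram) together with the capture above is enough to write a detector for text tcpdump output. What follows is an added example, not code from the thread or from tcpdump/ethereal. Its sample input is the lines Kjetil posted plus one constructed 10.0.0.x packet with a different length, included to show that the port alone is not the signature. Besides counting hits per source it classifies the destinations, which in this capture all lie in 224.0.0.0/4 (IPv4 multicast) and so are never the receiving host's own address, and it estimates bytes on the wire from the timestamps.

```python
"""Pick SQL Slammer-style packets out of tcpdump text output.

Added example; not code from the thread or from any tool mentioned in it.
SAMPLE holds the lines posted in the thread plus one constructed
"10.0.0.5 -> 10.0.0.9" UDP/1434 packet of a different size.  Timestamps
are assumed to fall within one day.
"""
import re
from collections import Counter
from ipaddress import ip_address

SLAMMER_PORT = 1434          # MS-SQL resolution service, the worm's only target port
SLAMMER_UDP_LEN = 376        # UDP payload length the worm is known for
WIRE_OVERHEAD = 8 + 20 + 14  # UDP + IPv4 + Ethernet headers, for a bytes-on-the-wire estimate

# tcpdump 3.x style line: "HH:MM:SS.usec SRC.SPORT > DST.DPORT: udp LEN [ttl N]"
UDP_LINE = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) (\S+)\.(\d+) > (\S+)\.(\d+): udp (\d+)(?: \[ttl (\d+)\])?"
)

SAMPLE = """\
19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:29.786000 217.77.34.162.2090 > 226.210.233.101.1434: udp 376 [ttl 1]
19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434: udp 376 [ttl 1]
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain: 6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:30.884041 217.77.34.162.2090 > 234.111.203.166.1434: udp 376 [ttl 1]
19:41:31.212205 217.77.34.162.2090 > 234.209.110.68.1434: udp 376 [ttl 1]
19:41:31.321424 www.easynet.no.domain > pooh.kjernsmo.net.39445: 61615 1/2/0 (106) (DF)
19:41:31.500000 10.0.0.5.3000 > 10.0.0.9.1434: udp 40
19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
"""


def parse_udp(line):
    """Return a dict for a UDP summary line, None for ARP, DNS and anything else."""
    m = UDP_LINE.match(line)
    if not m:
        return None
    h, mi, s, us = (int(x) for x in m.group(1, 2, 3, 4))
    return {"t": h * 3600 + mi * 60 + s + us / 1e6,
            "src": m.group(5), "sport": int(m.group(6)),
            "dst": m.group(7), "dport": int(m.group(8)),
            "udp_len": int(m.group(9)),
            "ttl": int(m.group(10)) if m.group(10) else None}


def is_slammer_like(pkt):
    """Port and payload length together; port alone would match legitimate SQL traffic."""
    return pkt["dport"] == SLAMMER_PORT and pkt["udp_len"] == SLAMMER_UDP_LEN


def is_multicast(addr):
    """True for 224.0.0.0/4; hostnames (tcpdump without -n) count as not multicast."""
    try:
        return ip_address(addr).is_multicast
    except ValueError:
        return False


def analyse(text):
    """Summarise one tcpdump text dump."""
    pkts = [p for p in (parse_udp(line) for line in text.splitlines()) if p]
    hits = [p for p in pkts if is_slammer_like(p)]
    span = hits[-1]["t"] - hits[0]["t"] if len(hits) > 1 else 0.0
    wire_bytes = len(hits) * (SLAMMER_UDP_LEN + WIRE_OVERHEAD)
    return {"udp_packets": len(pkts),
            "slammer_packets": len(hits),
            "sources": dict(Counter(p["src"] for p in hits)),
            "multicast_dsts": sum(is_multicast(p["dst"]) for p in hits),
            "ttl_one": sum(p["ttl"] == 1 for p in hits),
            "bytes_per_sec": wire_bytes / span if span else 0.0}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE).items():
        print("%-16s %s" % (key, value))
```

On a live box the same text comes from `tcpdump -nn -l udp port 1434` piped into the script; `-nn` suppresses the name lookups that produce the noisy DNS lines in the capture above. Run on the sample it reports one source, 217.77.34.162, with all seven hits going to multicast destinations, and the 40-byte constructed packet is counted as UDP but not as a hit.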
Re: Large, constant incoming traffic
Kjetil Kjernsmo wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all!
>
> I turn to you with a bit of desperation now. It feels like I'm under some kind of attack. Maybe I've even been compromised. The last few days, I've experienced an insane and constant amount of incoming traffic. I'm not sure how long it has lasted, but I would think 3-4 days, and it is constant at 260 kB/s. It varies very little from that number, perhaps down to 255 sometimes, and sometimes up to 265, but essentially, it changes very little over time, at least over an interval of a couple of seconds.
>
> And I can't for the life of me figure out where it's coming from...
>
> This is what netstat says:
> [EMAIL PROTECTED]:~> netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:4               0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:53        0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:22        80.213.253.77:32782     ESTABLISHED
> tcp        0      0 217.77.32.186:22        80.213.253.77:33738     ESTABLISHED
> tcp        0    272 217.77.32.186:22        80.213.253.77:32778     ESTABLISHED
>
> 217.77.32.186 is my server, the machine that is in trouble, and 80.213.253.77 is the current IP of my workstation. There are connections now and then, but nothing unnatural, and nothing that can account for that there aren't variations...
>
> Most of the listening ports are actually firewalled off from the world:
> (The 1654 ports scanned but not shown below are in state: filtered)
> PORT    STATE SERVICE
> 4/tcp   open  unknown
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 110/tcp open  pop3

hi kjetil!

please start up tcpdump and/or ethereal and check what kind of packages there are going ... and the best would be, to do so on a "probe" in the network. if u need help about this, ask!

regards,
mike

--
 _      TGM / it-service
(o      A-1200 Wien, Wexstr. 19-23
//\     tel. +43-1-33126-316   fax. +43-1-33126-154
v_/     email: [EMAIL PROTECTED]   trap: [EMAIL PROTECTED]
Re: Large, constant incoming traffic
The best way to see what is going on is to dump the traffic to a file and analyse it. Tcpdump and ethereal are great tools for that purpose. Ethereal will make the job easier and should give you a clue. If you are afraid the server has been compromised you have to use another computer to get reliable information. I don't know your network setup and what you have at disposal. If it is cable/DSL you could connect your server through a hub, hook up the other computer to the hub and do the dump (you may have to use a crossover cable between the modem and the hub).

HTH
Robert J.

Kjetil Kjernsmo said:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all!
>
> I turn to you with a bit of desperation now. It feels like I'm under some kind of attack. Maybe I've even been compromised. The last few days, I've experienced an insane and constant amount of incoming traffic. I'm not sure how long it has lasted, but I would think 3-4 days, and it is constant at 260 kB/s. It varies very little from that number, perhaps down to 255 sometimes, and sometimes up to 265, but essentially, it changes very little over time, at least over an interval of a couple of seconds.
>
> And I can't for the life of me figure out where it's coming from...
>
> This is what netstat says:
> [EMAIL PROTECTED]:~> netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:4               0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:53        0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:22        80.213.253.77:32782     ESTABLISHED
> tcp        0      0 217.77.32.186:22        80.213.253.77:33738     ESTABLISHED
> tcp        0    272 217.77.32.186:22        80.213.253.77:32778     ESTABLISHED
>
> 217.77.32.186 is my server, the machine that is in trouble, and 80.213.253.77 is the current IP of my workstation. There are connections now and then, but nothing unnatural, and nothing that can account for that there aren't variations...
>
> Most of the listening ports are actually firewalled off from the world:
> (The 1654 ports scanned but not shown below are in state: filtered)
> PORT    STATE SERVICE
> 4/tcp   open  unknown
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 110/tcp open  pop3
>
> (port 4 is SFS, which is in Debian, nmap should perhaps be told...?)
> The filtered ports should drop packets.
>
> In addition to the occasional netstat, I'm looking closely with ksysguard. There is a ksysguardd running at the remote machine, which is giving me the data. It is all in agreement with what netstat says, and the data rate is in agreement too, I have verified it by going ifconfig twice 100 seconds apart and comparing the "RX bytes:" entry.
>
> I did a kernel upgrade yesterday, so I have even rebooted the machine, and since the reboot, it has according to ifconfig received something like 3 GiB of data. In one day... But this makes it likely that there isn't a local fault, I think. Also, there is little outgoing traffic.
>
> I have no idea where all those data are going... There is certainly not room for them on the hard drive, unless somebody is in the box and is deleting stuff, and who has du and df trojanned, but then df shows the same as /proc/partitions. I can't see anything abnormal, neither on the disks, in the logs, in the connections made to the machine, in the process table or anything... But then, I don't really know too much about looking... :-)
>
> Since my workstation is the only machine I can see that has a persistent connection to the server, I've investigated the possibility that something here is causing it. But there is little outgoing traffic here, so it seems extremely unlikely.
>
> I think it looks like something is throwing packets at me, and doesn't care what happens to them... However, then I would think the packets were thrown at an open port, because I would think that since IPtables would drop the packets, it would show up in the statistics as dropped, and it isn't.
>
> Or, is it possible that the statistics are simply wrong: There are no data being thrown at me?
>
> I've briefl
Re: Large, constant incoming traffic
On torsdag 13. mai 2004, 20:37, Gian Piero Carrubba wrote: > Il gio, 2004-05-13 alle 19:53, Kjetil Kjernsmo ha scritto: > > [...] > > > 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 > > [ttl 1] 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: > > udp 376 [ttl 1] > > A switched lan, I see ;) Hehe, it doesn't mean so much to me right now, but a Google will educate... > It can be slammer [1] (if so, I guess why the ISP tech is so busy :) Yeah, it seems consensus about that... > As you run snort, the eth is probably in promiscuous mode. I think > this is the reason you see ifconfig counter increasing (though the > packets aren't leading to your server). This and a non-switched lan, > of course. Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I don't think I ever got Snort to work right... :-) Cheers, Kjetil -- Kjetil Kjernsmo Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer [EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED] Homepage: http://www.kjetil.kjernsmo.net/OpenPGP KeyID: 6A6A0BBC -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Large, constant incoming traffic
Il gio, 2004-05-13 alle 19:53, Kjetil Kjernsmo ha scritto: [...] > 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1] > 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl > 1] A switched lan, I see ;) It can be slammer [1] (if so, I guess why the ISP tech is so busy :) As you run snort, the eth is probably in promiscuous mode. I think this is the reason you see ifconfig counter increasing (though the packets aren't leading to your server). This and a non-switched lan, of course. Ciao, Gian Piero. [1] http://enterprisesecurity.symantec.com/content.cfm?articleid=3261&EID=0 -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: Large, constant incoming traffic
On Thursday 13 May 2004, 20:15, Lars Ellenberg wrote:
> > 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
>
> ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server,
> was infected, and now tries to compromise the world, and its own
> subnet, where you happen to be in.

Oh, I see. But one thing I do not understand: it doesn't seem like this traffic is directed at me, since it's not my address that's the destination...? Are they routing their traffic through me or something?

> iirc there has been some worm targeting Microsoft SQL server early
> 2003, maybe it is still active sometimes, maybe there is a new one.

OK. I tried

  nmap -O 217.77.34.162

but got nothing. I have found that they are running IIS on their web server though. And I can't find any hosts in that company's netblock.

> you are "safe", but this should show in some "DROP" or "REJECT"
> statistics. have a look at the output of "iptables -vnL"

OK. Very little there... It is not very detailed, since I'm using -P, is that a Bad Idea? This is what it says:

  Chain INPUT (policy DROP 157K packets, 10M bytes)

That's still nowhere near the total amount of data I've been getting. There's of course a lot more, but nothing that seems relevant.

BTW, would I have anything to lose by going

  iptables -I INPUT -i eth0 -s 217.77.34.162 -j REJECT

> you want to tell the guy responsible for 217.77.34.162, and the
> hostmaster at easynet.no, that they have a compromised machine, and
> should take it offline.

Hm, OK, but I need to feel a little more certain about what's going on... Given I find no signs that the machine is actually up, and that I still don't understand the traffic pattern,

> and that you want them to pay for the traffic they are causing you.

Well, it is more the time I've been wasting, I spent almost two full days, in a very critical period... But I do not expect to be charged for the bandwidth, no...

Best,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
Re: Large, constant incoming traffic
On Thu, May 13, 2004 at 07:53:33PM +0200, Kjetil Kjernsmo wrote:
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
>
> M, I don't know what machine 217.77.34.162 is, but I wouldn't be
> surprised if it sits in the same server room as my box... Does this
> tell you anything?

Looks like the SQL/Slammer worm. It targets UDP port 1434 (MS-SQL servers listen there), consists of single packets that are 376 bytes in size and causes much traffic.

Seems like the machine at 217.77.34.162 is infected, so not much you can do to stop this packet flood. May try to contact the server admin and convince him to reboot and patch the MS-SQL server. Or ask your provider to block incoming packets on this port for your server.

Some sites with more information about this worm:
http://www.f-secure.com/v-descs/mssqlm.shtml
http://vil.nai.com/vil/content/v_2.htm
http://securityresponse.symantec.com/avcenter/venc/data/w32.sqlexp.worm.html
http://www.viruslist.com/eng/viruslist.html?id=59159

HTH,
Michel
--
Michel Messerschmidt [EMAIL PROTECTED]
antiVirusTestCenter, Computer Science, University of Hamburg
Re: Large, constant incoming traffic
/ 2004-05-13 19:53:33 +0200
\ Kjetil Kjernsmo:
> On Thursday 13 May 2004, 19:32, Robert Jakubowski wrote:
> > The best way to see what is going on is to dump the traffic to a file
> > and analyse it. Tcpdump and ethereal are great tools for that
> > purpose.
>
> Great! Reagan Blundell also told me about them offline.
>
> > Ethereal will make the job easier and should give you a
> > clue. If you are afraid the server has been compromised you have to
> > use another computer to get reliable information. I don't know your
> > network setup and what you have at disposal. If it is cable/DSL you
> > could connect your server through a hub, hook up the other computer
> > to the hub and do the dump (you may have to use a crossover cable
> > between the modem and the hub).
>
> Yup. It's in server hosting at a provider, and I don't have physical
> access there... So, I have no option but to do it remotely (or perhaps I
> could if eth0 was promiscuous, but it isn't?).
>
> Anyway, what I see in tcpdump after filtering out my own ssh traffic,
> and some DNS traffic (which might have something to do with it, but
> makes a lot of noise), I see (easynet.no is my provider):
>
> 19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
> 19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
> 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]

ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server, was infected, and now tries to compromise the world, and its own subnet, where you happen to be in.

iirc there has been some worm targeting Microsoft SQL server early 2003, maybe it is still active sometimes, maybe there is a new one.

you are "safe", but this should show in some "DROP" or "REJECT" statistics. have a look at the output of "iptables -vnL"

you want to tell the guy responsible for 217.77.34.162, and the hostmaster at easynet.no, that they have a compromised machine, and should take it offline.

and that you want them to pay for the traffic they are causing you.

Lars Ellenberg
Large, constant incoming traffic
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all!

I turn to you with a bit of desperation now. It feels like I'm under some kind of attack. Maybe I've even been compromised. The last few days, I've experienced an insane and constant amount of incoming traffic. I'm not sure how long it has lasted, but I would think 3-4 days, and it is constant at 260 kB/s. It varies very little from that number, perhaps down to 255 sometimes, and sometimes up to 265, but essentially, it changes very little over time, at least over an interval of a couple of seconds.

And I can't for the life of me figure out where it's coming from...

This is what netstat says:

[EMAIL PROTECTED]:~> netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:4               0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 217.77.32.186:53        0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 217.77.32.186:22        80.213.253.77:32782     ESTABLISHED
tcp        0      0 217.77.32.186:22        80.213.253.77:33738     ESTABLISHED
tcp        0    272 217.77.32.186:22        80.213.253.77:32778     ESTABLISHED

217.77.32.186 is my server, the machine that is in trouble, and 80.213.253.77 is the current IP of my workstation. There are connections now and then, but nothing unnatural, and nothing that can account for that there aren't variations...

Most of the listening ports are actually firewalled off from the world:

(The 1654 ports scanned but not shown below are in state: filtered)
PORT    STATE SERVICE
4/tcp   open  unknown
22/tcp  open  ssh
25/tcp  open  smtp
80/tcp  open  http
110/tcp open  pop3

(port 4 is SFS, which is in Debian, nmap should perhaps be told...?)

The filtered ports should drop packets.

In addition to the occasional netstat, I'm looking closely with ksysguard. There is a ksysguardd running at the remote machine, which is giving me the data. It is all in agreement with what netstat says, and the data rate is in agreement too, I have verified it by going ifconfig twice 100 seconds apart and comparing the "RX bytes:" entry.

I did a kernel upgrade yesterday, so I have even rebooted the machine, and since the reboot, it has according to ifconfig received something like 3 GiB of data. In one day... But this makes it likely that there isn't a local fault, I think. Also, there is little outgoing traffic.

I have no idea where all those data are going... There is certainly not room for them on the hard drive, unless somebody is in the box and is deleting stuff, and who has du and df trojanned, but then df shows the same as /proc/partitions. I can't see anything abnormal, neither on the disks, in the logs, in the connections made to the machine, in the process table or anything... But then, I don't really know too much about looking... :-)

Since my workstation is the only machine I can see that has a persistent connection to the server, I've investigated the possibility that something here is causing it. But there is little outgoing traffic here, so it seems extremely unlikely.

I think it looks like something is throwing packets at me, and doesn't care what happens to them... However, then I would think the packets were thrown at an open port, because I would think that since IPtables would drop the packets, it would show up in the statistics as dropped, and it isn't.

Or, is it possible that the statistics are simply wrong: There are no data being thrown at me?

I've briefly talked with my hosting company, and they've got a good Linux guy there, but he was too busy to help me now. If I haven't already, I'm afraid I'll hit my 10 GB/month quota very soon now. I really don't want that to happen, especially if it isn't my fault that this is happening.

I run AIDE, and I run chkrootkit occasionally. I've gone through the auto-setup of a backport of Snort, but it has never actually told me anything, so I suppose it isn't really configured. I'm trying a Nessus attack against the poor box now, but it is very slow...

Thanks for reading this far, and, well, your ideas on what I can do would be much appreciated.

Best,

Kjetil
- --
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski
Re: Large, constant incoming traffic
On Thursday 13 May 2004, 19:32, Robert Jakubowski wrote:
> The best way to see what is going on is to dump the traffic to a file
> and analyse it. Tcpdump and ethereal are great tools for that
> purpose.

Great! Reagan Blundell also told me about them offline.

> Ethereal will make the job easier and should give you a
> clue. If you are afraid the server has been compromised you have to
> use another computer to get reliable information. I don't know your
> network setup and what you have at disposal. If it is cable/DSL you
> could connect your server through a hub, hook up the other computer
> to the hub and do the dump (you may have to use a crossover cable
> between the modem and the hub).

Yup. It's in server hosting at a provider, and I don't have physical access there... So, I have no option but to do it remotely (or perhaps I could if eth0 was promiscuous, but it isn't?).

Anyway, what I see in tcpdump after filtering out my own ssh traffic, and some DNS traffic (which might have something to do with it, but makes a lot of noise), I see (easynet.no is my provider):

19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:29.786000 217.77.34.162.2090 > 226.210.233.101.1434: udp 376 [ttl 1]
19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434: udp 376 [ttl 1]
19:41:30.120437 217.77.34.162.2090 > 234.221.95.51.1434: udp 376 [ttl 1]
19:41:30.449589 217.77.34.162.2090 > 226.53.242.62.1434: udp 376 [ttl 1]
19:41:30.556784 217.77.34.162.2090 > 234.225.213.78.1434: udp 376 [ttl 1]
19:41:30.563271 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:30.683433 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:30.773817 217.77.34.162.2090 > 226.95.50.32.1434: udp 376 [ttl 1]
19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain: 6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)
19:41:30.884041 217.77.34.162.2090 > 234.111.203.166.1434: udp 376 [ttl 1]
19:41:31.212205 217.77.34.162.2090 > 234.209.110.68.1434: udp 376 [ttl 1]
19:41:31.321424 www.easynet.no.domain > pooh.kjernsmo.net.39445: 61615 1/2/0 (106) (DF)
19:41:31.429747 217.77.34.162.2090 > 226.20.247.203.1434: udp 376 [ttl 1]
19:41:31.563113 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:31.648080 217.77.34.162.2090 > 234.191.213.120.1434: udp 376 [ttl 1]
19:41:31.683087 arp who-has 217.77.34.95 tell core-1-e3.easynet.no
19:41:31.755080 217.77.34.162.2090 > 234.234.114.255.1434: udp 376 [ttl 1]
19:41:31.973809 217.77.34.162.2090 > 226.44.34.125.1434: udp 376 [ttl 1]
19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]

M, I don't know what machine 217.77.34.162 is, but I wouldn't be surprised if it sits in the same server room as my box... Does this tell you anything?

Thanks a lot for the help!

Best,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
[EMAIL PROTECTED] [EMAIL PROTECTED] [EMAIL PROTECTED]
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
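The Slammer signature Michel gives above (single UDP datagrams, 376-byte payload, destination port 1434) applied to the tcpdump capture in this message, as an added Python example that is not part of the original thread. It parses the classic tcpdump line format, counts matching datagrams per source address, records whether each destination was this host, a multicast group (224.0.0.0/4, which is what the 226.x and 234.x addresses in the capture are) or some other address, and converts the 260 kB/s Kjetil measured into a frame rate. The local address 217.77.32.186 comes from the thread; the two capture lines marked as constructed and all function names are my own.

```python
"""Flag SQL Slammer-style datagrams in tcpdump text output (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set

# Signature from the thread: single UDP datagrams with a 376-byte payload
# sent to port 1434 (the MS-SQL resolution service).
SLAMMER_PORT = 1434
SLAMMER_PAYLOAD = 376
# Wire size of one such datagram: payload + 8 (UDP) + 20 (IPv4) + 14 (Ethernet).
SLAMMER_FRAME_BYTES = SLAMMER_PAYLOAD + 8 + 20 + 14

# Classic tcpdump UDP line, e.g.
# "19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]"
# Lines with hostnames (DNS replies) or ARP never match and are skipped.
UDP_LINE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+):\s+udp\s+(?P<length>\d+)"
)


@dataclass
class SourceStats:
    packets: int = 0
    first_ts: Optional[float] = None
    last_ts: Optional[float] = None
    by_kind: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    destinations: Set[str] = field(default_factory=set)


def _seconds(ts: str) -> float:
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def classify_destination(dst: str, local_addrs: Set[str]) -> str:
    """'local' if addressed to this host, 'multicast' for 224.0.0.0/4, else 'other'."""
    if dst in local_addrs:
        return "local"
    first = int(dst.split(".")[0])
    return "multicast" if 224 <= first <= 239 else "other"


def is_slammer_line(line: str):
    """Return (src, dst, seconds) for a Slammer-style datagram, else None."""
    m = UDP_LINE.match(line.strip())
    if not m:
        return None
    if int(m["dport"]) != SLAMMER_PORT or int(m["length"]) != SLAMMER_PAYLOAD:
        return None
    return m["src"], m["dst"], _seconds(m["ts"])


def analyse(lines: Iterable[str], local_addrs: Set[str]) -> Dict[str, SourceStats]:
    """Aggregate matching datagrams per source address."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        hit = is_slammer_line(line)
        if hit is None:
            continue
        src, dst, t = hit
        s = stats[src]
        s.packets += 1
        s.first_ts = t if s.first_ts is None else min(s.first_ts, t)
        s.last_ts = t if s.last_ts is None else max(s.last_ts, t)
        s.destinations.add(dst)
        s.by_kind[classify_destination(dst, local_addrs)] += 1
    return dict(stats)


def observed_rate(s: SourceStats) -> float:
    """Datagrams per second from one source over the capture window."""
    span = (s.last_ts or 0.0) - (s.first_ts or 0.0)
    return s.packets / span if span > 0 else float(s.packets)


def frames_per_second_for(bytes_per_second: float) -> float:
    """Number of Slammer frames per second needed to fill a given byte rate."""
    return bytes_per_second / SLAMMER_FRAME_BYTES


# Sample capture: lines taken from the thread plus two constructed ones
# (marked) to exercise the local-destination and length-mismatch paths.
SAMPLE_CAPTURE = [
    "19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434: udp 376 [ttl 1]",
    "19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no",
    "19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]",
    "19:41:29.786000 217.77.34.162.2090 > 226.210.233.101.1434: udp 376 [ttl 1]",
    "19:41:30.013227 217.77.34.162.2090 > 226.115.252.196.1434: udp 376 [ttl 1]",
    "19:41:30.800550 pooh.kjernsmo.net.39441 > www.easynet.no.domain: 6695+ PTR? 78.79.65.194.in-addr.arpa. (43) (DF)",
    "19:41:30.884041 217.77.34.162.2090 > 234.111.203.166.1434: udp 376 [ttl 1]",
    # constructed: same signature, but aimed at this host's own address
    "19:41:31.100000 217.77.34.162.2090 > 217.77.32.186.1434: udp 376 [ttl 1]",
    # constructed: port 1434 but wrong size, so not flagged
    "19:41:31.200000 10.0.0.5.5000 > 217.77.32.186.1434: udp 100 [ttl 64]",
    "19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]",
]
LOCAL_ADDRS = {"217.77.32.186"}  # the server address given in the thread

if __name__ == "__main__":
    for src, s in analyse(SAMPLE_CAPTURE, LOCAL_ADDRS).items():
        print(f"{src}: {s.packets} datagrams, {observed_rate(s):.1f}/s, "
              f"destinations={dict(s.by_kind)}")
    print(f"260 kB/s of Slammer frames is about "
          f"{frames_per_second_for(260_000):.0f} frames/s")
```

Run as a script it prints a per-source summary. The destination classification is the check that explains the empty DROP counters Kjetil reports later in the thread: a frame addressed to a multicast group or to another host on the segment is counted in the interface's RX bytes when the card is in promiscuous mode, but it is never delivered to the local stack and so never traverses the INPUT chain. On a real capture the constant 260 kB/s corresponds to roughly 620 such frames per second from the one source, which is the number to quote to the provider.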
Re: Large, constant incoming traffic
Kjetil Kjernsmo wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all!
>
> I turn to you with a bit of desperation now. It feels like I'm under
> some kind of attack. Maybe I've even been compromised. The last few
> days, I've experienced an insane and constant amount of incoming
> traffic. I'm not sure how long it has lasted, but I would think 3-4
> days, and it is constant at 260 kB/s. It varies very little from that
> number, perhaps down to 255 sometimes, and sometimes up to 265, but
> essentially, it changes very little over time, at least over an
> interval of a couple of seconds.
>
> And I can't for the life of me figure out where it's coming from...
>
> This is what netstat says:
>
> [EMAIL PROTECTED]:~> netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:4               0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:53        0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:22        80.213.253.77:32782     ESTABLISHED
> tcp        0      0 217.77.32.186:22        80.213.253.77:33738     ESTABLISHED
> tcp        0    272 217.77.32.186:22        80.213.253.77:32778     ESTABLISHED
>
> 217.77.32.186 is my server, the machine that is in trouble, and
> 80.213.253.77 is the current IP of my workstation. There are
> connections now and then, but nothing unnatural, and nothing that can
> account for that there aren't variations...
>
> Most of the listening ports are actually firewalled off from the world:
>
> (The 1654 ports scanned but not shown below are in state: filtered)
> PORT    STATE SERVICE
> 4/tcp   open  unknown
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 110/tcp open  pop3

hi kjetil!

please start up tcpdump and/or ethereal and check what kind of packets there are going ... and the best would be to do so on a "probe" in the network.

if you need help with this, ask!

regards,
mike
--
 _    TGM / it-service
(o    A-1200 Wien, Wexstr. 19-23
//\   tel. +43-1-33126-316   fax. +43-1-33126-154
v_/   email: [EMAIL PROTECTED]   trap: [EMAIL PROTECTED]
Re: Large, constant incoming traffic
The best way to see what is going on is to dump the traffic to a file and analyse it. Tcpdump and ethereal are great tools for that purpose. Ethereal will make the job easier and should give you a clue. If you are afraid the server has been compromised you have to use another computer to get reliable information. I don't know your network setup and what you have at disposal. If it is cable/DSL you could connect your server through a hub, hook up the other computer to the hub and do the dump (you may have to use a crossover cable between the modem and the hub).

HTH
Robert J.

Kjetil Kjernsmo said:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi all!
>
> I turn to you with a bit of desperation now. It feels like I'm under
> some kind of attack. Maybe I've even been compromised. The last few
> days, I've experienced an insane and constant amount of incoming
> traffic. I'm not sure how long it has lasted, but I would think 3-4
> days, and it is constant at 260 kB/s. It varies very little from that
> number, perhaps down to 255 sometimes, and sometimes up to 265, but
> essentially, it changes very little over time, at least over an
> interval of a couple of seconds.
>
> And I can't for the life of me figure out where it's coming from...
>
> This is what netstat says:
>
> [EMAIL PROTECTED]:~> netstat -tan
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:4               0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:53        0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
> tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
> tcp        0      0 217.77.32.186:22        80.213.253.77:32782     ESTABLISHED
> tcp        0      0 217.77.32.186:22        80.213.253.77:33738     ESTABLISHED
> tcp        0    272 217.77.32.186:22        80.213.253.77:32778     ESTABLISHED
>
> 217.77.32.186 is my server, the machine that is in trouble, and
> 80.213.253.77 is the current IP of my workstation. There are
> connections now and then, but nothing unnatural, and nothing that can
> account for that there aren't variations...
>
> Most of the listening ports are actually firewalled off from the world:
>
> (The 1654 ports scanned but not shown below are in state: filtered)
> PORT    STATE SERVICE
> 4/tcp   open  unknown
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 80/tcp  open  http
> 110/tcp open  pop3
>
> (port 4 is SFS, which is in Debian, nmap should perhaps be told...?)
> The filtered ports should drop packets.
>
> In addition to the occasional netstat, I'm looking closely with
> ksysguard. There is a ksysguardd running at the remote machine, which
> is giving me the data. It is all in agreement with what netstat says,
> and the data rate is in agreement too, I have verified it by going
> ifconfig twice 100 seconds apart and comparing the "RX bytes:" entry.
>
> I did a kernel upgrade yesterday, so I have even rebooted the machine,
> and since the reboot, it has according to ifconfig received something
> like 3 GiB of data. In one day... But this makes it likely that there
> isn't a local fault, I think. Also, there is little outgoing traffic.
>
> I have no idea where all those data are going... There is certainly not
> room for them on the hard drive, unless somebody is in the box and is
> deleting stuff, and who has du and df trojanned, but then df shows the
> same as /proc/partitions. I can't see anything abnormal, neither on
> the disks, in the logs, in the connections made to the machine, in the
> process table or anything... But then, I don't really know too much
> about looking... :-)
>
> Since my workstation is the only machine I can see that has a persistent
> connection to the server, I've investigated the possibility that
> something here is causing it. But there is little outgoing traffic
> here, so it seems extremely unlikely.
>
> I think it looks like something is throwing packets at me, and doesn't
> care what happens to them... However, then I would think the packets
> were thrown at an open port, because I would think that since IPtables
> would drop the packets, it would show up in the statistics as dropped,
> and it isn't.
>
> Or, is it possible that the statistics are simply wrong: There are no
> data being thrown at me?
>
> I've briefl