Looks like someone is using you to attack those sites' webservers. They probably dropped some little scriptie in your /tmp that's doing this. Look in your process tree and look in /tmp and see if you can find anything.
Jason

On Sun, Jan 21, 2007 at 08:15:20PM -0500, MG wrote:
> [EMAIL PROTECTED] wrote:
>
> >We need more details. Are you by any chance using your school's DNS server
> >for DNS?
> >
> Just checked back again - sorry about the delay. Not that I know of -
> the router address is specified in the DNS tab in the network settings
> utility, so I think it's using RoadRunner supplied DNSs.
>
> >SYN from where? To where? What port(s)?
> >
> This is the event log:
>
> Description           Count  Last Occurence            Target                              Source
> IP Fragmented Packet  4      FRI JAN 19 14:23:49 2007  me.athome.on.XP:26219               my.schools.name.server.Ithink:20375
> LAN-side SYN Flood    1      FRI JAN 19 15:26:29 2007  some.atl.addr.31:80                 me.athome.on.XP:1667
> SYN Flood             1      FRI JAN 19 15:26:29 2007  me.athome.on.XP:1666                some.atl.addr.31:80
> LAN-side SYN Flood    1      FRI JAN 19 17:13:27 2007  different.schools.server.addr:80    me.athome.on.Debian:3744
> SYN Flood             1      FRI JAN 19 17:13:27 2007  me.athome.on.Debian:3745            different.schools.server.addr:80
> LAN-side SYN Flood    6      FRI JAN 19 17:13:42 2007  different.schools.server.addr:80    me.athome.on.Debian:3753
>
> >etc.
> >
> >Jason
> >
> I had the XP and Debian boxes up originally, then when I noticed this
> going on, took the XP off the network and it jumped to the Debian box.
>
> Today, it's just 124 IP Fragmented Packets from my school's server to my
> XP box.
>
> Thanks -
>
> MG
>
> >On Fri, Jan 19, 2007 at 11:01:57PM -0500, MG wrote:
> >
> >>Hello, all,
> >>
> >>I'm new here <waves> and just came across something fairly scary. My
> >>home router shows something called an IP Fragmented Packet *from my
> >>school's DNS server*, then there's a series of LAN-side SYN Flood, then
> >>just plain SYN Flood, events to and from my [innocent, I swear!]
> >>router's IP to some address in Atlanta, back from Atlanta, then to a
> >>rival school's IP address here.
> >>
> >>My systems are XP and Debian 2.6 - when I shut down the XP, it jumped to
> >>the Debian. Can anyone clue me into wth's going on?
> >>
> >>Many thanks -
> >>
> >>MG
> >>--
> >>TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> >>TriLUG Organizational FAQ : http://trilug.org/faq/
> >>TriLUG Member Services FAQ : http://members.trilug.org/services_faq/

--
================================================
| Jason Welsh   [EMAIL PROTECTED]              |
| http://monsterjam.org  DSS PGP: 0x5E30CC98   |
| gpg key: http://monsterjam.org/gpg/          |
================================================
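
The check suggested at the top of this message (process tree plus /tmp), as an added example that is not part of the original thread: it walks /proc on the Debian box and flags processes whose binary, working directory or command line points into a world-writable scratch directory. The function name `suspect_procs`, its optional proc-root argument and the directory list (/tmp, /var/tmp, /dev/shm) are assumptions made for this sketch.

```sh
#!/bin/sh
# Added example (not from the thread). Hypothetical helper:
#   suspect_procs [PROC_ROOT]
# Prints one line per hit: PID <TAB> reason <TAB> path-or-command.
# PROC_ROOT defaults to /proc; the argument only exists so the logic can
# be run against a constructed tree. Run as root to see every process.
suspect_procs() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # readlink fails for kernel threads and for processes we may not
        # inspect; treat those as "unknown" rather than aborting.
        exe=$(readlink "$dir/exe" 2>/dev/null) || exe=
        cwd=$(readlink "$dir/cwd" 2>/dev/null) || cwd=
        cmd=
        if [ -r "$dir/cmdline" ]; then
            # cmdline is NUL-separated; make it space-separated for matching
            cmd=$(tr '\0' ' ' < "$dir/cmdline") || cmd=
        fi
        case $exe in
            # Binary unlinked after start. Also happens after package
            # upgrades, so treat it as a lead, not proof.
            *" (deleted)")
                printf '%s\texe-deleted\t%s\n' "$pid" "$exe" ;;
            /tmp/*|/var/tmp/*|/dev/shm/*)
                printf '%s\texe-in-tmp\t%s\n' "$pid" "$exe" ;;
        esac
        # Scripts run through an interpreter (perl /tmp/x.pl) keep a normal
        # exe, so the command line has to be checked as well.
        case " $cmd" in
            *" /tmp/"*|*" /var/tmp/"*|*" /dev/shm/"*)
                printf '%s\tcmd-in-tmp\t%s\n' "$pid" "$cmd" ;;
        esac
        case $cwd in
            /tmp|/tmp/*|/var/tmp|/var/tmp/*|/dev/shm|/dev/shm/*)
                printf '%s\tcwd-in-tmp\t%s\n' "$pid" "$cwd" ;;
        esac
    done
}

suspect_procs "$@"
```

Any PID it prints is worth following up with `ps -fp PID` and a look at the file itself before killing anything, so the evidence is still there to examine.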
