This is a problem with v5.6 running a small family network on a cable modem connection.
In the process of troubleshooting a problem with dansguardian, I looked at my squid logs and found some really odd entries -- and it looks to me like someone is using my network to surf (and probably do other stuff as well). Here's an example:
2003.9.14 1:54:10 67.17.16.10 - http://www.google.com/search?as_q=course+golf+milpitas&num=100&hl=en&ie=UTF-8&oe=UTF-8&btnG=Google+Search&as_epq=&as_oq=&as_eq=&lr=&as_ft=i&as_filetype=&as_qdr=all&as_occt=any&as_dt=i&as_sitesearch=&safe=images GET 92935
The IP 67.17.16.10 is not in the range of internal ips (192.168.235.x) on my LAN, so I decided that SOMETHING STRANGE was going on.
There are several entries with this IP, some a LOT more nasty than golf courses. I have added the two IPs to the blocked IP list on dansguardian, so they are getting blocked. But obviously there's a vulnerability that is getting exploited that I need to close.
I have a fairly standard v5.6 with several of the typical addons: update panel, user panels, antivirus (clamav & amavis-ng), spamassassin, dansguardian, port opening, portforwarding, portscan, pop-email, bandwidth limiting, SARG, printerqueue...
I am also suspicious that one of my kids downloaded some kind of trojan that is using his/her computer for this attack -- my daughter recently downloaded "incredimail" which has some security issues, for example. I have disconnected my son's PC from the network (he has it so screwed up I'm going to have to reinitialize the hard drive). The "attacks" have persisted, so I may disconnect my daughter's computer as well. (Of course it COULDN'T be my iMac OS X....)
I checked the "last" command and I am the only user to access the ssh connection. So I'm a bit confused....
Rgds
Ed
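The check Ed did by eye (spotting a client address in the proxy log that is not in the 192.168.235.x range) is easy to automate, and doing so over the whole log shows how many outside addresses are using the proxy and how often. The script below is an added example, not code from the original post or from squid/dansguardian. It assumes the field order seen in the single entry quoted above (date, time, client IP, user, URL, method, bytes); the sample log lines are constructed, with only the first one taken from the post.

```python
# Added example (not from the original post): flag proxy/filter log entries whose
# client address is outside the LAN, so open-proxy abuse like the case described
# above shows up without reading the log by hand.
# Assumed field order (based on the one entry quoted in the post):
#   date time client-ip user url method bytes
import ipaddress
import re
from collections import Counter

# The internal range named in the post.
INTERNAL_NETS = [ipaddress.ip_network("192.168.235.0/24")]

LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<client>\S+)\s+(?P<user>\S+)\s+"
    r"(?P<url>\S+)\s+(?P<method>[A-Z]+)\s+(?P<size>\d+)"
)

# Constructed sample log: the first line is the entry quoted in the post (URL
# shortened); the rest are made up to show normal LAN traffic and a bad line.
SAMPLE_LOG = """\
2003.9.14 1:54:10 67.17.16.10 - http://www.google.com/search?as_q=course+golf+milpitas&num=100 GET 92935
2003.9.14 1:55:02 192.168.235.12 - http://www.example.com/ GET 5120
2003.9.14 1:56:40 67.17.16.10 - http://www.example.net/page.html GET 2048
2003.9.14 1:57:01 192.168.235.7 - http://www.example.org/ POST 300
this line is garbage and should be skipped
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["client"] = ipaddress.ip_address(rec["client"])
    except ValueError:
        # Something that is not an IP address in the client column: skip it.
        return None
    rec["size"] = int(rec["size"])
    return rec


def is_internal(addr):
    """True if addr (string or ip_address) falls inside one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in INTERNAL_NETS)


def find_external_clients(log_text):
    """Count requests per client address that is NOT in the internal LAN range.

    Returns a Counter keyed by the address as a string; an empty Counter means
    every parsed request came from the LAN.
    """
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not is_internal(rec["client"]):
            hits[str(rec["client"])] += 1
    return hits


if __name__ == "__main__":
    # On a real box: find_external_clients(open("/path/to/access.log").read())
    for ip, n in find_external_clients(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} request(s) from outside the LAN")
```

Run against the real access log, any address this prints is a client the proxy or filter accepted from outside the LAN, which is the thing to fix at the listener (bind the proxy to the internal interface only and restrict the source range in its ACLs) rather than one address at a time in a block list.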