So... here's an update in case anyone is interested.
A wild guess found me the culprit. Well... not SO wild, it turned out to be the same guy that crashed the file/mail server by filling up the filesystem with almost 2G of MP3 files just last week! This time he was using one of those programs that pay you to surf the internet (please don't ask me, I certainly don't know how it works!) Anyway, I am told that they get paid a penny or something for each link they click on. SO... this joker set up a "BOT" on two of our corporate computers to automatically click from link to link to link... and so on... and so on... and left them running when he went home! Those two BOTS managed to put our ISDN at 100% usage about 5 min after he left and kept it there till Micro$oft boy (boss) and I figured out what was going on and shut them down!
Now for the good part... here are some tips on how to figure out who's online. If anyone else has any better tips etc., PLEASE post them, this is the second time this info would have been utterly useful!
logged in as root, do:
ipchains -M -L
this will give you a short list of whoever is using the IP masquerading at that time. The lines look something like this:
TCP 14:59.99 pc-00155..com
I don't really know what the port information means, but I suspect it is the local and destination ports that are in use. To get the IP address out of this, you take your internal IP range (for example, 192.168.1.???) and plug in the 3 numbers that are just before your domain name (155 in the example line) to get the IP 192.168.1.155. That is the IP of the person who is using masquerading, i.e. the internet. Once you have the IP addresses, figure out who is using that IP address. To do this, I used nbtstat on one of the Win95 boxes:
get to the Command Prompt,
nbtstat -A <IP address>
this will give you the machine name as well as some other useless info. That way, you can track down the individual people.
FINALLY, being the mean-spirited @#%#@# I am, I added a couple of ipchains rules to the masq script (and the template) that kill the internet access for these two computers! Guess that's two users that will have to go to the head cheese (owner) and complain. hehehe. Here's how:
login as root (locally or using telnet if you are set up to)
cd /etc/e-smith/templates/etc/rc.d/init.d (this gets you to the proper dir)
pico masq (I use pico cause it's easy & there)
now, find the ipchains lines in the masq file, you'll see:
ipchains --flush forward
ipchains --policy forward DENY
directly after those two lines (before the "{" that is there) is where you would add rules to kill the internet access for specific IPs, like this:
ipchains -A forward -j DENY -s <IP address> -d 0/0
now, save the file and go to the "real" init.d directory and do the same to the masq file in there:
cd /etc/rc.d/init.d
pico masq
this time there will be a rule there instead of an "{", put the new rules between the two above and this MASQ rule. It IS very important to get the order right.
once that file is saved, do a
./masq start
to re-start masq and read the new rules.
do a:
ipchains -L
to check that your rules worked, also go to the pc and make sure it indeed doesn't have access.
BTW! I AM NOT RESPONSIBLE IF THIS GETS YOU FIRED!!! This isn't something to do without understanding the consequences first!
cryblood
PS: feel free to e-mail me with any comments, but be prepared for a flame if you send me crap about "Freedom"; users do NOT have the right to crash a corporate LAN with irresponsible internetting!!!
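The two manual steps in the post (read the masq table, then hand-write a DENY rule per offender) combined into one repeatable check, as an added example that is not part of the original post. It assumes, as stated in the post, an internal range of 192.168.1.0/24 and reverse-DNS names of the form pc-00NNN.<domain> where NNN is the last octet; the sample masq table below is constructed, not captured, and its column layout is the 2.2-kernel one (proto, expiry, source, destination, ports). It also accepts numeric sources, which is what you get from ipchains -M -L -n (the -n flag skips the reverse lookup). The script only prints the rules; you still paste them into the masq script before the MASQ rule, exactly as the post says, or they never match.

```shell
#!/bin/sh
# Added example, not from the original post: summarise `ipchains -M -L`
# output per internal host and print the matching DENY rules.
# Assumptions (not from the post): INTERNAL_PREFIX is your /24, and
# reverse-DNS names end in the host's last octet (pc-00155 -> .155).

INTERNAL_PREFIX="192.168.1"

# Constructed sample of `ipchains -M -L` output (not captured data).
SAMPLE_MASQ_OUTPUT='IP masquerading entries
prot expire   source               destination          ports
TCP  14:59.99 pc-00155.example.com www.example.net      1036 (61001) -> 80
TCP  13:02.45 pc-00155.example.com ad.example.org       1037 (61002) -> 80
TCP  13:01.10 pc-00155.example.com ad.example.org       1038 (61003) -> 80
TCP  11:40.12 192.168.1.142        www.example.net      1041 (61004) -> 80
UDP  02:10.00 pc-00142.example.com ns.example.com       1024 (61005) -> 53'

# host_to_ip SOURCE
# Map the "source" column to an internal IP. A dotted quad (from -n)
# passes through; a name yields INTERNAL_PREFIX plus the trailing digits
# of the host part, leading zeros stripped. Returns 1 if unrecognised.
host_to_ip() {
    src=$1
    if printf '%s\n' "$src" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$'; then
        printf '%s\n' "$src"
        return 0
    fi
    host=${src%%.*}                       # drop the domain part
    num=$(printf '%s\n' "$host" | sed 's/.*[^0-9]//; s/^0*//')
    case $num in
        ''|*[!0-9]*) return 1 ;;          # no trailing digits
    esac
    [ "$num" -ge 1 ] && [ "$num" -le 254 ] || return 1
    printf '%s.%s\n' "$INTERNAL_PREFIX" "$num"
}

# masq_summary MASQ_TABLE_TEXT
# Print "ip count" lines, busiest host first. Names and numeric
# addresses for the same host are merged into one count.
masq_summary() {
    printf '%s\n' "$1" | awk 'NR > 2 && NF >= 3 { print $3 }' |
    while read -r src; do
        host_to_ip "$src" || true         # skip lines we cannot map
    done | sort | uniq -c | sort -rn | awk '{ print $2, $1 }'
}

# deny_rule IP
# The rule the post adds to the masq script, for one host. The /32 is
# explicit so a typo cannot silently widen the match.
deny_rule() {
    printf 'ipchains -A forward -j DENY -s %s/32 -d 0/0\n' "$1"
}

# deny_rules_over MASQ_TABLE_TEXT THRESHOLD
# Print a DENY rule for every host holding at least THRESHOLD entries.
# Review the output before pasting it into the masq script.
deny_rules_over() {
    masq_summary "$1" | while read -r ip count; do
        if [ "$count" -ge "$2" ]; then deny_rule "$ip"; fi
    done
}

# Stand-alone run against the constructed sample: who is busiest, then
# rules for any host holding three or more masq entries.
masq_summary "$SAMPLE_MASQ_OUTPUT"
deny_rules_over "$SAMPLE_MASQ_OUTPUT" 3
```

On a live box you would feed it the real table with masq_summary "$(ipchains -M -L -n)"; the threshold is a judgement call, since a normal user browsing has a handful of entries while the bots in the post held the link at 100%.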