Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: David on January 03, 2002, 02:27:45 AM
-
For the past 25 hrs something VERY VERY fishy has been going on. Checking my log files (/var/log/messages) I find the following.
By all means I'm no expert in Linux, but I sure as heck know this is not normal.
I'm running Portsentry. Of course this is just a little section of the log, but this 24.112.20.14 address has just been pounding my system.
As you will also notice, there are several different IPs as well.
I need some help here. This guy is NOT stopping. And I have created a rule to at least try and stop him. But it doesn't seem to be helping. Can ANYONE help me out here????
Jan 2 13:23:18 e-smith kernel: Packet log: input DENY eth1 PROTO=17 24.112.20.14:6112 24.102.229.222:6112 L=45 S=0x00 I=46859 F=0x0000 T=128 (#12)
Jan 2 13:23:19 e-smith kernel: Packet log: input DENY eth1 PROTO=17 24.112.20.14:6112 198.79.47.109:20181 L=45 S=0x00 I=47115 F=0x0000 T=128 (#12)
Jan 2 13:23:20 e-smith kernel: Packet log: input DENY eth1 PROTO=17 24.112.20.14:6112 12.248.16.43:6112 L=45 S=0x00 I=47371 F=0x0000 T=128 (#12)
Jan 2 13:23:20 e-smith kernel: Packet log: input DENY eth1 PROTO=17 24.112.20.14:6112 66.156.208.63:6112 L=45 S=0x00 I=47627 F=0x0000 T=128 (#12)
Jan 2 13:23:21 e-smith kernel: Packet log: input DENY eth1 PROTO=17 24.112.20.14:6112 216.175.25.66:1025 L=45 S=0x00 I=47883 F=0x0000 T=128 (#12)
Jan 2 13:23:21 e-smith kernel: Packet log: input DENY eth1 PROTO=17 24.112.20.14:6112 65.80.94.4:6112 L=44 S=0x00 I=48139 F=0x0000 T=128 (#12)
Jan 2 13:23:22 e-smith kernel: Packet log: input DENY eth1 PROTO=17 24.112.20.14:6112 24.102.229.222:6112 L=44 S=0x00 I=48395 F=0x0000 T=128 (#12)
Jan 2 13:23:22 e-smith kernel: Packet log: input DENY eth1 PROTO=17 24.112.20.14:6112 24.102.229.222:6112 L=44 S=0x00 I=48651 F=0x0000 T=128 (#12)
Jan 2 13:23:22 e-smith kernel: Packet log: input DENY eth1 PROTO=17 24.112.20.14:6112 12.248.16.43:6112 L=44 S=0x00 I=48907 F=0x0000 T=128 (#12)
Jan 2 13:23:23 e-smith kernel: Packet log: input DENY eth1 PROTO=17 24.112.20.14:6112 65.80.94.4:6112 L=44 S=0x00 I=49163 F=0x0000 T=128 (#12)
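The counting the poster did by hand on the 17 meg file (how much of the denied traffic comes from one address) can be done over the whole of /var/log/messages with a small parser for the ipchains "Packet log:" format shown above. This is an added example, not code from the thread or from SME Server; it reads the first address as the remote source and the second as the destination, as the ipchains format does, and the last sample line (source 192.0.2.10, TCP) is constructed to show a second source.

```python
import re
from collections import Counter

# Field layout of an ipchains "Packet log:" line as seen in the post above:
#   <chain> <verdict> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<ip length> S=<tos> I=<ip id> F=<frag word> T=<ttl> (#<rule number>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>0x[0-9a-f]+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-f]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)",
    re.IGNORECASE,
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

def parse_line(line):
    """Return a dict of the packet fields, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    return rec

def top_sources(lines):
    """Count logged packets per remote source address; returns (total, Counter)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        counts[rec["src"]] += 1
    return sum(counts.values()), counts

def share_of(lines, src):
    """Fraction of parsed packets that came from src (0.0 when nothing parsed)."""
    total, counts = top_sources(lines)
    return counts[src] / total if total else 0.0

# Four lines copied from the post, plus one constructed TCP line from another source.
SAMPLE = """\
Jan 2 13:23:18 e-smith kernel: Packet log: input DENY eth1 PROTO=17 24.112.20.14:6112 24.102.229.222:6112 L=45 S=0x00 I=46859 F=0x0000 T=128 (#12)
Jan 2 13:23:19 e-smith kernel: Packet log: input DENY eth1 PROTO=17 24.112.20.14:6112 198.79.47.109:20181 L=45 S=0x00 I=47115 F=0x0000 T=128 (#12)
Jan 2 13:23:20 e-smith kernel: Packet log: input DENY eth1 PROTO=17 24.112.20.14:6112 12.248.16.43:6112 L=45 S=0x00 I=47371 F=0x0000 T=128 (#12)
Jan 2 13:23:21 e-smith kernel: Packet log: input DENY eth1 PROTO=17 24.112.20.14:6112 216.175.25.66:1025 L=45 S=0x00 I=47883 F=0x0000 T=128 (#12)
Jan 2 13:23:25 e-smith kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.10:3456 24.102.229.222:80 L=48 S=0x00 I=1234 F=0x4000 T=64 (#12)
""".splitlines()

if __name__ == "__main__":
    total, counts = top_sources(SAMPLE)
    for src, n in counts.most_common():
        print(f"{src:16} {n:6d}  {100.0 * n / total:5.1f}%")
```

To run it over the real file, replace SAMPLE with `open("/var/log/messages")`; lines that are not packet logs are skipped.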
-
btw: I'm running 4.1.2
-
Here is a dump of my ps -ef.
I've removed some of the dups.
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jan01 ? 00:00:06 init [7]
root 2 1 0 Jan01 ? 00:00:01 [kflushd]
root 3 1 0 Jan01 ? 00:00:03 [kupdate]
root 4 1 0 Jan01 ? 00:00:00 [kpiod]
root 5 1 0 Jan01 ? 00:00:13 [kswapd]
root 6 1 0 Jan01 ? 00:00:00 [mdrecoveryd]
root 252 1 2 Jan01 ? 00:30:27 syslogd -m 0 -a /home/dns/dev/lo
root 262 1 0 Jan01 ? 00:01:24 klogd -c 1
root 595 1 0 Jan01 ? 00:00:00 [dhcpcd]
root 715 1 0 Jan01 ? 00:00:04 crond
root 873 1 0 Jan01 ? 00:00:01 xinetd -reuse -pidfile /var/run/
lp 1024 1 0 Jan01 ? 00:00:00 [lpd]
root 1049 1 0 Jan01 ? 00:00:00 /usr/sbin/dhcpd eth0
root 1106 1 0 Jan01 ? 00:00:00 [supervise]
qmaill 1107 1 0 Jan01 ? 00:00:01 cyclog -s 3500000 /var/log/qmail
qmails 1108 1106 0 Jan01 ? 00:00:07 qmail-send
qmaill 1115 1108 0 Jan01 ? 00:00:00 accustamp qmail
root 1116 1108 0 Jan01 ? 00:00:01 qmail-lspawn ./Maildir/
qmailr 1117 1108 0 Jan01 ? 00:00:00 qmail-rspawn
qmailq 1118 1108 0 Jan01 ? 00:00:00 qmail-clean
mail 1163 1 0 Jan01 ? 00:00:00 smtpfwdd -d /var/spool/smtpd/spo
root 1203 1 0 Jan01 ? 00:00:05 httpd
root 1268 1 0 Jan01 ? 00:00:10 [sshd]
www 1284 1203 0 Jan01 ? 00:00:07 [httpd]
root 1433 1 0 Jan01 ? 00:00:01 /usr/sbin/httpd-admin -f /etc/ht
admin 1449 1433 0 Jan01 ? 00:00:00 /usr/sbin/httpd-admin -f /etc/ht
root 1475 1 0 Jan01 ? 00:00:00 [safe_mysqld]
mysql 1515 1475 0 Jan01 ? 00:00:00 [mysqld]
mysql 1525 1515 0 Jan01 ? 00:00:00 [mysqld]
mysql 1526 1525 0 Jan01 ? 00:00:00 [mysqld]
root 1545 1268 0 Jan01 ? 00:00:04 [sshd]
root 1548 1 0 Jan01 ? 00:00:00 [smbd]
root 1558 1 0 Jan01 ? 00:00:01 nmbd -D
root 1561 1558 0 Jan01 ? 00:00:00 [nmbd]
root 1571 1545 0 Jan01 pts/0 00:00:01 [bash]
root 1599 1 0 Jan01 tty1 00:00:09 [console]
root 1600 1 0 Jan01 tty2 00:00:00 [login]
root 1601 1 0 Jan01 tty3 00:00:00 [login]
dns 1602 1 0 Jan01 ? 00:00:13 /usr/sbin/named -f -u dns -g dns
root 1620 1599 0 Jan01 ? 00:00:00 [rpmq ]
root 1621 1599 0 Jan01 tty1 00:00:00 [logger]
root 1622 1599 0 Jan01 tty1 00:00:00 [whiptail]
root 1658 1 0 Jan01 pts/0 00:00:18 /bin/sh /david/fixnc
root 1665 1268 0 Jan01 ? 00:00:08 /usr/sbin/sshd
root 1666 1665 0 Jan01 pts/1 00:00:01 [bash]
root 1756 1600 0 Jan01 tty2 00:00:00 [bash]
root 1872 1601 0 Jan01 tty3 00:00:00 [bash]
root 2113 1 0 Jan01 ? 00:00:11 /usr/sbin/portsentry -atcp
root 2115 1 0 Jan01 ? 00:00:08 /usr/sbin/portsentry -audp
root 2117 1 0 Jan01 ? 00:00:01 /usr/sbin/portsentry -stcp
root 2119 1 0 Jan01 ? 00:00:00 /usr/sbin/portsentry -sudp
www 2548 1203 0 Jan01 ? 00:00:07 [httpd]
www 2845 1203 0 Jan01 ? 00:00:09 [httpd]
root 5681 1268 0 Jan01 ? 00:00:04 /usr/sbin/sshd
root 5682 5681 0 Jan01 pts/2 00:00:01 -bash
root 5802 1571 1 Jan01 pts/0 00:13:15 snort -i eth1 -A full -c snort.c
mysql 3178 1525 0 09:09 ? 00:00:00 [mysqld]
mysql 3265 1525 0 09:10 ? 00:00:00 [mysqld]
mysql 3438 1525 0 09:14 ? 00:00:00 [mysqld]
admin 13279 1433 0 13:17 ? 00:00:00 /usr/sbin/httpd-admin -f /etc/ht
admin 13286 1433 0 13:17 ? 00:00:00 /usr/sbin/httpd-admin -f /etc/ht
admin 13290 1433 0 13:17 ? 00:00:00 /usr/sbin/httpd-admin -f /etc/ht
admin 13291 1433 0 13:17 ? 00:00:00 /usr/sbin/httpd-admin -f /etc/ht
root 13683 1666 7 13:25 pts/1 00:00:48 top
root 14096 1658 0 13:35 pts/0 00:00:00 sleep 20
root 14097 5682 0 13:35 pts/2 00:00:00 ps -ef
root 14098 5682 0 13:35 pts/2 00:00:00 mail david@toste.ca
-
Look in your access_log. It is in /var/log/httpd.
I think you will see a lot of cmd.exe and root.exe.
A lot of people are still infected by the Nimda virus, which can be distributed through a web server... don't worry, Linux is immune to it, but it will give you a lot of overhead on the bandwidth... it could even crash your Apache services.
-
That's not a problem, I've been monitoring that for a little while now. It sure wasn't attempts to gain access to the web part.
-
Perhaps I'm not understanding what you believe you see there, but one side of those log entries is the remote host, and the other side is the local host. Are you sure that 24.112.20.14 isn't your own address? UDP (protocol 17) port 6112 is used by Battle.net clients. Any gamers on your local network?
In any case, according to the log, the connections are being denied, which is what's supposed to happen -- that's evidence from your kernel packet filters that the connections weren't allowed.
Hope this helps,
-Rich
-
Yes, I'm sure 101% that 24.112.20.14 isn't my IP.
As for the gaming, again I'm sure 100% that there are no games going on, since the network is at home and it's just me and the wife.
The reason the connections are being denied is because I created the rule to deny this guy. At times the packets are just flying in, my connection is degraded big time, in a way it's almost like a DoS.
The port that was reported in the email I sent out is NOT the only one. I have a 17 meg log file, I would say EASY 60% is from this IP alone.
Yes, I could stop ipchains from logging, but I like to keep track as to what's going on.
I also run IPTraf, and I was monitoring this IP connected to the NNTP server on the @Home system. Why I was able to see his traffic on my system is the reason I think something funny is going on: traffic going from him to the NNTP connection was incoming and outgoing on my server. It was as if he was behind the firewall and getting messages to the newsgroups. I have squid turned off, so it couldn't be a proxy hijack.
If you want I can supply more log info.
-
It's not TCP at all. There's no connection, no hijacking, just some stateless packets arriving at your doorstep. But it sounds as though you've diagnosed the problem yourself to be some problem involving @Home; perhaps it would be worthwhile to ask them what is going on.
One possibility is that you were assigned an address that was formerly being used as a Battle.net server. I vaguely recall this once being a problem with Quake network games.
-Rich