
Re: icmp: echo reply? Am I being attacked?



Yes, I had already noticed that when I ping a machine, the packets show
up in tcpdump as a series of echo-requests and echo-replies, but in this
case I can't find the echo-requests.

I do think that the computer address the attacks are coming from
should not be correct, as it changes quite frequently.

As I write this e-mail, my computer is being attacked. I logged the
output of a few seconds of "tcpdump host xenon4" to the file
http://xenon4.fe.up.pt/tcpdump_results .

I would have no problem assuming that someone would have compromised my
computer, but this problem happens on all computers on the local network
that run Linux or Digital Unix. That's why I think it could be an exploit
of some particularity specific to Unix systems.

Nuno Faria




John Vivian wrote:
> 
>         From the looks of things, your computer (neural1.fe.up.pt) is being
>         pinged by the remote computer (bozzman.comesurfthe.net).  The output
>         you quoted in your e-mail is your computer's response to the ping.
> 
>         A 'ping' consists of two types of ICMP packets; an "echo-request",
>         and an "echo-reply".
> 
>         Take a look at the network traffic for "echo-requests" from the hosts
>         that your machine is sending the "echo-reply" to; you should see them.
> 
>         I may be incorrect with this next statement (corrections anyone?), if
>         you do not see any "echo-requests" that correspond to the "echo-replies"
>         you are seeing, then it may be possible that someone has compromised
>         your machines.  This is probably not the case, though I can't say for
>         certain.  The bottom line is that if you see the "echo-requests", then
>         mystery solved.  Otherwise, you may wish to post again with more details.
> 
>         Hope this helps.  Can anyone else provide more info?
> 
> ----------------------------------------------
> John Vivian
> Exxecom
> Network Security Analyst
> ----------------------------------------------
> 
> -----Original Message-----
> From: Nuno Faria [mailto:nfaria@fe.up.pt]
> Sent: Wednesday, July 26, 2000 2:42 PM
> To: debian-security@lists.debian.org
> Subject: icmp: echo reply? Am I being attacked?
> 
> Dear list members,
> 
> First of all let me state where I stand.
> 
> I've been using Linux (Debian) for one year now. During this year I've
> learnt quite a lot, but on the issue of network and security I'm a
> complete newbie.
> 
> Now I think I have a security problem (although it is not exclusively
> mine). The problem is as follows:
> 
> I am the administrator of three PCs in a local network. They all have
> real IP addresses.
> 
> Sometimes, without any apparent reason, some of the computers in this
> network start producing network traffic. I do
> netstat and there is no indication of a network connection. I do "tcpdump
> host machinename" and I get a series of:
> 
> 17:32:27.620336 neural1.fe.up.pt > bozzman.comesurfthe.net: icmp: echo reply
> 
> not necessarily with the same machine address (bozzman.comesurfthe.net).
> The increase in the network traffic can be as high as 50kB/s.
> 
> This is not a Debian or Linux specific problem, as it also happens on
> another machine running Digital Unix, but on the other hand, if I change
> one of the PCs from Linux to Win NT4 the problem stops. It reappears when
> I change it back to Linux.
> 
> Can you help me? Can you point me to some document I might read to find
> information related to this subject?
> 
> Thanks in advance,
> 
> Nuno Faria
> 
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> 