
Re: Large, constant incoming traffic



/ 2004-05-13 19:53:33 +0200
\ Kjetil Kjernsmo:
> On torsdag 13. mai 2004, 19:32, Robert Jakubowski wrote:
> > The best way to see what is going on is to dump the traffic to a file
> > and analyse it. Tcpdump and ethereal are great tools for that
> > purpose.
> 
> Great! Reagan Blundell also told me about them offline. 
> 
> > Ethereal will make the job easier and should give you a 
> > clue. If you are affraid the server has been compromised you have to
> > use another computer to get reliable information. I don't know your
> > network setup and what you have at disposal. If it is cable/DSL you
> > could connect your server through a hub, hook up the other computer
> > to the hub and do the dump (you may have to use a crossover cable
> > between the modem and the hub).
> 
> Yup. It's in server hosting at a provider, and I don't have physical 
> access there... So, I have no option but to do it remotely (or perhaps I 
> could if eth0 was promiscuous, but it isn't?).
> 
> Anyway, what I see in tcpdump after filtering out my own ssh traffic, 
> and some DNS traffic (which might have something to do with it, but 
> makes a lot of noise), I see (easynet.no is my provider):
> 
> 19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434:  udp 376 [ttl 1]
> 19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
> 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376 [ttl 1]

ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server,
was infected, and now tries to compromise the world, and its own
subnet, which you happen to be in.

iirc there has been some worm targeting Microsoft SQL server early 2003,
maybe it is still active sometimes, maybe there is a new one.

you are "safe", but this should show in some "DROP" or "REJECT" statistics.
have a look at the output of "iptables -vnL"

you want to tell the guy responsible for 217.77.34.162, and the
hostmaster at easynet.no, that they have a compromised machine, and
should take it offline.
and that you want them to pay for the traffic they are causing you.

	Lars Ellenberg
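The pattern Lars reads out of the dump above (one source spraying 376-byte UDP datagrams at port 1434 across many destinations) can be picked out of a tcpdump capture mechanically. The following is an added example, not code from anyone in this thread; it assumes the classic tcpdump line format quoted above, and the sample lines beyond the two from the thread are constructed.

```python
import re
from collections import defaultdict

# Matches the classic tcpdump line format quoted in the thread, e.g.
#   19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434:  udp 376 [ttl 1]
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"udp\s+(?P<length>\d+)(?:\s+\[ttl\s+(?P<ttl>\d+)\])?"
)

def parse_udp_line(line):
    """Return a dict for a UDP tcpdump line, or None for anything else (arp, tcp, ...)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "length"):
        d[k] = int(d[k])
    d["ttl"] = int(d["ttl"]) if d["ttl"] is not None else None
    return d

def find_udp_scanners(lines, port=1434, min_targets=2):
    """Group UDP datagrams to `port` by source and report sources that hit at
    least `min_targets` distinct destinations: one host spraying a subnet is
    the worm signature, a single datagram is not."""
    targets = defaultdict(set)
    sizes = defaultdict(set)
    for line in lines:
        pkt = parse_udp_line(line)
        if pkt is None or pkt["dport"] != port:
            continue
        targets[pkt["src"]].add(pkt["dst"])
        sizes[pkt["src"]].add(pkt["length"])
    return {
        src: {"targets": len(dsts), "payload_sizes": sorted(sizes[src])}
        for src, dsts in targets.items()
        if len(dsts) >= min_targets
    }

# Constructed sample: the three lines from the thread plus two made-up ones
SAMPLE = """\
19:41:29.459644 217.77.34.162.2090 > 226.122.204.181.1434:  udp 376 [ttl 1]
19:41:29.565792 arp who-has 217.77.32.171 tell core-1-e2.easynet.no
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376 [ttl 1]
19:41:30.012345 217.77.34.162.2090 > 192.0.2.7.1434:  udp 376 [ttl 1]
19:41:30.500000 192.0.2.10.40000 > 192.0.2.20.53:  udp 45
""".splitlines()

if __name__ == "__main__":
    for src, info in find_udp_scanners(SAMPLE).items():
        print(f"{src}: {info['targets']} distinct udp/1434 targets, sizes {info['payload_sizes']}")
```

Feed it `tcpdump -n udp port 1434` output from the host and the offending source shows up with its target count, which is the evidence to attach when writing to the hostmaster.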


