Re: Large, constant incoming traffic
/ 2004-05-13 19:53:33 +0200
\ Kjetil Kjernsmo:
> On torsdag 13. mai 2004, 19:32, Robert Jakubowski wrote:
> > The best way to see what is going on is to dump the traffic to a file
> > and analyse it. Tcpdump and ethereal are great tools for that
> > purpose.
> Great! Reagan Blundell also told me about them offline.
> > Ethereal will make the job easier and should give you a
> > clue. If you are affraid the server has been compromised you have to
> > use another computer to get reliable information. I don't know your
> > network setup and what you have at disposal. If it is cable/DSL you
> > could connect your server through a hub, hook up the other computer
> > to the hub and do the dump (you may have to use a crossover cable
> > between the modem and the hub).
> Yup. It's in server hosting at a provider, and I don't have physical
> access there... So, I have no option but to do it remotely (or perhaps I
> could if eth0 was promiscuous, but it isn't?).
> Anyway, what I see in tcpdump after filtering out my own ssh traffic,
> and some DNS traffic (which might have something to do with it, but
> makes a lot of noise), I see (easynet.no is my provider):
> 19:41:29.459644 220.127.116.11.2090 > 18.104.22.168.1434: udp 376 [ttl
> 19:41:29.565792 arp who-has 22.214.171.124 tell core-1-e2.easynet.no
> 19:41:29.675637 126.96.36.199.2090 > 188.8.131.52.1434: udp 376 [ttl 1]
ok, chances are that 184.108.40.206 runs an unpatches MS-SQL server,
was infected, and now tries to compromise the world, and its own
subnet, where you happen to be in.
iirc there has been some worm targetting Microsoft SQL server early 2003,
maybe it is still active sometimes, maybe there is a new one.
you are "safe", but this should show in some "DROP" or "REJECT" statistics.
have a look at the output of "iptables -vnL"
you want to tell the guy responsible for 220.127.116.11, and the
hostmaster at easynet.no, that they have a compromised machine, and
should take it offline.
and that you want them to pay for the traffic they are causing you.