[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Large, constant incoming traffic

/ 2004-05-13 19:53:33 +0200
\ Kjetil Kjernsmo:
> On torsdag 13. mai 2004, 19:32, Robert Jakubowski wrote:
> > The best way to see what is going on is to dump the traffic to a file
> > and analyse it. Tcpdump and ethereal are great tools for that
> > purpose.
> Great! Reagan Blundell also told me about them offline. 
> > Ethereal will make the job easier and should give you a 
> > clue. If you are affraid the server has been compromised you have to
> > use another computer to get reliable information. I don't know your
> > network setup and what you have at disposal. If it is cable/DSL you
> > could connect your server through a hub, hook up the other computer
> > to the hub and do the dump (you may have to use a crossover cable
> > between the modem and the hub).
> Yup. It's in server hosting at a provider, and I don't have physical 
> access there... So, I have no option but to do it remotely (or perhaps I 
> could if eth0 was promiscuous, but it isn't?).
> Anyway, what I see in tcpdump after filtering out my own ssh traffic, 
> and some DNS traffic (which might have something to do with it, but 
> makes a lot of noise), I see (easynet.no is my provider):
> 19:41:29.459644 >  udp 376 [ttl 
> 1]
> 19:41:29.565792 arp who-has tell core-1-e2.easynet.no
> 19:41:29.675637 >  udp 376 [ttl 1]

ok, chances are that runs an unpatches MS-SQL server,
was infected, and now tries to compromise the world, and its own
subnet, where you happen to be in.

iirc there has been some worm targetting Microsoft SQL server early 2003,
maybe it is still active sometimes, maybe there is a new one.

you are "safe", but this should show in some "DROP" or "REJECT" statistics.
have a look at the output of "iptables -vnL"

you want to tell the guy responsible for, and the
hostmaster at easynet.no, that they have a compromised machine, and
should take it offline.
and that you want them to pay for the traffic they are causing you.

	Lars Ellenberg

Reply to: