Re: Large, constant incoming traffic

To: debian-security@lists.debian.org
Subject: Re: Large, constant incoming traffic
From: Kjetil Kjernsmo <kjetil@kjernsmo.net>
Date: Thu, 13 May 2004 20:45:55 +0200
Message-id: <[🔎] 200405132045.55268.kjetil@kjernsmo.net>
In-reply-to: <+vU7TZN0hnjLkKXDB3oWDHU=lge@web.de>
References: <[🔎] 200405131753.21075.kjetil@kjernsmo.net> <[🔎] 200405131953.33314.kjetil@kjernsmo.net> <+vU7TZN0hnjLkKXDB3oWDHU=lge@web.de>

On torsdag 13. mai 2004, 20:15, Lars Ellenberg wrote:

> > 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434:  udp 376
> > [ttl 1]
>
> ok, chances are that 217.77.34.162 runs an unpatches MS-SQL server,
> was infected, and now tries to compromise the world, and its own
> subnet, where you happen to be in.

Oh, I see. But one thing I do not understand, it doesn't seem like this 
traffic is directed at me, since it's not my address that's the 
destination...? Are they routing their traffic through me or something? 

> iirc there has been some worm targetting Microsoft SQL server early
> 2003, maybe it is still active sometimes, maybe there is a new one.

OK. I tried nmap -O 217.77.34.162 but got nothing. I have found that 
they are running IIS on their web server though. And I can't find any 
hosts in that company's netblock. 

>
> you are "safe", but this should show in some "DROP" or "REJECT"
> statistics. have a look at the output of "iptables -vnL"

OK. Very little there... It is not very detailed, since I'm using -P, is 
that a Bad Idea?
This is what it says:
Chain INPUT (policy DROP 157K packets, 10M bytes)
That's still nowhere near the total amount of data I've been getting. 

There's of course a lot more, but nothing that seems relevant. 

BTW, would I have anything to loose by going

iptables -I INPUT -i eth0 -s 217.77.34.162 -j REJECT

> you want to tell the guy responsible for 217.77.34.162, and the
> hostmaster at easynet.no, that they have a compromised machine, and
> should take it offline.

Hm, OK, but I need to feel a little more certain about what's going 
on... Given I find no signs that the machine is actually up, and that I 
still don't understand the traffic pattern, 

> and that you want them to pay for the traffic they are causing you.

Well, it is more the time I've been wasting, I spent almost two full 
days, in a very critical period... But I do not expect to be charged 
for the bandwidth, no... 

Best,

Kjetil
-- 
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net  webmaster@skepsis.no  editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/        OpenPGP KeyID: 6A6A0BBC

Reply to:

Follow-Ups:
- Re: Large, constant incoming traffic
  - From: Florian Weimer <fw@deneb.enyo.de>

References:
- Large, constant incoming traffic
  - From: Kjetil Kjernsmo <kjetil@kjernsmo.net>
- Re: Large, constant incoming traffic
  - From: Kjetil Kjernsmo <kjetil@kjernsmo.net>
- Re: Large, constant incoming traffic
  - From: Lars Ellenberg <l.g.e@web.de>

Prev by Date: Re: Large, constant incoming traffic
Next by Date: Re: Large, constant incoming traffic
Previous by thread: Re: Large, constant incoming traffic
Next by thread: Re: Large, constant incoming traffic
Index(es):
- Date
- Thread