On Thursday 13 May 2004, 20:15, Lars Ellenberg wrote:
> > 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376
> > [ttl 1]
>
> ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server,
> was infected, and now tries to compromise the world, and its own
> subnet, which you happen to be in.

Oh, I see. But one thing I do not understand: it doesn't seem like this
traffic is directed at me, since it's not my address that's the
destination...? Are they routing their traffic through me or something?

> iirc there has been some worm targeting Microsoft SQL server early
> 2003, maybe it is still active sometimes, maybe there is a new one.

OK. I tried nmap -O 217.77.34.162 but got nothing. I have found that they
are running IIS on their web server though. And I can't find any hosts in
that company's netblock.

> > you are "safe", but this should show in some "DROP" or "REJECT"
> statistics. have a look at the output of "iptables -vnL"

OK. Very little there... It is not very detailed, since I'm using -P, is
that a Bad Idea? This is what it says:

Chain INPUT (policy DROP 157K packets, 10M bytes)

That's still nowhere near the total amount of data I've been getting.
There's of course a lot more, but nothing that seems relevant.

BTW, would I have anything to lose by going

iptables -I INPUT -i eth0 -s 217.77.34.162 -j REJECT

> you want to tell the guy responsible for 217.77.34.162, and the
> hostmaster at easynet.no, that they have a compromised machine, and
> should take it offline.

Hm, OK, but I need to feel a little more certain about what's going on...
Given I find no signs that the machine is actually up, and that I still
don't understand the traffic pattern,

> and that you want them to pay for the traffic they are causing you.

Well, it is more the time I've been wasting, I spent almost two full
days, in a very critical period... But I do not expect to be charged for
the bandwidth, no...

Best,

Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
Homepage: http://www.kjetil.kjernsmo.net/
OpenPGP KeyID: 6A6A0BBC
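As an added illustration, not part of the thread, a small Python checker that parses tcpdump summary lines like the one quoted above and tags what a defender would look at: UDP port 1434, the 376-byte size of the January 2003 MS-SQL worm datagram, a multicast destination (234.195.198.113 lies in 224.0.0.0/4, so every host on the segment receives the frame even though it is not the addressee), and TTL 1. The capturing host's address (192.0.2.7) and the sample lines other than the quoted one are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in tcpdump summary format: first line mirrors the thread.
SAMPLE_LINES = """\
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:30.102211 192.0.2.10.53 > 192.0.2.7.41022: udp 91
19:41:31.550000 198.51.100.4.2091 > 192.0.2.7.1434: udp 376
19:41:32.000000 192.0.2.7.22 > 203.0.113.9.55012: tcp 0
"""
LINE_RE = re.compile(
    r"^\S+\s+(?P<src>[\d.]+)\.(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+)\.(?P<dport>\d+):"
    r"\s+(?P<proto>udp|tcp)\s+(?P<len>\d+)(?:\s+\[ttl\s+(?P<ttl>\d+)\])?"
)
MY_ADDR = ip_address("192.0.2.7")        # hypothetical address of the capturing host
MULTICAST = ip_network("224.0.0.0/4")    # IPv4 multicast range

def parse_line(line):
    """Parse one tcpdump summary line; None if the line is in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"src": d["src"], "dst": d["dst"], "proto": d["proto"],
            "sport": int(d["sport"]), "dport": int(d["dport"]), "len": int(d["len"]),
            "ttl": int(d["ttl"]) if d["ttl"] else None}

def classify(pkt):
    """Return the reasons a packet deserves a look (empty list if none)."""
    tags = []
    if pkt["proto"] == "udp" and pkt["dport"] == 1434:
        tags.append("udp/1434: MS-SQL resolution service")
        if pkt["len"] == 376:
            tags.append("376-byte payload: size of the 2003 MS-SQL worm datagram")
    src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
    if dst in MULTICAST:
        tags.append("multicast destination: every host on the segment receives it")
    elif MY_ADDR not in (src, dst):
        tags.append("neither from nor to this host")
    if pkt["ttl"] is not None and pkt["ttl"] <= 1:
        tags.append("ttl 1: the next router would discard it")
    return tags

def scan(text):
    """Group interesting packets by source address, one tag list per packet."""
    findings = {}
    for line in text.splitlines():
        pkt = parse_line(line)
        if pkt and (tags := classify(pkt)):
            findings.setdefault(pkt["src"], []).append(tags)
    return findings
```

Feed it `tcpdump -n` output (or the `iptables -vnL` counters will only ever tell you how much was dropped, not what it was) and the quoted line comes back tagged on all four counts, while ordinary DNS replies to the host produce nothing.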