Could this really be CODE RED in action? The worm
scans the range of IPs of an infected machine and
verifies if there are IIS lying around to conquer. I
got a lot of those funny default.idaXXXXXXX something
on my Apache logs and they are coming from a variety
of IP addresses ... which, when I try to check, are
either saying "hacked by chinese" or "page under
construction".
Well, just a thought.
--- Pierre Fortin <[EMAIL PROTECTED]> wrote:
> Glenn Johnson wrote:
> >
> > Why would these arp requests occur as a steady stream, all going to
> > primarily one machine it looks like? This just started today. I
> > usually see an occasional flash of the activity light on the cable modem
> > but the activity light is almost burning steady now. Here is a snippet
> > of output from tcpdump.
> >
> > 23:11:45.429645 arp who-has 24.158.211.28 tell 24.158.208.1
> > 23:11:45.597693 arp who-has 24.158.211.128 tell 24.158.208.1
> > 23:11:45.603525 arp who-has 24.158.209.52 tell 24.158.208.1
> > 23:11:45.648017 arp who-has 24.158.213.195 tell 24.158.208.1
> > 23:11:45.701103 arp who-has 24.158.213.186 tell 24.158.208.1
> > 23:11:45.799656 arp who-has 24.158.208.6 tell 24.158.208.1
> > 23:11:45.803653 arp who-has 24.158.208.213 tell 24.158.208.1
> > 23:11:45.807188 arp who-has 24.158.213.2 tell 24.158.208.1
> > 23:11:45.814144 arp who-has 24.158.211.254 tell 24.158.208.1
> > 23:11:45.833711 arp who-has 24.158.213.253 tell 24.158.208.1
> > 23:11:45.856152 arp who-has 24.158.210.61 tell 24.158.208.1
> > 23:11:45.906593 arp who-has 24.158.210.26 tell 24.158.208.1
> > 23:11:45.943625 arp who-has 24.158.223.226 tell 24.158.223.129
> > 23:11:45.949866 arp who-has 24.158.222.24 tell 24.158.222.1
> > 23:11:45.966988 arp who-has 24.158.212.132 tell 24.158.208.1
> > 23:11:46.052650 arp who-has 24.158.212.103 tell 24.158.208.1
> > 23:11:46.065411 arp who-has 24.158.220.82 tell 24.158.220.1
> > 23:11:46.156773 arp who-has 24.158.220.139 tell 24.158.220.1
> > 23:11:46.164731 arp who-has 24.158.215.52 tell 24.158.208.1
> > 23:11:46.169593 arp who-has 24.158.209.195 tell 24.158.208.1
> >
> > It seems to me that there is some problem here. How would you suggest I
> > approach the cable company with this information?
>
> This is not TO 24.158.208.1, rather FROM... this indicates that there is
> traffic coming from "out there" into your segment looking for the IPs in the
> left column... since there are no duplicates in that sample, it appears someone
> is scanning the range... but scanning with only one packet does nothing for the
> scanning host, it just fills the router's (24.158.208.1) arp cache... the
> router waits for the next packet... if it comes, and there's a cache entry, the
> scanner's packet will reach the target host (you?)... if it doesn't come, the
> cache will timeout and flush the entry eventually. If the scan cycle is longer
> than the ARP cache timeout, it's just a waste of bandwidth...
>
> Unless you see the next packet from the scanner, only the router knows the
> scanner's IP (likely forged) for the brief time it converts that packet into an
> ARP if there's no arp entry for the target host. If there is an entry, then you
> could see the scanner's IP.
>
> If one were to write an arpresponder (had one many years ago to overcome a
> network topology issue), it would cause havoc on this type of network... unless
> you can also see the unicast ARP replies, you can't tell if the host really
> exists from your vantage point. If you send an ARP reply for the ARPed-for
> host, one of two things will happen...
> 1. you respond first; no problem, since the last ARP reply seen is used.
> 2. you respond later; you own the IP address (unless someone else also steals it
> or the real target is really slow to respond...)
>
> Trying to steal IPs this way is a crap shoot trying to get in last and before
> the first real data packet which quickly follows...
>
> HTH,
> Pierre
>
> PS: Sorry I've been quiet lately... lots of personal issues...
>