Hello,

here's the solution.
Some people got it wrong. The IRC server is not mine, it was the destination of the packets. The source was shown as internal IPs.

Because I was sure that IP spoofing was correctly configured, the problem must reside inside my internal net. Because the source cycles through all my internal IPs (whether a machine exists or not), I assumed that this must be a trojan on an internal machine which manipulates the IP data.
I snooped one of these packets and took a look at it. The IP source was one of my internal IPs, the IP destination was the mentioned IRC server irc.arnes.si. Because the internal IP doesn't belong to any system, it must be faked. Now take a look at the Ethernet header with the MAC address. The destination was the firewall. That's OK, because the Ethernet destination should be the next router. The source was a Sun machine from a customer which resides in our internal net for project reasons. Take a quick look at some other packets. Again and again, the Ethernet source was this machine. So I got the devil.
On the machine I found a program called /usr/sbin/in.lpda. This program needs a lot of CPU power. In my opinion this is not a usual OS program and so I killed it. And guess what, the packet storm stopped right on the spot.
I don't know since when this trojan was on the system and I don't even know how it was triggered.
strings on the program gives, besides some garbage:
strings in.lpda
%d.%d.%d.%d
ICMP
tc: unknown host
3.3.3.3
mservers
randomsucks
skillz
lpsched
in.telne

Maybe I will take a closer look at it in the future. If someone is interested, I could send the binary (it's roughly 100KB).


Some guys mentioned that this is an attempt to slow down the IRC server irc.arnes.si. I don't think so. The program cycles through all ports. This wouldn't make too much sense if you want to kill the server. I guess that he/she just wants to know which ports are open from which machines in my internal net to the outside. That means that he/she has to control irc.arnes.si to get the information he/she wants.

CU, Dirk.
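The method in the post, in code: when the IP source of a packet storm is spoofed, the Ethernet source address still names the NIC that put the frame on the wire, so grouping frames by source MAC and counting how many distinct internal IPs each MAC claims points at the real host, and source IPs that belong to no assigned machine confirm the spoofing. The example below is added here and is not Dirk's code or output; the frames, MAC addresses and the 10.1.1.0/24 subnet are constructed to resemble the capture he describes (one MAC claiming many internal IPs toward the IRC server's address, one legitimate host beside it).

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample frames (not a real capture), modelled on the post:
# a storm from "internal" source IPs to the IRC server, every frame carrying
# the same Ethernet source MAC. Fields: (src MAC, src IP, dst IP, dst port).
# The MAC addresses and the 10.1.1.0/24 subnet are assumptions.
SAMPLE_FRAMES = [
    ("08:00:20:aa:bb:cc", "10.1.1.7",   "193.2.1.34", 1024),
    ("08:00:20:aa:bb:cc", "10.1.1.8",   "193.2.1.34", 1025),
    ("08:00:20:aa:bb:cc", "10.1.1.9",   "193.2.1.34", 1026),
    ("08:00:20:aa:bb:cc", "10.1.1.200", "193.2.1.34", 1027),  # no host has this IP
    ("00:a0:c9:12:34:56", "10.1.1.20",  "193.2.1.34", 6667),  # a real IRC user
    ("00:a0:c9:12:34:56", "10.1.1.20",  "10.1.1.1",   53),
]

# Constructed address assignments for the subnet (an ARP table or DHCP
# lease list would be the real source of this on the firewall).
ASSIGNED_IPS = ["10.1.1.1", "10.1.1.7", "10.1.1.8", "10.1.1.9", "10.1.1.20"]


def group_by_mac(frames, internal_net):
    """Map each Ethernet source MAC to the internal source IPs and the
    destination ports seen in frames it emitted."""
    net = ip_network(internal_net)
    per_mac = defaultdict(lambda: {"sources": set(), "ports": set()})
    for mac, src_ip, _dst_ip, dport in frames:
        if ip_address(src_ip) in net:
            per_mac[mac]["sources"].add(src_ip)
            per_mac[mac]["ports"].add(dport)
    return per_mac


def find_spoofing_macs(frames, internal_net, min_distinct_sources=3):
    """Return the MACs that claimed at least min_distinct_sources different
    internal source IPs. One NIC normally speaks for one IP (or a handful
    of aliases), so a MAC behind many source IPs is the host forging them."""
    per_mac = group_by_mac(frames, internal_net)
    return {mac for mac, info in per_mac.items()
            if len(info["sources"]) >= min_distinct_sources}


def unclaimed_sources(frames, internal_net, assigned_ips):
    """Source IPs inside the subnet that no machine is assigned to. The storm
    in the post used such addresses, which is what proved they were faked."""
    net = ip_network(internal_net)
    assigned = {ip_address(a) for a in assigned_ips}
    seen = {src for _mac, src, _dst, _port in frames
            if ip_address(src) in net and ip_address(src) not in assigned}
    return sorted(seen, key=ip_address)


if __name__ == "__main__":
    subnet = "10.1.1.0/24"
    for mac, info in group_by_mac(SAMPLE_FRAMES, subnet).items():
        print(f"{mac}: {len(info['sources'])} source IPs, "
              f"{len(info['ports'])} destination ports")
    print("spoofing MACs:", find_spoofing_macs(SAMPLE_FRAMES, subnet))
    print("unassigned source IPs:", unclaimed_sources(SAMPLE_FRAMES, subnet, ASSIGNED_IPS))
```

On the firewall the frame tuples would come from a `snoop` or `tcpdump` capture that includes the link-layer header; the MAC that `find_spoofing_macs` returns is then matched against the switch's forwarding table to find the port, and the machine, it sits on.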

> 
> Hello,
> 
> Since a couple of minutes ago I have been under an attack. I have never seen this behaviour.
> I have around 50000 active connections. The destination for all of these connections is irc.arnes.si (193.2.1.34). The source is an internal IP. The internal IP is not one specific IP, it's changing all over the whole subnet, even if no machine is assigned to this IP. But not only do the IPs cycle through all values, the ports do also.
> 
> I'm sure that IP spoofing is correctly configured. The whole system has been working for 2 years.
> 
> Any idea how to stop, what to change ??
> 
> Tia, Dirk.
> 
> BTW. It's Firewall 4.0 under Solaris 2.6


================================================================================
     To unsubscribe from this mailing list, please see the instructions at
               http://www.checkpoint.com/services/mailing.html
================================================================================