Are you running anything from Tivoli?
in.lpda is the Link Problem Determination Aid (LPDA). Although I'm certain
that if someone was going to drop a trojan on your system, they would try to
disguise the trojan as an actual valid process so it wouldn't be killed...
=====================================================================
Joseph Voisin, Systems Administrator, Engel Canada Inc.
www.engelmachinery.com | [EMAIL PROTECTED] | (519)836-0220 x436
PGP Fingerprint: A20B 135D 0920 074F C7FE D72D 88A7 2521 5138 DFC2
=====================================================================
> -----Original Message-----
> From: Dirk Boenning [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, August 02, 2000 8:34 AM
> To: 'Firewall-1 Mailing list'
> Subject: [FW1][SUMMARY] Urgent. I'm under attack
>
> Hello,
>
> here's the solution.
> Some people got it wrong. The IRC server is not mine, it was the
> destination of the packets. The source was shown as inside IPs.
>
> Because I was sure that IP spoofing was correctly configured, the problem
> must reside inside my internal net. Because the source cycles through all
> my internal IPs (whether a machine exists or not), I assumed that this
> must be a trojan on an internal machine which manipulates the IP data.
> I snooped one of these packets and took a look at it.
> IP source was one of my internal IPs, IP destination was the mentioned
> IRC server irc.arnes.si. Because the internal IP doesn't belong to any
> system, that must be faked. Now taking a look at the Ethernet header with
> the MAC address: destination was the firewall. That's OK, because the
> Ethernet destination should be the next router. The source was a Sun
> machine from a customer which resides in our internal net for project
> reasons. Took a quick look at some other packets. Again and again, the
> Ethernet source was this machine. So I got the devil.
> On the machine I found a program called /usr/sbin/in.lpda. This program
> needs a lot of CPU power. In my opinion this is not a usual OS program
> and so I killed it. And guess what, the packet storm stops right on the
> spot.
> I don't know since when this trojan was on the system and I don't even
> know how it was triggered.
> strings of the program results, besides some junk, in:
> strings in.lpda
> %d.%d.%d.%d
> ICMP
> tc: unknown host
> 3.3.3.3
> mservers
> randomsucks
> skillz
> lpsched
> in.telne
>
> Maybe I will take a closer look at it in the future. If someone is
> interested I could send the binary (it's round about 100KB).
>
> Some guys mentioned that this is a try to slow down the IRC server
> irc.arnes.si. I don't think so. The program cycles through all ports.
> This wouldn't make much sense if you want to kill the server. I guess
> that he/she just wants to know which ports are open from which machines
> in my internal net to the outside. That means that he/she has to control
> irc.arnes.si to get the information he/she wants.
>
> CU, Dirk.
>
> >
> > Hello,
> >
> > for a couple of minutes now I've been under an attack. I have never seen
> > this behaviour.
> > I have round about 50000 active connections. The destination for all of
> > these connections is irc.arnes.si (193.2.1.34). The source is an
> > internal IP. The internal IP is not one specific IP, it's changing all
> > over the whole subnet, even if no machine is assigned to this IP. And
> > not only the IPs cycle through all values, the ports do also.
> >
> > I'm sure that IP spoofing is correctly configured. The whole system has
> > worked for 2 years.
> >
> > Any idea how to stop it, what to change??
> >
> > Tia, Dirk.
> >
> > BTW. It's Firewall 4.0 under Solaris 2.6
>
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
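Added example, not part of the thread above: the check Dirk did by hand, as a script. Anti-spoofing on the firewall cannot tell you which host forged the internal source addresses, but on the local segment the Ethernet source address is not spoofed by a simple IP-level flooder, so grouping captured frames by source MAC and comparing each claimed IP against the known IP-to-MAC table points straight at the sending machine. The frames below are constructed: the internal net 192.168.1.0/24, the three MAC addresses, the ARP table and the port sequence are assumptions; only the destination 193.2.1.34 comes from the thread. On a real system you would feed it frames from snoop/tcpdump (e.g. via a pcap reader) instead of sample_capture().

```python
"""Attribute IP-spoofed packets to the real sender by Ethernet source MAC.
All frames and addresses in sample_capture() are constructed test data."""
import struct
from collections import defaultdict
from ipaddress import IPv4Address, IPv4Network

ETH_P_IP = 0x0800
IPPROTO_TCP = 6

# Assumed lab values (not from the thread): internal subnet and hosts.
INTERNAL = IPv4Network("192.168.1.0/24")
FIREWALL_MAC = "00:a0:c9:00:00:01"   # next hop for everything leaving the net
SUN_MAC = "08:00:20:aa:bb:cc"        # the customer's Sun box (the flooder)
WS_MAC = "00:50:da:11:22:33"         # a legitimate workstation
ARP_TABLE = {"192.168.1.10": SUN_MAC, "192.168.1.20": WS_MAC}
IRC_SERVER = "193.2.1.34"            # irc.arnes.si, as given in the thread


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, dst_port):
    """Minimal Ethernet II + IPv4 + TCP SYN frame (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 1024, dst_port, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + struct.pack("!H", ETH_P_IP))
    return eth + ip + tcp


def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, dst_port) or None for non-IPv4 frames."""
    if len(frame) < 14:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_IP:
        return None
    ip = frame[14:]
    if len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    ihl = (ip[0] & 0x0F) * 4
    src_ip, dst_ip = IPv4Address(ip[12:16]), IPv4Address(ip[16:20])
    dst_port = None
    if ip[9] == IPPROTO_TCP and len(ip) >= ihl + 4:
        _sport, dst_port = struct.unpack("!HH", ip[ihl:ihl + 4])
    return mac_str(src), src_ip, dst_ip, dst_port


def attribute_by_mac(frames, internal_net, arp_table):
    """Group frames with an internal source IP by Ethernet source address.
    Returns {mac: {"ips": set of claimed IPs, "ports": set of dst ports,
    "mismatches": frames whose claimed IP is not mapped to this MAC}}."""
    report = defaultdict(lambda: {"ips": set(), "ports": set(), "mismatches": 0})
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        mac, src_ip, _dst_ip, dst_port = parsed
        if src_ip not in internal_net:
            continue
        entry = report[mac]
        entry["ips"].add(str(src_ip))
        if dst_port is not None:
            entry["ports"].add(dst_port)
        if arp_table.get(str(src_ip)) != mac:
            entry["mismatches"] += 1
    return dict(report)


def suspects(report, min_ips=2):
    """MACs that claim several source IPs or an IP not assigned to them."""
    return sorted(mac for mac, e in report.items()
                  if len(e["ips"]) >= min_ips or e["mismatches"])


def sample_capture():
    """Constructed capture: one real IRC connection from the workstation, then
    the Sun box sending SYNs to the IRC server with every address in the /24
    as source and a different destination port each time."""
    frames = [build_frame(WS_MAC, FIREWALL_MAC, "192.168.1.20", IRC_SERVER, 6667)]
    for i, host in enumerate(INTERNAL.hosts()):
        port = 1 + (i * 7919) % 65535
        frames.append(build_frame(SUN_MAC, FIREWALL_MAC, str(host), IRC_SERVER, port))
    return frames


if __name__ == "__main__":
    rep = attribute_by_mac(sample_capture(), INTERNAL, ARP_TABLE)
    for mac in suspects(rep):
        e = rep[mac]
        print(f"{mac}: {len(e['ips'])} source IPs, {len(e['ports'])} ports, "
              f"{e['mismatches']} ARP mismatches")
```

The mismatch counter is the decisive signal: a host that is the real owner of its IP produces zero mismatches, while a flooder cycling through the subnet produces one for every address it borrows, even if it happens to use its own address once. Source-MAC attribution only works for frames the capture point sees on the same segment; once the firewall forwards the packets, the Ethernet source becomes the firewall's own address, which is why the capture has to be taken on the inside interface.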