Looks like a trin00 server is what's going on, Thomas. 

Check http://staff.washington.edu/dittrich/misc/trinoo.analysis for more
information.

Communication ports typically are:

Attacker to Master(s):      27665/tcp
Master to daemon(s):        27444/udp
Daemon to Master(s):        31335/udp

As a quick workaround, you may want to block those ports until you
investigate your machine thoroughly.

Nikki

At 03:16 PM 04/07/2000, you wrote:
>In a nutshell...  What the heck is going on here?!
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>tcdump from last night (tcdump -ippp0) - All machines on the internal net
>turned OFF:
>
>21:40:21.010000 classifieds2000.com.http > ##MY.MACHINE##.62267: R
>2140746213:2140746213(0) win 0 (DF)
>21:40:21.010000 ##MY.MACHINE##.1774 > ns2.dns.rcn.net.domain: 11760+ (42)
>21:40:21.360000 ns2.dns.rcn.net.domain > ##MY.MACHINE##.1774: 11760* 1/4/4
>(246) (DF)
>21:40:21.360000 ##MY.MACHINE##.1776 > ns2.dns.rcn.net.domain: 11761+ (42)
>21:40:21.580000 ns2.dns.rcn.net.domain > ##MY.MACHINE##.1776: 11761 1/3/3
>(221) (DF)
>
>21:48:17.940000 165.113.216.6.52501 > ##MY.MACHINE##.27444: udp 11 (DF)
>21:48:17.940000 ##MY.MACHINE##.1777 > 165.113.216.6.31335: udp 4
>21:48:17.940000 ##MY.MACHINE##.1778 > ns2.dns.rcn.net.domain: 11762+ (44)
>21:48:18.260000 ns2.dns.rcn.net.domain > ##MY.MACHINE##.1778: 11762
>NXDomain* 0/1/0 (112) (DF)
>21:51:12.230000 165.113.216.6.52502 > ##MY.MACHINE##.27444: udp 11 (DF)
>21:51:12.230000 ##MY.MACHINE##.1779 > 165.113.216.6.31335: udp 4
>
>21:51:59.340000 165.113.216.6.52504 > ##MY.MACHINE##.27444: udp 16 (DF)
>21:52:04.660000 165.113.216.6.52505 > ##MY.MACHINE##.27444: udp 25 (DF)
>
>22:11:36.720000 165.113.216.6.52507 > ##MY.MACHINE##.27444: udp 15 (DF)
>
>22:11:43.980000 165.113.216.6.52508 > ##MY.MACHINE##.27444: udp 15 (DF)
>
>22:16:51.040000 165.113.216.6.52509 > ##MY.MACHINE##.27444: udp 11 (DF)
>22:18:58.030000 165.113.216.6.52510 > ##MY.MACHINE##.27444: udp 11 (DF)
>
>22:22:46.060000 165.113.216.6.52511 > ##MY.MACHINE##.27444: udp 11 (DF)
>22:22:58.270000 165.113.216.6.52514 > ##MY.MACHINE##.27444: udp 25 (DF)
>22:26:30.900000 165.113.216.6.52515 > ##MY.MACHINE##.27444: udp 11 (DF)
>
>22:28:17.000000 ##MY.MACHINE##.1780 > 165.113.216.6.31335: udp 4
>22:28:17.000000 ##MY.MACHINE##.1781 > 165.113.216.6.31335: udp 4
>22:28:17.000000 ##MY.MACHINE##.1782 > 165.113.216.6.31335: udp 4
>
>22:31:38.000000 ##MY.MACHINE##.1783 > 165.113.216.6.31335: udp 4
>
>23:03:51.930000 165.113.216.6.52517 > ##MY.MACHINE##.27444: udp 11 (DF)
>23:03:51.930000 ##MY.MACHINE##.1784 > 165.113.216.6.31335: udp 4
>23:03:53.940000 165.113.216.6.52518 > ##MY.MACHINE##.27444: udp 11 (DF)
>23:03:57.010000 165.113.216.6.52519 > ##MY.MACHINE##.27444: udp 15 (DF)
>23:04:45.040000 165.113.216.6.52520 > ##MY.MACHINE##.27444: udp 61 (DF)
>
>23:21:04.330000 165.113.216.6.52521 > ##MY.MACHINE##.27444: udp 11 (DF)
>23:21:07.210000 165.113.216.6.52522 > ##MY.MACHINE##.27444: udp 15 (DF)
>23:21:07.870000 165.113.216.6.52523 > ##MY.MACHINE##.27444: udp 23 (DF)
>
>23:30:01.190000 165.113.216.6.52524 > ##MY.MACHINE##.27444: udp 11 (DF)
>23:30:01.190000 ##MY.MACHINE##.1785 > 165.113.216.6.31335: udp 4
>23:30:08.820000 165.113.216.6.52526 > ##MY.MACHINE##.27444: udp 15 (DF)
>
>23:45:08.290000 165.113.216.6.52530 > ##MY.MACHINE##.27444: udp 15 (DF)
>
>01:06:04.860000 165.113.216.6.52537 > ##MY.MACHINE##.27444: udp 11 (DF)
>01:06:07.430000 165.113.216.6.52538 > ##MY.MACHINE##.27444: udp 16 (DF)
>01:06:09.950000 165.113.216.6.52539 > ##MY.MACHINE##.27444: udp 26 (DF)
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>Related parts of my logs:
>
>Apr  6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP
>193.26.175.63:34277 209.67.45.225:13009 L=40 S=0x08 I=54333 F=0x0000 T=255
>Apr  6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP
>152.227.250.6:34533 209.67.45.225:50856 L=40 S=0x08 I=54589 F=0x0000 T=255
>Apr  6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP
>212.138.249.60:34789 209.67.45.225:552 L=40 S=0x08 I=54845 F=0x0000 T=255
>.
>.
>.
>Apr  6 22:07:55 tomii-gate kernel: IP fw-out deny ppp0 TCP 46.7.71.7:50521
>209.67.45.225:17926 L=40 S=0x08 I=5298 F=0x0000 T=255
>Apr  6 22:07:55 tomii-gate kernel: IP fw-out deny ppp0 TCP
>72.28.202.58:50777 209.67.45.225:45 fw-out deny ppp0 TCP
>215.165.249.95:48932 209.67.45.225:52711 L=40 S=0x08 I=3709 F=0x0000 T=255
>.
>.
>.
>Apr  6 22:31:44 tomii-gate kernel: IP fw-out deny ppp0 TCP
>91.86.116.82:19139 154.11.89.164:3888 L=40 S=0x08 I=46375 F=0x0000 T=255
>Apr  6 22:31:45 tomii-gate kernel: IP fw-out deny ppp0 TCP
>230.7.181.106:19395 154.11.89.164:23482 L=40 S=0x08 I=46631 F=0x0000 T=255
>.
>.
>.
>Apr  6 23:04:45 tomii-gate kernel: IP fw-out deny ppp0 TCP
>212.218.143.80:7264 62.236.92.186:11648 L=40 S=0x08 I=40912 F=0x0000 T=255
>Apr  6 23:04:45 tomii-gate kernel: IP fw-out deny ppp0 TCP
>21.210.177.114:36222 199.174.197.117:51372 L=40 S=0x08 I=1752 F=0x0000 T=255
>.
>.
>.
>Apr  6 23:14:51 tomii-gate kernel: IP fw-out deny ppp0 TCP
>102.241.197.103:34790 129.116.18.120:17040 L=40 S=0x08 I=11762 F=0x0000
>T=255
>Apr  6 23:14:51 tomii-gate kernel: IP fw-out deny ppp0 TCP 224.155.34.51:172
>62.236.92.186:46889 L=40 S=0x08 I=5203 F=0x0000 T=255
>.
>.
>.
>Apr  6 23:28:45 tomii-gate kernel: IP fw-out deny ppp0 TCP
>150.169.177.45:19214 24.141.1.55:17985 L=40 S=0x08 I=46985 F=0x0000 T=255
>Apr  6 23:28:45 tomii-gate kernel: IP fw-out deny ppp0 TCP
>238.31.244.59:19470 24.141.1.55:7161 L=40 S=0x08 I=47241 F=0x0000 T=255
>Apr  7 01:06:10 tomii-gate kernel: IP fw-out deny ppp0 TCP
>35.128.116.121:49889 129.111.249.53:9837 L=40 S=0x08 I=12673 F=0x0000 T=255
>Apr  7 01:06:10 tomii-gate kernel: IP fw-out deny ppp0 TCP
>212.104.245.43:50145 129.111.249.53:16172 L=40 S=0x08 I=12929 F=0x0000 T=255
>Apr  7 01:06:10 tomii-gate kernel: IP fw-out deny ppp0 TCP
>195.16.60.120:50401 129.111.249.53:35045 L=40 S=0x08 I=13185 F=0x0000 T=255
>.
>.
>.
>Apr  7 01:22:57 tomii-gate kernel: IP fw-out deny ppp0 TCP
>70.41.138.30:49428 129.111.249.53:39115 L=40 S=0x08 I=12468 F=0x0000 T=255
>Apr  7 01:22:57 tomii-gate kernel: IP fw-out deny ppp0 TCP
>139.222.87.115:49684 129.111.249.53:11940 L=40 S=0x08 I=12724 F=0x0000 T=255
>
>
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>Traceroute output:
>
>[root@tomii-gate /root]# traceroute -ippp0 165.113.216.6
>traceroute to 165.113.216.6 (165.113.216.6), 30 hops max, 40 byte packets
> 1  as4.anp.md.rcn.net (10.65.34.14)  444.075 ms  549.621 ms  389.890 ms
> 2  fe0-0-0.core1.anp.md.rcn.net (10.65.34.1)  239.821 ms  309.810 ms
>399.957 ms
> 3  poet0-0-1.core1.col.md.rcn.net (207.172.9.197)  299.799 ms  569.799 ms
>419.907 ms
> 4  poet6-0-0.core1.blb.md.rcn.net (207.172.19.170)  629.828 ms  309.800 ms
>389.895 ms
> 5  poet1-0-0.core1.blba.md.rcn.net (207.172.9.53)  659.849 ms  569.777 ms
>379.830 ms
> 6  poet4-0-1.core1.dcb.dc.rcn.net (207.172.9.49)  269.858 ms
>poet5-1-0.core1.dcb.dc.rcn.net (207.172.19.178)  309.767 ms
>poet4-1-0.core1.dcb.dc.rcn.net (207.17
>2.19.218)  509.764 ms
> 7  pos1-1-0.border1.tcob.va.rcn.net (207.172.19.249)  519.685 ms  579.809
>ms  389.905 ms
> 8  ge3-0-0.core1.tco.va.rcn.net (207.172.19.213)  389.821 ms  680.031 ms
>669.662 ms
> 9  fe1-1-0.border1.tco.va.rcn.net (207.172.9.230)  609.829 ms  569.745 ms
>469.894 ms
>10  mae-e-1.e0.crl.com (192.41.177.104)  569.879 ms  439.767 ms  640.375 ms
>11  careerblazer.atm-e.us.crl.net (165.113.99.37)  649.369 ms  390.484 ms
>659.205 ms
>12  165.113.216.6 (165.113.216.6)  379.852 ms  649.748 ms *
>
>
>~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>My firewall script:
>
>ipfwadm -I -f
>ipfwadm -I -p deny
>ipfwadm -I -a accept -V 192.168.68.1 -S 192.168.0.0/16 -D 0.0.0.0/0
>ipfwadm -I -a deny -V ##MY.MACHINE.IP.ADDR## -S 192.168.0.0/16 -D 0.0.0.0/0 -o
>ipfwadm -I -a accept -V ##MY.MACHINE.IP.ADDR## -S 0.0.0.0/0 -D ##MY.MACHINE.IP.ADDR##/32
>ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
># ??
>ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
>
>ipfwadm -O -f
>ipfwadm -O -p deny
>ipfwadm -O -a accept -V 192.168.68.1 -S 0.0.0.0/0 -D 192.168.0.0/16
>ipfwadm -O -a deny -V ##MY.MACHINE.IP.ADDR## -S 0.0.0.0/0 -D 192.168.0.0/16 -o
>ipfwadm -O -a deny -V ##MY.MACHINE.IP.ADDR## -S 192.168.0.0/16 -D 0.0.0.0/0 -o
>ipfwadm -O -a deny -V ##MY.MACHINE.IP.ADDR## -S 0.0.0.0/0 -D 192.168.0.0/16 -o
>ipfwadm -O -a accept -V ##MY.MACHINE.IP.ADDR## -S ##MY.MACHINE.IP.ADDR## -D 0.0.0.0/0
>ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
>ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
>
>ipfwadm -F -f
>ipfwadm -F -p deny
>ipfwadm -F -a masquerade -W ppp0 -S 192.168.0.0/16 -D 0.0.0.0/0
>ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
>
>#ipfwadm -F -p deny
>#ipfwadm -F -a m -S 192.168.68.0/24 -D 0.0.0.0/0
>
>
>-- 
>To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
>as the Subject.
>
