dfox wrote:
| Greets *
|
| I came home today to my box noticing that a large number of httpd
| processes were being spawned (this isn't a server, at least not really),
| and for the last hours or so my box is real slow when it comes to
| using the net.
|
| I'm on a DSL line and am getting some errors connecting to sites
| and such. I installed tcpdump and am getting lines like:
|
| 17:57:50.710986 210.95.36.130.4156 > m206-157.dsl.tsoft.com.4156: udp 41 (DF)
| 17:57:50.711030 m206-157.dsl.tsoft.com > 210.95.36.130: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
| 17:57:50.737316 158.182.6.120.4156 > m206-157.dsl.tsoft.com.4156: udp 41 (DF)
| 17:57:50.737361 m206-157.dsl.tsoft.com > 158.182.6.120: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
| 17:57:50.742490
|
| How can I fix this? If it's a "ping storm" how do I stop it? I figure
| it has something to do with iptables but I'm a real newbie where this
| type of thing is concerned. After looking at tcpdump for a few minutes
| it is not apparent that a single site is trying to connect, but
| a large number of different sites. They all have one thing in common,
| though, this port 4156.
|
| I also noticed when looking in /var/log a couple of lines that look
| specifically like break-in attempts within the last week...
|
| Sep 16 19:17:04 m206-157 rpc.statd[1008]: gethostbyname error for ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ
| ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n
| \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
| etc... that is very suspicious - that looks like an exploit.
|
| Between 9/16 and today nothing suspicious; there is always the lone
| ftp or nntp attempt but they fail and it doesn't impact performance.
| But today, it's like someone is flood pinging my device - the net
| lights are constantly on.
|
| I also saw this today:
|
| Sep 21 10:03:59 m206-157 kernel: Neighbour table overflow.
| Sep 21 10:03:59 m206-157 last message repeated 9 times
| Sep 21 10:04:04 m206-157 kernel: NET: 3050 messages suppressed.
| Sep 21 10:04:04 m206-157 kernel: Neighbour table overflow.
| Sep 21 10:04:09 m206-157 kernel: NET: 8192 messages suppressed.
| Sep 21 10:04:09 m206-157 kernel: Neighbour table overflow.
| Sep 21 10:04:14 m206-157 kernel: NET: 7009 messages suppressed.
| Sep 21 10:04:14 m206-157 kernel: Neighbour table overflow.
|
| ------------------------------------------------------------------------
|
| Want to buy your Pack or Services from MandrakeSoft?
| Go to http://www.mandrakestore.com

If your machine is reasonably current (300 MHz or faster, 128MB+ RAM), then I would have to suspect a distributed attack via a virus or worm. Due to the volume, I'd bet Windows. I suggest you look up a subset of that string with someone like McAfee.
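The two things dfox is looking at (many different sources all hitting UDP port 4156, and an rpc.statd log line full of `%8x`/`%n` and `\220` bytes) can both be picked out mechanically. The following is an added example, not code from the thread: it parses tcpdump lines in the format quoted above, groups inbound UDP by destination port to show how many distinct sources hit each one, and flags syslog lines carrying the format-string and NOP-sled markers seen in the rpc.statd message. The sample input is constructed from the thread's lines plus a few made-up hosts (10.0.0.x) so the counts are visible.

```python
import re
from collections import defaultdict

# Constructed sample: the first four lines are the ones quoted in the thread,
# the 10.0.0.x lines are made up to give more than one port to compare.
SAMPLE_TCPDUMP = """\
17:57:50.710986 210.95.36.130.4156 > m206-157.dsl.tsoft.com.4156: udp 41 (DF)
17:57:50.711030 m206-157.dsl.tsoft.com > 210.95.36.130: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
17:57:50.737316 158.182.6.120.4156 > m206-157.dsl.tsoft.com.4156: udp 41 (DF)
17:57:50.737361 m206-157.dsl.tsoft.com > 158.182.6.120: icmp: m206-157.dsl.tsoft.com udp port 4156 unreachable [tos 0xc0]
17:57:50.742490 10.0.0.7.4156 > m206-157.dsl.tsoft.com.4156: udp 41 (DF)
17:57:51.100000 10.0.0.8.53 > m206-157.dsl.tsoft.com.1025: udp 60
"""

# Constructed syslog line in the shape of the rpc.statd message (payload shortened);
# raw string so the octal escapes syslog writes stay as literal backslashes.
SAMPLE_SYSLOG = (r"Sep 16 19:17:04 m206-157 rpc.statd[1008]: gethostbyname error for "
                 r"%8x%8x%8x%8x%236x%n%137x%n\220\220\220\220\220\220\220\220\220\220")

# Old tcpdump format: "HH:MM:SS.usec srchost.sport > dsthost.dport: udp LEN".
# Backtracking on \S+ leaves the last dotted field as the port.
UDP_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>\S+)\.(?P<sport>\d+) > "
                    r"(?P<dst>\S+)\.(?P<dport>\d+): udp (?P<len>\d+)")

# Runs of %Nx specifiers, any %n, or a run of \220 (0x90 NOP) bytes in a hostname field.
FMT_STRING_RE = re.compile(r"(%\d*x){4,}|%n|(\\220){8,}")


def summarize_udp(lines):
    """Per destination port: packet count and the set of distinct source hosts.
    ICMP 'port unreachable' replies do not match UDP_RE and are skipped."""
    by_port = defaultdict(lambda: {"packets": 0, "sources": set()})
    for line in lines:
        m = UDP_RE.match(line)
        if not m:
            continue
        entry = by_port[int(m["dport"])]
        entry["packets"] += 1
        entry["sources"].add(m["src"])
    return dict(by_port)


def flood_ports(lines, min_sources=2):
    """Ports hit by at least min_sources distinct hosts: one port, many sources is the
    distributed pattern dfox describes, as opposed to a single noisy peer."""
    return sorted(p for p, e in summarize_udp(lines).items()
                  if len(e["sources"]) >= min_sources)


def looks_like_format_string_attack(syslog_line):
    """True when a log line carries the %x/%n/NOP-sled markers of a format-string payload."""
    return bool(FMT_STRING_RE.search(syslog_line))
```

Running `flood_ports` over a longer capture gives the port list to block at the firewall (UDP to 4156 here), and the syslog check is cheap enough to run over all of /var/log/messages rather than eyeballing it.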