I had a look, but don't know what to look for. Looks like a lot of
heavy googling ahead.
MG
[EMAIL PROTECTED] wrote:
Looks like someone is using you to attack those sites' webservers.
They probably dropped some little scriptie in your /tmp that's doing this.
Look in your process tree and look in /tmp and see if you can find anything.
Jason
On Sun, Jan 21, 2007 at 08:15:20PM -0500, MG wrote:
[EMAIL PROTECTED] wrote:
We need more details. Are you by any chance using your school's DNS server
for DNS?
Just checked back again - sorry about the delay. Not that I know of -
the router address is specified in the DNS tab in the network settings
utility, so I think it's using RoadRunner supplied DNSs.
SYN from where? To where? What port(s)?
This is the event log:
Description           Count  Last Occurence            Target                            Source
IP Fragmented Packet  4      FRI JAN 19 14:23:49 2007  me.athome.on.XP:26219             my.schools.name.server.Ithink:20375
LAN-side SYN Flood    1      FRI JAN 19 15:26:29 2007  some.atl.addr.31:80               me.athome.on.XP:1667
SYN Flood             1      FRI JAN 19 15:26:29 2007  me.athome.on.XP:1666              some.atl.addr.31:80
LAN-side SYN Flood    1      FRI JAN 19 17:13:27 2007  different.schools.server.addr:80  me.athome.on.Debian:3744
SYN Flood             1      FRI JAN 19 17:13:27 2007  me.athome.on.Debian:3745          different.schools.server.addr:80
LAN-side SYN Flood    6      FRI JAN 19 17:13:42 2007  different.schools.server.addr:80  me.athome.on.Debian:3753
etc.
Jason
I had the XP and Debian boxes up originally, then when I noticed this
going on, took the XP off the network and it jumped to the Debian box.
Today, it's just 124 IP Fragmented Packets from my school's server to my
XP box.
Thanks -
MG
On Fri, Jan 19, 2007 at 11:01:57PM -0500, MG wrote:
Hello, all,
I'm new here <waves> and just came across something fairly scary. My
home router shows something called an IP Fragmented Packet *from my
school's DNS server*, then there's a series of LAN-side SYN Flood, then
just plain SYN Flood, events to and from my [innocent, I swear!]
router's IP to some address in Atlanta, back from Atlanta, then to a
rival school's IP address here.
My systems are XP and Debian 2.6 - when I shut down the XP, it jumped to
the Debian. Can anyone clue me into wth's going on?
Many thanks -
MG
--
TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
TriLUG Organizational FAQ : http://trilug.org/faq/
TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
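
Jason's suggestion to check the process tree and /tmp, sketched as an added example that is not part of the original thread: it counts outbound TCP sockets stuck in SYN_SENT per destination and lists processes whose binary lives under /tmp. It assumes a little-endian Linux host with /proc and IPv4 only; the function names and the SAMPLE table (documentation-range addresses) are constructed for illustration.

```python
#!/usr/bin/env python3
"""Triage helper (added example): half-open outbound TCP and binaries run from /tmp."""
import glob, os, socket, struct
from collections import Counter

SYN_SENT = "02"  # state code the kernel prints in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout; not taken from the thread.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A00000A:0EA0 0A0200C0:0050 02 00000001:00000000 01:00000064 00000002  1000 0 0
   1: 0A00000A:0EA1 0A0200C0:0050 02 00000001:00000000 01:00000064 00000002  1000 0 0
   2: 0A00000A:0EA9 0A0200C0:0050 02 00000001:00000000 01:00000064 00000002  1000 0 0
   3: 0A00000A:8F2C 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000 0 4711
"""

def decode(endpoint):
    """Turn '0A0200C0:0050' into ('192.0.2.10', 80); address bytes are little-endian."""
    addr, port = endpoint.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)

def half_open_by_destination(table_text):
    """Count sockets waiting for a SYN-ACK, grouped by remote (ip, port)."""
    counts = Counter()
    for line in table_text.splitlines()[1:]:        # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[3] == SYN_SENT:
            counts[decode(fields[2])] += 1
    return counts

def processes_running_from(prefix="/tmp/"):
    """Return [(pid, exe)] for binaries under prefix or deleted after start."""
    hits = []
    for link in glob.glob("/proc/[0-9]*/exe"):
        try:
            exe = os.readlink(link)
        except OSError:      # kernel thread, or another user's process without root
            continue
        if exe.startswith(prefix) or exe.endswith(" (deleted)"):
            hits.append((int(link.split("/")[2]), exe))
    return hits

if __name__ == "__main__":
    path = "/proc/net/tcp"
    text = open(path).read() if os.path.exists(path) else SAMPLE
    for (ip, port), n in half_open_by_destination(text).most_common():
        print(f"{n:4d} half-open -> {ip}:{port}")
    for pid, exe in processes_running_from():
        print(f"pid {pid} runs {exe}")
```

A script dropped in /tmp shows its interpreter as the exe, so also check /proc/PID/cmdline and /proc/PID/cwd for suspicious PIDs; a "(deleted)" hit can also be a binary replaced by a package upgrade.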