well, according to what you said..

Source                                   Dest
my.schools.name.server.Ithink:20375      me.athome.on.XP:26219
me.athome.on.XP:1667                     some.atl.addr.31:80
some.atl.addr.31:80                      me.athome.on.XP:1666
me.athome.on.Debian:3744                 schools.server.addr:80
different.schools.server.addr:80         me.athome.on.Debian:3745

that looks like normal traffic.

you (high port) -> server (tcp port 80)       request for some webpage
server (tcp port 80) -> you (some high port)  the server's response

you need to find out what's doing it.. do a top and see what's eating
the most cpu.. probably some little shell script or c program that's
just attacking. if it's still happening.

regards,
jason

On Tue, Jan 23, 2007 at 06:23:49PM -0500, MG wrote:
> I had a look, but don't know what to look for. Looks like a lot of
> heavy googling ahead.
>
> MG
>
> [EMAIL PROTECTED] wrote:
> > Looks like someone is using you to attack those sites' webservers..
> > they probably dropped some little scriptie in your /tmp that's doing this.
> > look in your process tree and look in /tmp and see if you can find
> > anything.
> >
> > Jason
> >
> > On Sun, Jan 21, 2007 at 08:15:20PM -0500, MG wrote:
> >> [EMAIL PROTECTED] wrote:
> >>> we need more details. are you by any chance using your school's DNS
> >>> server for DNS?
> >>
> >> Just checked back again - sorry about the delay. Not that I know of -
> >> the router address is specified in the DNS tab in the network settings
> >> utility, so I think it's using RoadRunner supplied DNSs.
> >>
> >>> SYN from where? to where? what port(s)?
> >>
> >> This is the event log:
> >>
> >> Description           Count  Last Occurrence           Target                            Source
> >> IP Fragmented Packet  4      FRI JAN 19 14:23:49 2007  me.athome.on.XP:26219             my.schools.name.server.Ithink:20375
> >> LAN-side SYN Flood    1      FRI JAN 19 15:26:29 2007  some.atl.addr.31:80               me.athome.on.XP:1667
> >> SYN Flood             1      FRI JAN 19 15:26:29 2007  me.athome.on.XP:1666              some.atl.addr.31:80
> >> LAN-side SYN Flood    1      FRI JAN 19 17:13:27 2007  different.schools.server.addr:80  me.athome.on.Debian:3744
> >> SYN Flood             1      FRI JAN 19 17:13:27 2007  me.athome.on.Debian:3745          different.schools.server.addr:80
> >> LAN-side SYN Flood    6      FRI JAN 19 17:13:42 2007  different.schools.server.addr:80  me.athome.on.Debian:3753
> >>
> >>> etc.
> >>>
> >>> Jason
> >>
> >> I had the XP and Debian boxes up originally, then when I noticed this
> >> going on, took the XP off the network and it jumped to the Debian box.
> >>
> >> Today, it's just 124 IP Fragmented Packets from my school's server to my
> >> XP box.
> >>
> >> Thanks -
> >>
> >> MG
> >>
> >>> On Fri, Jan 19, 2007 at 11:01:57PM -0500, MG wrote:
> >>>> Hello, all,
> >>>>
> >>>> I'm new here <waves> and just came across something fairly scary. My
> >>>> home router shows something called an IP Fragmented Packet *from my
> >>>> school's DNS server*, then there's a series of LAN-side SYN Flood, then
> >>>> just plain SYN Flood, events to and from my [innocent, I swear!]
> >>>> router's IP to some address in Atlanta, back from Atlanta, then to a
> >>>> rival school's IP address here.
> >>>>
> >>>> My systems are XP and Debian 2.6 - when I shut down the XP, it jumped
> >>>> to the Debian. Can anyone clue me into wth's going on?
> >>>>
> >>>> Many thanks -
> >>>>
> >>>> MG
> >>>> --
> >>>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> >>>> TriLUG Organizational FAQ : http://trilug.org/faq/
> >>>> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/

--
================================================
| Jason Welsh [EMAIL PROTECTED]                |
| http://monsterjam.org DSS PGP: 0x5E30CC98    |
| gpg key: http://monsterjam.org/gpg/          |
================================================
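The hunt Jason describes (top, the process tree, /tmp) can be made concrete on the Debian box. The script below is an added example, not code from the thread or from any of its participants. It parses a /proc/net/tcp-style listing for outbound connections to TCP port 80 that are stuck in SYN_SENT (kernel state 02, the half-open state that a burst of SYNs with no completed handshake leaves behind, which is what the router is logging as "LAN-side SYN Flood"), then maps each socket inode to its owning PID and executable by scanning /proc/<pid>/fd. A constructed sample listing is embedded so it runs offline; the addresses in it are made up and the port-80 peer is not any host from the thread.

```sh
#!/bin/sh
# Added example (not from the thread). Finds half-open (SYN_SENT) outbound
# TCP connections to a given port in /proc/net/tcp format and maps their
# socket inodes to the owning process. Needs only sh, awk and readlink.

# Constructed sample in /proc/net/tcp layout: addresses are little-endian hex
# IPv4 ":" hex port; "st" 02 = SYN_SENT, 01 = ESTABLISHED, 0A = LISTEN.
# 1F00A8C0:0050 is 192.168.0.31:80; 0101A8C0 is 192.168.1.1 (the local box).
SAMPLE_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0101A8C0:0EA0 1F00A8C0:0050 02 00000001:00000000 01:00000014 00000001  1000        0 54321 2 0000000000000000 100 0 0 10 -1
   2: 0101A8C0:0EA1 1F00A8C0:0050 02 00000001:00000000 01:00000014 00000001  1000        0 54322 2 0000000000000000 100 0 0 10 -1
   3: 0101A8C0:0EA9 0200A8C0:0016 01 00000000:00000000 00:00000000 00000000  1000        0 54400 1 0000000000000000 20 4 30 10 -1'

# syn_sent_to_port PORT   (reads /proc/net/tcp text on stdin)
# Prints "inode remote_ip:port" for every SYN_SENT socket whose peer port is PORT.
syn_sent_to_port() {
  awk -v port="$1" '
    # Portable hex -> decimal (gawk has strtonum, mawk/busybox awk do not).
    function hex2dec(h,   i, v) {
      v = 0; h = toupper(h)
      for (i = 1; i <= length(h); i++)
        v = v * 16 + index("0123456789ABCDEF", substr(h, i, 1)) - 1
      return v
    }
    # /proc/net/tcp stores IPv4 in host (little-endian) byte order, so the
    # last hex byte is the first dotted-quad octet.
    function hexip(h) {
      return hex2dec(substr(h, 7, 2)) "." hex2dec(substr(h, 5, 2)) "." hex2dec(substr(h, 3, 2)) "." hex2dec(substr(h, 1, 2))
    }
    # Fields: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
    NR > 1 && $4 == "02" {
      split($3, r, ":")
      if (hex2dec(r[2]) == port) print $10, hexip(r[1]) ":" hex2dec(r[2])
    }'
}

# pid_for_inode INODE
# Walks /proc/<pid>/fd looking for the symlink "socket:[INODE]" and prints
# "pid exe" for the owner. Run as root to see other users' descriptors.
pid_for_inode() {
  for fd in /proc/[0-9]*/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
    pid=${fd#/proc/}; pid=${pid%%/*}
    echo "$pid $(readlink "/proc/$pid/exe" 2>/dev/null)"
  done
}

# Demo on the constructed sample; on a live box feed it "cat /proc/net/tcp".
printf '%s\n' "$SAMPLE_TCP" | syn_sent_to_port 80 | while read -r inode peer; do
  echo "SYN_SENT to $peer from socket inode $inode"
  pid_for_inode "$inode"
done
```

On the sample this reports two SYN_SENT sockets (inodes 54321 and 54322) to 192.168.0.31:80 and ignores the established ssh session. On a real host, `cat /proc/net/tcp | syn_sent_to_port 80` run a few times in a row, with the inode-to-PID step resolving to something living under /tmp, is the smoking gun; `netstat -antp` as root gives the same socket-to-process mapping in one shot, and /proc/net/tcp6 needs a separate pass if the box has IPv6. The interesting part of the thread's evidence is that the router logged the same high-port-to-:80 pattern from the Debian box right after the XP box went offline, so the check is worth running on both.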
