Hi. I have a strange problem. I have an RH9 machine that I've been using to test OpenNMS. I believe my problem is related to OpenNMS but I can't get an answer on their list. Hoping someone here might have some ideas.

The following services are NOT started up on boot:

Tomcat4
Postgresql
OpenNMS

If I run Ethereal I see a whole bunch of ICMP attempts. What's weird, and I guess good, is that all say destination unreachable, even though they should be reachable. I can't figure out what process is doing all these ICMP requests. It's doubtful that this machine is compromised being on an internal private net, but anything is possible. I ran a chkrootkit and everything looks ok from there.

I first noticed this problem when restarting OpenNMS. When it is initially running I don't seem to have the problem, but if I stop it, or even just restart it, the problem starts again.

My current running processes are listed below. I haven't noticed anything out of the ordinary in the logs.

Any suggestions?

Thanks,
James

[EMAIL PROTECTED] chkrootkit-0.42b]# ps -ef
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 08:26 ?        00:00:04 init
root         2     1  0 08:26 ?        00:00:00 [keventd]
root         3     1  0 08:26 ?        00:00:00 [kapmd]
root         4     1  0 08:26 ?        00:00:00 [ksoftirqd_CPU0]
root         9     1  0 08:26 ?        00:00:00 [bdflush]
root         5     1  0 08:26 ?        00:00:00 [kswapd]
root         6     1  0 08:26 ?        00:00:00 [kscand/DMA]
root         7     1  0 08:26 ?        00:00:00 [kscand/Normal]
root         8     1  0 08:26 ?        00:00:02 [kscand/HighMem]
root        10     1  0 08:26 ?        00:00:00 [kupdated]
root        11     1  0 08:26 ?        00:00:00 [mdrecoveryd]
root        15     1  0 08:26 ?        00:00:00 [kjournald]
root        73     1  0 08:26 ?        00:00:00 [khubd]
root      2796     1  0 08:26 ?        00:00:00 [kjournald]
root      3092     1  0 08:27 ?        00:00:00 syslogd -m 0
root      3096     1  0 08:27 ?        00:00:00 klogd -x
rpc       3114     1  0 08:27 ?        00:00:00 [portmap]
root      3202     1  0 08:27 ?        00:00:00 /usr/sbin/sshd
root      3217     1  0 08:27 ?        00:00:00 xinetd -stayalive -pidfile /var/run/xinetd.pid
ntp       3234     1  0 08:27 ?        00:00:00 [ntpd]
root      3243     1  0 08:27 ?        00:00:00 gpm -t ps/2 -m /dev/mouse
root      3252     1  0 08:27 ?        00:00:00 crond
xfs       3323     1  0 08:27 ?        00:00:00 [xfs]
daemon    3341     1  0 08:27 ?        00:00:00 [atd]
root      3353     1  0 08:27 ?        00:00:00 smbd -D
root      3357     1  0 08:27 ?        00:00:00 nmbd -D
root      3364     1  0 08:27 ?        00:00:00 /usr/bin/perl /usr/libexec/webmin/miniserv.pl /etc/webmin/miniserv.conf
root      3367     1  0 08:27 tty1     00:00:00 /sbin/mingetty tty1
root      3368     1  0 08:27 tty2     00:00:00 /sbin/mingetty tty2
root      3369     1  0 08:27 tty3     00:00:00 /sbin/mingetty tty3
root      3370     1  0 08:27 tty4     00:00:00 /sbin/mingetty tty4
root      3371     1  0 08:27 tty5     00:00:00 /sbin/mingetty tty5
root      3372     1  0 08:27 tty6     00:00:00 /sbin/mingetty tty6
root      3373     1  0 08:27 ?        00:00:00 [gdm-binary]
root      3418  3373  0 08:27 ?        00:00:00 [gdm-binary]
root      3419  3418  0 08:27 ?        00:00:21 /usr/X11R6/bin/X :0 -auth /var/gdm/:0.Xauth vt7
root      3428  3418  0 08:33 ?        00:00:00 /usr/bin/gnome-session
root      3488  3428  0 08:33 ?        00:00:00 /usr/bin/ssh-agent /etc/X11/xinit/Xclients
root      3499     1  0 08:33 ?        00:00:01 /usr/libexec/gconfd-2 11
root      3501     1  0 08:33 ?        00:00:00 /usr/libexec/bonobo-activation-server --ac-activate --ior-output-fd=16
root      3505     1  0 08:33 ?        00:00:00 gnome-settings-daemon --oaf-activate-iid=OAFIID:GNOME_SettingsDaemon --o
root      3512  3217  0 08:33 ?        00:00:00 [fam]
root      3519     1  0 08:33 ?        00:00:03 gnome-panel --sm-client-id default2
root      3521     1  0 08:33 ?        00:00:02 nautilus --no-default-window --sm-client-id default3
root      3523     1  0 08:33 ?        00:00:00 magicdev --sm-client-id default4
root      3526     1  0 08:33 ?        00:00:00 eggcups --sm-client-id default6
root      3528     1  0 08:33 ?        00:00:00 pam-panel-icon --sm-client-id default0
root      3531  3528  0 08:33 ?        00:00:00 /sbin/pam_timestamp_check -d root
root      3537     1  0 08:33 ?        00:00:00 /usr/libexec/notification-area-applet --oaf-activate-iid=OAFIID:GNOME_No
root      3539     1  0 08:33 ?        00:00:01 /usr/bin/gnome-terminal
root      3540  3539  0 08:33 ?        00:00:00 [gnome-pty-helpe]
root      3541  3539  0 08:33 pts/0    00:00:00 bash
root      3569  3541  0 08:34 pts/0    00:00:05 ethereal
root      3585  3353  0 08:36 ?        00:00:00 [smbd]
root      3605     1  0 08:38 ?        00:00:01 metacity --sm-save-file 1064406831-3503-1055393448.ms
root      3618  3569  0 08:38 pts/0    00:00:06 ethereal-capture -i eth0 -w /tmp/etherXXXXrZcm4J -W 6 -m -*-fixed-medium
root      3739  3202  0 09:08 ?        00:00:00 /usr/sbin/sshd
root      3742  3739  0 09:08 pts/1    00:00:00 -bash
root      4751  3742  0 10:09 pts/1    00:00:00 ps -ef