OK, here's the deal...

Big, and in sections (separated by tildes (~))... As an aside, I have just added 165.113.216.6 to my hosts.deny file...

Sections include tcpdump, log files, and a traceroute... I cannot nslookup what appears to be the offending host (165.113.216.6) (nor can I whois him)... I can, however, ping, telnet, and ftp to this box (although I don't know the passwords)... It doesn't seem to have a name (interesting)... So, this said, it would appear to me that this box is attached to a network where the admin doesn't know it exists.

What I appear to be seeing is a series of messages of some sort from this machine to mine (on different, successive ports)... My machine seems to talk back to this machine as well (on different, successive ports). Shortly after the talking occurs, my machine starts trying to blast a gazillion packets out to different machines - it looks as if I am being used as part of a DoS attack of some sort. Fortunately, my firewall seems to be blocking me from sending this crap out to the world.

There seems to be some correlation between some of the talking between mine & the mystery machine and what the firewall is blocking, but I can't tell exactly what. It seems almost as if there is a daemon running on my machine for this, but I can find no evidence of it... I have looked through my rc.d directories, and none of them seem to be modified...

I have gone through my box, and I see no evidence of a successful break-in, except for the fact that my machine is talking to some other machine. So, here are the questions:

1) Have I been broken into, and how?
2) If I have been compromised, how can I find the daemons that may be running to do this talking?
3) What can I do to keep this from happening again?

In a nutshell... What the heck is going on here?!
~~~~~~~~~~~~~~~~~~~~~~~~~~~
tcpdump from last night (tcpdump -ippp0) - all machines on the internal net turned OFF:
21:40:21.010000 classifieds2000.com.http > ##MY.MACHINE##.62267: R 2140746213:2140746213(0) win 0 (DF)
21:40:21.010000 ##MY.MACHINE##.1774 > ns2.dns.rcn.net.domain: 11760+ (42)
21:40:21.360000 ns2.dns.rcn.net.domain > ##MY.MACHINE##.1774: 11760* 1/4/4 (246) (DF)
21:40:21.360000 ##MY.MACHINE##.1776 > ns2.dns.rcn.net.domain: 11761+ (42)
21:40:21.580000 ns2.dns.rcn.net.domain > ##MY.MACHINE##.1776: 11761 1/3/3 (221) (DF)
21:48:17.940000 165.113.216.6.52501 > ##MY.MACHINE##.27444: udp 11 (DF)
21:48:17.940000 ##MY.MACHINE##.1777 > 165.113.216.6.31335: udp 4
21:48:17.940000 ##MY.MACHINE##.1778 > ns2.dns.rcn.net.domain: 11762+ (44)
21:48:18.260000 ns2.dns.rcn.net.domain > ##MY.MACHINE##.1778: 11762 NXDomain* 0/1/0 (112) (DF)
21:51:12.230000 165.113.216.6.52502 > ##MY.MACHINE##.27444: udp 11 (DF)
21:51:12.230000 ##MY.MACHINE##.1779 > 165.113.216.6.31335: udp 4
21:51:59.340000 165.113.216.6.52504 > ##MY.MACHINE##.27444: udp 16 (DF)
21:52:04.660000 165.113.216.6.52505 > ##MY.MACHINE##.27444: udp 25 (DF)
22:11:36.720000 165.113.216.6.52507 > ##MY.MACHINE##.27444: udp 15 (DF)
22:11:43.980000 165.113.216.6.52508 > ##MY.MACHINE##.27444: udp 15 (DF)
22:16:51.040000 165.113.216.6.52509 > ##MY.MACHINE##.27444: udp 11 (DF)
22:18:58.030000 165.113.216.6.52510 > ##MY.MACHINE##.27444: udp 11 (DF)
22:22:46.060000 165.113.216.6.52511 > ##MY.MACHINE##.27444: udp 11 (DF)
22:22:58.270000 165.113.216.6.52514 > ##MY.MACHINE##.27444: udp 25 (DF)
22:26:30.900000 165.113.216.6.52515 > ##MY.MACHINE##.27444: udp 11 (DF)
22:28:17.000000 ##MY.MACHINE##.1780 > 165.113.216.6.31335: udp 4
22:28:17.000000 ##MY.MACHINE##.1781 > 165.113.216.6.31335: udp 4
22:28:17.000000 ##MY.MACHINE##.1782 > 165.113.216.6.31335: udp 4
22:31:38.000000 ##MY.MACHINE##.1783 > 165.113.216.6.31335: udp 4
23:03:51.930000 165.113.216.6.52517 > ##MY.MACHINE##.27444: udp 11 (DF)
23:03:51.930000 ##MY.MACHINE##.1784 > 165.113.216.6.31335: udp 4
23:03:53.940000 165.113.216.6.52518 > ##MY.MACHINE##.27444: udp 11 (DF)
23:03:57.010000 165.113.216.6.52519 > ##MY.MACHINE##.27444: udp 15 (DF)
23:04:45.040000 165.113.216.6.52520 > ##MY.MACHINE##.27444: udp 61 (DF)
23:21:04.330000 165.113.216.6.52521 > ##MY.MACHINE##.27444: udp 11 (DF)
23:21:07.210000 165.113.216.6.52522 > ##MY.MACHINE##.27444: udp 15 (DF)
23:21:07.870000 165.113.216.6.52523 > ##MY.MACHINE##.27444: udp 23 (DF)
23:30:01.190000 165.113.216.6.52524 > ##MY.MACHINE##.27444: udp 11 (DF)
23:30:01.190000 ##MY.MACHINE##.1785 > 165.113.216.6.31335: udp 4
23:30:08.820000 165.113.216.6.52526 > ##MY.MACHINE##.27444: udp 15 (DF)
23:45:08.290000 165.113.216.6.52530 > ##MY.MACHINE##.27444: udp 15 (DF)
01:06:04.860000 165.113.216.6.52537 > ##MY.MACHINE##.27444: udp 11 (DF)
01:06:07.430000 165.113.216.6.52538 > ##MY.MACHINE##.27444: udp 16 (DF)
01:06:09.950000 165.113.216.6.52539 > ##MY.MACHINE##.27444: udp 26 (DF)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Related parts of my logs:
Apr 6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP 193.26.175.63:34277 209.67.45.225:13009 L=40 S=0x08 I=54333 F=0x0000 T=255
Apr 6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP 152.227.250.6:34533 209.67.45.225:50856 L=40 S=0x08 I=54589 F=0x0000 T=255
Apr 6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP 212.138.249.60:34789 209.67.45.225:552 L=40 S=0x08 I=54845 F=0x0000 T=255
.
.
.
Apr 6 22:07:55 tomii-gate kernel: IP fw-out deny ppp0 TCP 46.7.71.7:50521 209.67.45.225:17926 L=40 S=0x08 I=5298 F=0x0000 T=255
Apr 6 22:07:55 tomii-gate kernel: IP fw-out deny ppp0 TCP
72.28.202.58:50777 209.67.45.225:45 fw-out deny ppp0 TCP
215.165.249.95:48932 209.67.45.225:52711 L=40 S=0x08 I=3709 F=0x0000 T=255
.
.
.
Apr 6 22:31:44 tomii-gate kernel: IP fw-out deny ppp0 TCP 91.86.116.82:19139 154.11.89.164:3888 L=40 S=0x08 I=46375 F=0x0000 T=255
Apr 6 22:31:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 230.7.181.106:19395 154.11.89.164:23482 L=40 S=0x08 I=46631 F=0x0000 T=255
.
.
.
Apr 6 23:04:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 212.218.143.80:7264 62.236.92.186:11648 L=40 S=0x08 I=40912 F=0x0000 T=255
Apr 6 23:04:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 21.210.177.114:36222 199.174.197.117:51372 L=40 S=0x08 I=1752 F=0x0000 T=255
.
.
.
Apr 6 23:14:51 tomii-gate kernel: IP fw-out deny ppp0 TCP 102.241.197.103:34790 129.116.18.120:17040 L=40 S=0x08 I=11762 F=0x0000 T=255
Apr 6 23:14:51 tomii-gate kernel: IP fw-out deny ppp0 TCP 224.155.34.51:172 62.236.92.186:46889 L=40 S=0x08 I=5203 F=0x0000 T=255
.
.
.
Apr 6 23:28:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 150.169.177.45:19214 24.141.1.55:17985 L=40 S=0x08 I=46985 F=0x0000 T=255
Apr 6 23:28:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 238.31.244.59:19470 24.141.1.55:7161 L=40 S=0x08 I=47241 F=0x0000 T=255
Apr 7 01:06:10 tomii-gate kernel: IP fw-out deny ppp0 TCP 35.128.116.121:49889 129.111.249.53:9837 L=40 S=0x08 I=12673 F=0x0000 T=255
Apr 7 01:06:10 tomii-gate kernel: IP fw-out deny ppp0 TCP 212.104.245.43:50145 129.111.249.53:16172 L=40 S=0x08 I=12929 F=0x0000 T=255
Apr 7 01:06:10 tomii-gate kernel: IP fw-out deny ppp0 TCP 195.16.60.120:50401 129.111.249.53:35045 L=40 S=0x08 I=13185 F=0x0000 T=255
.
.
.
Apr 7 01:22:57 tomii-gate kernel: IP fw-out deny ppp0 TCP 70.41.138.30:49428 129.111.249.53:39115 L=40 S=0x08 I=12468 F=0x0000 T=255
Apr 7 01:22:57 tomii-gate kernel: IP fw-out deny ppp0 TCP 139.222.87.115:49684 129.111.249.53:11940 L=40 S=0x08 I=12724 F=0x0000 T=255
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Traceroute output:
[root@tomii-gate /root]# traceroute -ippp0 165.113.216.6
traceroute to 165.113.216.6 (165.113.216.6), 30 hops max, 40 byte packets
 1 as4.anp.md.rcn.net (10.65.34.14) 444.075 ms 549.621 ms 389.890 ms
 2 fe0-0-0.core1.anp.md.rcn.net (10.65.34.1) 239.821 ms 309.810 ms 399.957 ms
 3 poet0-0-1.core1.col.md.rcn.net (207.172.9.197) 299.799 ms 569.799 ms 419.907 ms
 4 poet6-0-0.core1.blb.md.rcn.net (207.172.19.170) 629.828 ms 309.800 ms 389.895 ms
 5 poet1-0-0.core1.blba.md.rcn.net (207.172.9.53) 659.849 ms 569.777 ms 379.830 ms
 6 poet4-0-1.core1.dcb.dc.rcn.net (207.172.9.49) 269.858 ms poet5-1-0.core1.dcb.dc.rcn.net (207.172.19.178) 309.767 ms poet4-1-0.core1.dcb.dc.rcn.net (207.172.19.218) 509.764 ms
 7 pos1-1-0.border1.tcob.va.rcn.net (207.172.19.249) 519.685 ms 579.809 ms 389.905 ms
 8 ge3-0-0.core1.tco.va.rcn.net (207.172.19.213) 389.821 ms 680.031 ms 669.662 ms
 9 fe1-1-0.border1.tco.va.rcn.net (207.172.9.230) 609.829 ms 569.745 ms 469.894 ms
10 mae-e-1.e0.crl.com (192.41.177.104) 569.879 ms 439.767 ms 640.375 ms
11 careerblazer.atm-e.us.crl.net (165.113.99.37) 649.369 ms 390.484 ms 659.205 ms
12 165.113.216.6 (165.113.216.6) 379.852 ms 649.748 ms *
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
My firewall script:
# Input chain: flush, then default deny
ipfwadm -I -f
ipfwadm -I -p deny
# Internal net may send anything in via the internal interface
ipfwadm -I -a accept -V 192.168.68.1 -S 192.168.0.0/16 -D 0.0.0.0/0
# Anti-spoofing: internal addresses must never arrive on the external address (logged)
ipfwadm -I -a deny -V ##MY.MACHINE.IP.ADDR## -S 192.168.0.0/16 -D 0.0.0.0/0 -o
# Anything addressed to this host is accepted on the external interface
ipfwadm -I -a accept -V ##MY.MACHINE.IP.ADDR## -S 0.0.0.0/0 -D ##MY.MACHINE.IP.ADDR##/32
ipfwadm -I -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
# ??
ipfwadm -I -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o

# Output chain: flush, then default deny
ipfwadm -O -f
ipfwadm -O -p deny
ipfwadm -O -a accept -V 192.168.68.1 -S 0.0.0.0/0 -D 192.168.0.0/16
ipfwadm -O -a deny -V ##MY.MACHINE.IP.ADDR## -S 0.0.0.0/0 -D 192.168.0.0/16 -o
ipfwadm -O -a deny -V ##MY.MACHINE.IP.ADDR## -S 192.168.0.0/16 -D 0.0.0.0/0 -o
ipfwadm -O -a deny -V ##MY.MACHINE.IP.ADDR## -S 0.0.0.0/0 -D 192.168.0.0/16 -o
# Only packets sourced from this host's own address may leave via the external
# address; anything else (such as the spoofed-source TCP in the logs above) falls
# through to the final deny and is logged as "fw-out deny"
ipfwadm -O -a accept -V ##MY.MACHINE.IP.ADDR## -S ##MY.MACHINE.IP.ADDR## -D 0.0.0.0/0
ipfwadm -O -a accept -V 127.0.0.1 -S 0.0.0.0/0 -D 0.0.0.0/0
ipfwadm -O -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o

# Forwarding chain: masquerade the internal net out ppp0, deny everything else
ipfwadm -F -f
ipfwadm -F -p deny
ipfwadm -F -a masquerade -W ppp0 -S 192.168.0.0/16 -D 0.0.0.0/0
ipfwadm -F -a deny -S 0.0.0.0/0 -D 0.0.0.0/0 -o
#ipfwadm -F -p deny
#ipfwadm -F -a m -S 192.168.68.0/24 -D 0.0.0.0/0
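The correlation the post asks about can be checked mechanically rather than by eye. The following is an added example, not code from the original post: it parses tcpdump and kernel "fw-out deny" lines of the shapes shown above (the embedded samples are constructed, abridged copies of them), works out which remote host and local UDP port carry the small inbound messages and which remote port the host answers on, then pairs each inbound message with the burst of egress-denied, spoofed-source TCP that follows within a few seconds. It assumes the host placeholder ##MY.MACHINE## stands for the local address and uses a 5-second window.

```python
import re
from collections import Counter
# Constructed sample lines: abridged copies of the shapes shown in the post
# (tcpdump on ppp0, and the kernel's "fw-out deny" lines), placeholders kept.
TCPDUMP = """\
21:48:17.940000 165.113.216.6.52501 > ##MY.MACHINE##.27444: udp 11 (DF)
21:48:17.940000 ##MY.MACHINE##.1777 > 165.113.216.6.31335: udp 4
21:52:04.660000 165.113.216.6.52505 > ##MY.MACHINE##.27444: udp 25 (DF)
23:04:45.040000 165.113.216.6.52520 > ##MY.MACHINE##.27444: udp 61 (DF)
"""
FWLOG = """\
Apr 6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP 193.26.175.63:34277 209.67.45.225:13009 L=40 S=0x08 I=54333 F=0x0000 T=255
Apr 6 21:52:05 tomii-gate kernel: IP fw-out deny ppp0 TCP 152.227.250.6:34533 209.67.45.225:50856 L=40 S=0x08 I=54589 F=0x0000 T=255
Apr 6 23:04:45 tomii-gate kernel: IP fw-out deny ppp0 TCP 212.218.143.80:7264 62.236.92.186:11648 L=40 S=0x08 I=40912 F=0x0000 T=255
"""
TCPDUMP_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.\d+ (\S+)\.(\d+) > (\S+)\.(\d+): udp (\d+)")
FWLOG_RE = re.compile(r"^\w+ +\d+ (\d\d):(\d\d):(\d\d) \S+ kernel: IP fw-out deny \S+ TCP "
                      r"(\d+\.\d+\.\d+\.\d+):\d+ (\d+\.\d+\.\d+\.\d+):\d+")

def secs(h, m, s):
    return int(h) * 3600 + int(m) * 60 + int(s)

def parse_tcpdump(text):
    """(time, src, sport, dst, dport, udp_len) for the UDP lines only."""
    rows = (TCPDUMP_RE.match(line) for line in text.splitlines())
    return [(secs(*m.group(1, 2, 3)), m[4], int(m[5]), m[6], int(m[7]), int(m[8]))
            for m in rows if m]

def parse_fwlog(text):
    """(time, spoofed_src, victim) for each TCP packet the egress filter denied."""
    rows = (FWLOG_RE.match(line) for line in text.splitlines())
    return [(secs(*m.group(1, 2, 3)), m[4], m[5]) for m in rows if m]

def control_channel(pkts, local):
    """(remote, in_port, out_port): busiest inbound (src, dport) pair and the
    remote port our host answers that source on."""
    inbound = Counter((src, dp) for _, src, _, dst, dp, _ in pkts if dst == local)
    (remote, in_port), _ = inbound.most_common(1)[0]
    out = Counter(dp for _, src, _, dst, dp, _ in pkts if src == local and dst == remote)
    return remote, in_port, out.most_common(1)[0][0]

def correlate(pkts, denies, local, window=5):
    """Pair each inbound control packet with the egress-denied packets that follow
    within `window` seconds: (cmd_time, distinct spoofed sources, victims).
    tcpdump prints no date, so all times are seconds of day (same day assumed)."""
    remote, in_port, _ = control_channel(pkts, local)
    bursts = []
    for t in [t for t, src, _, _, dp, _ in pkts if src == remote and dp == in_port]:
        hits = [(s, v) for ft, s, v in denies if 0 <= ft - t <= window]
        if hits:
            bursts.append((t, len({s for s, _ in hits}), sorted({v for _, v in hits})))
    return bursts
```

Run over the full capture and log, a non-empty result is the evidence the post is looking for: commands arriving on one UDP port from one host, each followed by a flood the egress filter stopped, and the victim addresses that flood was aimed at.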