Re: redhat 9 machine pings out every 10 and 26 seconds

From: P Gentry (rdgentry1_at_cablelynx.com)
Date: 08/19/04
Date: 19 Aug 2004 14:06:29 -0700

Alex Hunsley <lard@tardis.ed.ac.molar.uk> wrote in message news:<10i6p93q1j7am10@corp.supernews.com>...
> I have a redhat 9 machine behind a separate hardware firewall. The redhat 9
> machine is pinging a single address on the internet (flintstone.astro.rug.nl)
> constantly - it will wait 10 seconds between ping 1 and ping 2, then 26 seconds
> between ping 2 and 3, then 10 seconds again.... etc.
>
> Is there any good way to find out which process on the machine is doing this
> pinging? I've had a good look at netstat -a etc and can't see anything that
> looks relevant.
>
> Are there any good scripts for linux that will look for suspicious items in the
> environment (and tell me if the machine has been exploited)?
>
> thanks
> alex

Have you monitored the process list? Booted without internet
connection? Sniffed the wire? Confirmed that running processes are
the ones you expect? In other words, precisely what have you tried?

Especially if no process _seems_ out of the ordinary, you may want to
try this:
http://www.chkrootkit.org/

BTW, from OpenRBL, flintstone.astro.rug.nl resolves to:
 Lookup 129.125.6.242 (flintstone.astro.rug.nl) in 20+10 Zones
  AS: 129.125.0.0/16 AS1103 SURFnet BV Utrecht
 Net 129.125/16 RUGNET Groningen, Groningen @rc.rug.nl
 Results: Negative=30, Positive=0 (2004-08-19 20:50:35 UTC)

[pbrain]$ ping -c4 129.125.6.242
PING 129.125.6.242 (129.125.6.242) from my.comp.at.home : 56(84) bytes of data.
--- 129.125.6.242 ping statistics ---
4 packets transmitted, 0 received, 100% loss, time 3018ms

[pbrain]$ /usr/sbin/traceroute 129.125.6.242
traceroute to 129.125.6.242 (129.125.6.242), 30 hops max, 38 byte packets
 1 10.1.48.1 (10.1.48.1) 8.541 ms 6.777 ms 7.560 ms
 2 10.100.3.2 (10.100.3.2) 7.873 ms 7.271 ms 7.848 ms
 3 10.100.3.17 (10.100.3.17) 66.021 ms 65.608 ms 70.394 ms
 4 500.serial2-6.gw7.dfw7.alter.net (157.130.206.241) 67.726 ms 67.525 ms 71
 5 0.so-5-2-0.cl2.dfw13.alter.net (152.63.99.254) 68.558 ms 69.296 ms 67.047
 6 0.so-3-0-0.xl2.dfw9.alter.net (152.63.103.221) 67.306 ms 71.248 ms 65.879
 7 pos7-0.br2.dfw9.alter.net (152.63.99.213) 68.024 ms 68.860 ms 107.460 ms
 8 208.50.134.17 (208.50.134.17) 69.819 ms 73.824 ms 68.977 ms
 9 so1-0-0-2488m.ar1.ams1.gblx.net (67.17.65.242) 188.951 ms 184.792 ms 183.
10 gigasurf-amsterdam.ge-2-1-0.ar1.ams1.gblx.net (208.49.125.50) 185.156 ms 182.948 ms 181.750 ms
11 p11-0.cr1.amsterdam1.surf.net (145.145.166.33) 199.614 ms 185.439 ms 184.
12 po1-0.cr2.amsterdam1.surf.net (145.145.160.2) 184.782 ms 185.246 ms 181.8
13 po0-0.ar5.groningen1.surf.net (145.145.163.18) 189.597 ms 191.982 ms 188.
14 rug-router.customer.surf.net (145.145.2.2) 198.017 ms 189.466 ms 186.550
15 * * *
It hits the wall there and never picks up again -- it seems the following net/segment is likely blocking/dropping the packets.

How did you happen to notice this occurring in the first place?

prg
email above disabled
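An added example, not part of the thread and not P Gentry's or Alex's code, on the "confirm that running processes are the ones you expect" point. The reason a plain `netstat -a` shows nothing is that a classic `ping` sends from a raw socket, and `netstat` only lists raw sockets with `--raw`. On Linux the kernel exposes raw sockets in /proc/net/raw (the "port" half of the local address is the IP protocol number, 0001 for ICMP), and every process's open sockets appear as `socket:[<inode>]` symlinks under /proc/<pid>/fd, so inode-to-PID is a readlink scan. Newer kernels also have unprivileged ICMP datagram sockets listed in /proc/net/icmp, which this script scans as well. The script assumes a Linux /proc layout and POSIX sh with awk and readlink; the /proc/net/raw text in SAMPLE_RAW is constructed to exercise the parser.

```shell
#!/bin/sh
# Added example (not from the original thread): map ICMP sockets to the
# processes that own them, the part of the hunt that `netstat -a` misses.

# Constructed sample in /proc/net/raw format: one ICMP raw socket (proto 0001,
# inode 12345) and one TCP raw socket (proto 0006, inode 67890).
SAMPLE_RAW='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 12345 2 00000000 0
   6: 00000000:0006 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 67890 2 00000000 0'

# Print socket inodes (column 10) from /proc/net/raw- or /proc/net/icmp-style
# text on stdin. $1 is a hex protocol filter on the local "port" (0001 = ICMP
# for raw sockets); pass "" to keep every entry, which is right for
# /proc/net/icmp where all sockets are ICMP by definition.
socket_inodes() {
    awk -v proto="$1" 'NR > 1 && (proto == "" || $2 ~ (":" proto "$")) { print $10 }'
}

# Print the PIDs (deduplicated, one per line) whose fd table holds socket
# inode $1. fd entries of processes you are not allowed to read are skipped
# silently, so run as root for a complete answer.
pids_for_inode() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}
        echo "${pid%%/*}"
    done | sort -u
}

# Command line of PID $1 (NULs turned into spaces), or "?" if unreadable.
cmdline_of() {
    if [ -r "/proc/$1/cmdline" ]; then
        tr '\0' ' ' < "/proc/$1/cmdline"
    else
        printf '?'
    fi
    echo
}

# Scan proc table $1 with protocol filter $2 and report each socket's owner.
# A socket whose owner is not visible is itself a finding: either you lack
# privilege, or nothing in /proc admits to holding it.
report_icmp_sockets() {
    [ -r "$1" ] || return 0
    socket_inodes "$2" < "$1" | while read -r inode; do
        owners=$(pids_for_inode "$inode")
        if [ -z "$owners" ]; then
            echo "$1: inode $inode: owner not visible (run as root)"
        else
            for pid in $owners; do
                echo "$1: inode $inode: pid $pid: $(cmdline_of "$pid")"
            done
        fi
    done
}

# Show the parser on the constructed sample, then scan the live host.
echo "sample ICMP raw inodes: $(printf '%s\n' "$SAMPLE_RAW" | socket_inodes 0001)"
report_icmp_sockets /proc/net/raw 0001
report_icmp_sockets /proc/net/icmp ""
```

As root, `netstat -wp` (raw sockets with owning PID) or `lsof -i` give the same answer in one command; the script is only useful for seeing how that answer is derived. The caveat is the same one the chkrootkit suggestion addresses: if the sniffer on the wire still sees the echo requests leaving and no visible process owns an ICMP socket, the sender is hiding from /proc, which points below user space rather than at a stray cron job.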