Re: Under Attack!?! Please HELP!
From: David (davidwnh@adelphia.net) Date: 10/10/02
- Next message: David: "Re: Zone Alarm Update Problems"
- Previous message: Berk S. Daemon: "Re: Firewall Recommendations?"
- In reply to: Jim Beam: "Under Attack!?! Please HELP!"
- Next in thread: Jim Beam: "Re: Under Attack!?! Please HELP!"
- Reply: Jim Beam: "Re: Under Attack!?! Please HELP!"
From: "David" <davidwnh@adelphia.net> Date: Wed, 09 Oct 2002 23:51:51 GMT
Figure out what programs are running on your machine and ultimately which
one is causing all the traffic. Maybe by shutting down each one by one until
the outbound traffic slows or stops. Could be a worm, trojan, spyware, or
something else you are purposely running which uses port 80. The quantity of
syn_sent status entries in netstat is a result of filtering these addresses
going outbound. You are in effect "syn attacking" yourself. These half open
connections can build up and ultimately crash your machine because you run
out of sockets. Investigate the destination addresses, it might give you a
clue as to what program or type of program at least is creating the traffic.
"Jim Beam" <JimBeam@nonet.com> wrote in message
news:cB0p9.2495$tu3.144503953@newssvr14.news.prodigy.com...
> In the last couple of days, I have been seeing my router go down often. I
> traced it to high outbound traffic on the eth0 interface on my Redhat 7.3
> Linux server (www.xxxx.com).
>
> If I setup my ipchains as:
> :output DENY
> then, the outbound traffic stops. But the problem is that it also disables
> my Apache http server, ftp server, etc..
>
> When I did a netstat, I see this:
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 *:32768 *:* LISTEN
> tcp 0 0 localhost.localdom:8007 *:* LISTEN
> tcp 0 0 *:sunrpc *:* LISTEN
> tcp 0 0 *:http *:* LISTEN
> <snip>
> tcp 0 0 *:https *:* LISTEN
> tcp 0 1 www.xxxx.c:41938 185.185.102.130:http SYN_SENT
> tcp 0 1 www.xxxx.c:42005 185.185.102.197:http SYN_SENT
> <snip>
>
> I see a lot of entries similar to the last 2 entries above and suspect that
> this is causing problems. I tried restricting all outbound to
> 185.0.0.0/255.0.0.0. But, the problem is that the attack seems to come from
> different IPs at different times.
>
> Note that I do not have any web browsers open on my linux machine, so no
> traffic should go from my machine to the http port on the 185.185.x.x
> machines.
>
> Is this some worm in my RH system? Any help is appreciated.
>
> -Mr. Desperate
>
>
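The triage David describes (pull the SYN_SENT rows out of netstat, count them, and group them by destination so the pattern points at a program or at least a type of program) can be scripted. The following is an added example written for this thread, not code from either poster. It works on a netstat listing passed in as a string; the listing embedded below is constructed to mirror the format in Jim's post, with one extra destination network added so the grouping has something to show. On the live box the same functions can be fed `netstat -tan` (or `netstat -tanp`, which appends a PID/Program column after State; the State column stays in field 6 either way, which is what the awk filters key on).

```shell
#!/bin/sh
# Added example for the thread above: summarise half-open (SYN_SENT)
# outbound connections from a netstat listing.
#
# SAMPLE is a constructed netstat listing in the same layout as the one
# quoted in the post; it is not real output from Jim's server.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 *:http                  *:*                     LISTEN
tcp        0      1 www.xxxx.c:41938        185.185.102.130:http    SYN_SENT
tcp        0      1 www.xxxx.c:42005        185.185.102.197:http    SYN_SENT
tcp        0      1 www.xxxx.c:42010        185.185.102.130:http    SYN_SENT
tcp        0      1 www.xxxx.c:42011        203.0.113.9:http        SYN_SENT
tcp        0      0 www.xxxx.c:http         10.0.0.5:51234          ESTABLISHED'

# syn_sent_total LISTING
#   Number of half-open outbound connections (field 6 is State in both
#   "netstat -tan" and "netstat -tanp" output).
syn_sent_total() {
  printf '%s\n' "$1" | awk '$6 == "SYN_SENT"' | wc -l | tr -d ' '
}

# syn_sent_by_dest LISTING
#   One line per foreign address:port, as "count address:port",
#   most frequent first. Repeated hits on one host usually mean one
#   program retrying the same target.
syn_sent_by_dest() {
  printf '%s\n' "$1" \
    | awk '$6 == "SYN_SENT" { print $5 }' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $1, $2 }'
}

# syn_sent_nets LISTING
#   Distinct destination /24 networks being hit. Handy when, as in the
#   post, blocking one /8 just moves the traffic to other addresses:
#   the list shows how widely the destinations are spread.
syn_sent_nets() {
  printf '%s\n' "$1" \
    | awk '$6 == "SYN_SENT" {
             split($5, hp, ":");          # strip the port
             n = split(hp[1], o, ".");    # dotted-quad octets
             if (n == 4) print o[1] "." o[2] "." o[3] ".0/24"
           }' \
    | sort -u
}

# Stand-alone run against the constructed sample.
echo "half-open connections: $(syn_sent_total "$SAMPLE")"
echo "by destination:"
syn_sent_by_dest "$SAMPLE"
echo "destination networks:"
syn_sent_nets "$SAMPLE"
```

To go from an address to the program, run the same filter on `netstat -tanp` as root: the extra column names the PID, which can then be stopped one at a time as David suggests until the half-open count stops climbing.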