[lug] wild activity, don't know why.

Ferdinand Schmid fschmid at archenergy.com
Thu Aug 9 12:05:31 MDT 2001


"Michael J. Hammel" wrote:
> 
> Thus spoke Holshouser, David
> > I downloaded iptraf and it looks like there is nothing but ARP going across
> > the pipe. I can't tell the to or from addresses though. Is there a way to
> > see if I am the one generating all the arp traffic?
> 
> Sure, shut down the interface.  ARP requests are software driven and if the
> inet connection is down, it won't go out.
> 
> I did this same test here in Houston (Time/Warner cable) and found the
> activity light stayed pretty active (though not solid).  There is a lot of
> probing going on right now.
> 
> > Perhaps I've been hacked and I'm being used to DOS the local pipe by ARPing
> > it to death.
> > Or maybe someone else has fallen victim to this fate.
> 
> It's someone else, more than likely, if you're on a Linux box.
Unless there are lots of dangerous daemons running.  Check then judge.

> 
> > This doesn't appear to be CodeRed to me.
> 
> It is.
> 
> > I did get 375 hits from it yesterday and already 45 today, but that doesn't
> > account for a constantly steady activity light.
> 
> I'm running KRUD and set up my gateway box to not accept any incoming
> connections via isinglass (very cool stuff, if you haven't tried it - it's
> from tummy.com).  Incoming connection attempts get logged as rejected in
> /var/log/messages.  Looking through those I found the IP addresses of the
> hosts who were probing me (which recently turned out to be a bunch on the
> *inside* of Time/Warner's network address block).  I telnet'd to those IP
> addresses on port 80 and did "get html", which produces an error and a note
> on which server is running.  Guess what - they're all MS IIS servers.  It's
> code red doing its thing.
> 
> > > further out. Almost all the hits I have been getting are on
> > > port 80 and
> > > from the 65.x.x.x address block (where my IP resides).
> 
> Ditto, but on the 66.x.x.x block which is Time/Warner's.
<snip>
Not so fast - unless Time Warner owns Sprint they don't own the entire
66.x.x.x network.  My IPs are in this range and my ISP is Sprint
(Broadband).


-- 
Ferdinand Schmid
http://www.archenergy.com
303-444-4149 x231
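As an added illustration of the log review Michael describes (counting which hosts are hitting port 80 and how many sit in your own ISP's address block), here is a small Python script; it is not code from the thread or from isinglass, and the sample lines are constructed in netfilter LOG-target style because the real isinglass log format is not shown here.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample of rejected inbound connections, written in the style of
# the netfilter LOG target. Made-up lines and addresses, not real isinglass output.
SAMPLE_LOG = """\
Aug  9 11:02:13 gw kernel: REJECT IN=eth0 OUT= SRC=66.12.34.5 DST=66.12.40.9 LEN=48 TTL=112 PROTO=TCP SPT=3456 DPT=80 SYN
Aug  9 11:02:15 gw kernel: REJECT IN=eth0 OUT= SRC=66.12.34.5 DST=66.12.40.9 LEN=48 TTL=112 PROTO=TCP SPT=3457 DPT=80 SYN
Aug  9 11:03:01 gw kernel: REJECT IN=eth0 OUT= SRC=66.99.1.7 DST=66.12.40.9 LEN=48 TTL=110 PROTO=TCP SPT=1044 DPT=80 SYN
Aug  9 11:03:40 gw kernel: REJECT IN=eth0 OUT= SRC=65.10.20.30 DST=66.12.40.9 LEN=48 TTL=105 PROTO=TCP SPT=2210 DPT=80 SYN
Aug  9 11:04:02 gw kernel: REJECT IN=eth0 OUT= SRC=66.12.34.5 DST=66.12.40.9 LEN=48 TTL=112 PROTO=TCP SPT=3470 DPT=22 SYN
Aug  9 11:04:10 gw kernel: REJECT IN=eth0 OUT= SRC=66.50.1.1 DST=66.12.40.9 LEN=60 TTL=60 PROTO=UDP SPT=53 DPT=80
Aug  9 11:05:00 gw kernel: some unrelated kernel message
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


def parse_rejects(text):
    """Yield (src, dst, proto, dport) for every line that looks like a rejected packet."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m["src"], m["dst"], m["proto"], int(m["dpt"])


def port80_sources(text):
    """Count TCP connection attempts to port 80 per source address (Code Red's target port)."""
    counts = Counter()
    for src, _dst, proto, dport in parse_rejects(text):
        if proto == "TCP" and dport == 80:
            counts[src] += 1
    return counts


def share_in_block(counts, block):
    """Fraction of port-80 attempts whose source lies inside `block`, e.g. your ISP's /8."""
    net = ip_network(block)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    inside = sum(n for ip, n in counts.items() if ip_address(ip) in net)
    return inside / total


if __name__ == "__main__":
    hits = port80_sources(SAMPLE_LOG)
    for ip, n in hits.most_common():
        print(f"{ip:>15}  {n} attempts")
    print(f"from 66.0.0.0/8: {share_in_block(hits, '66.0.0.0/8'):.0%}")
```

Run it against your own /var/log/messages instead of SAMPLE_LOG; a high share from your ISP's block with repeat sources is the pattern Michael saw.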