Re: Large, constant incoming traffic
On torsdag 13. mai 2004, 20:15, Lars Ellenberg wrote:
> > 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376
> > [ttl 1]
>
> ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server,
> was infected, and now tries to compromise the world, and its own
> subnet, where you happen to be in.
Oh, I see. But one thing I do not understand, it doesn't seem like this
traffic is directed at me, since it's not my address that's the
destination...? Are they routing their traffic through me or something?
> iirc there has been some worm targeting Microsoft SQL server early
> 2003, maybe it is still active sometimes, maybe there is a new one.
OK. I tried nmap -O 217.77.34.162 but got nothing. I have found that
they are running IIS on their web server though. And I can't find any
hosts in that company's netblock.
>
> you are "safe", but this should show in some "DROP" or "REJECT"
> statistics. have a look at the output of "iptables -vnL"
OK. Very little there... It is not very detailed, since I'm using -P, is
that a Bad Idea?
This is what it says:
Chain INPUT (policy DROP 157K packets, 10M bytes)
That's still nowhere near the total amount of data I've been getting.
There's of course a lot more, but nothing that seems relevant.
BTW, would I have anything to lose by going
iptables -I INPUT -i eth0 -s 217.77.34.162 -j REJECT
> you want to tell the guy responsible for 217.77.34.162, and the
> hostmaster at easynet.no, that they have a compromised machine, and
> should take it offline.
Hm, OK, but I need to feel a little more certain about what's going
on... Given I find no signs that the machine is actually up, and that I
still don't understand the traffic pattern,
> and that you want them to pay for the traffic they are causing you.
Well, it is more the time I've been wasting, I spent almost two full
days, in a very critical period... But I do not expect to be charged
for the bandwidth, no...
Best,
Kjetil
--
Kjetil Kjernsmo
Astrophysicist/IT Consultant/Skeptic/Ski-orienteer/Orienteer/Mountaineer
kjetil@kjernsmo.net webmaster@skepsis.no editor@learn-orienteering.org
Homepage: http://www.kjetil.kjernsmo.net/ OpenPGP KeyID: 6A6A0BBC
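An added example, not part of the thread, that parses tcpdump lines like the one quoted above and reports the two things asked about here: how many udp/1434 packets each source has sent, and whether the destination is a unicast, multicast or broadcast address (234.195.198.113 lies in the 224.0.0.0/4 multicast range, so a host on the segment sees it without being the addressee). The sample lines are constructed from the quoted packet.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in tcpdump's default format: the quoted 1434/udp packet
# twice, plus an unrelated unicast packet for contrast.
SAMPLE_CAPTURE = """\
19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:30.102211 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
19:41:31.551002 10.0.0.7.53201 > 10.0.0.1.22: tcp 0
"""

# timestamp src.sport > dst.dport: proto ...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<proto>\w+)"
)

MSSQL_MONITOR_PORT = 1434  # SQL Server resolution service, the port the 2003 worm hit

def classify_destination(dst):
    """Say whom a destination address actually addresses."""
    addr = ipaddress.IPv4Address(dst)
    if addr.is_multicast:  # 224.0.0.0/4: reaches every listener on the segment
        return "multicast"
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return "broadcast"
    return "unicast"

def analyse(capture):
    """Return per-source counts of udp/1434 packets and the kind of each destination seen."""
    hits = Counter()
    kinds = {}
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        if m["proto"] == "udp" and int(m["dport"]) == MSSQL_MONITOR_PORT:
            hits[m["src"]] += 1
            kinds[m["dst"]] = classify_destination(m["dst"])
    return hits, kinds

if __name__ == "__main__":
    hits, kinds = analyse(SAMPLE_CAPTURE)
    for src, n in hits.items():
        print(f"{src}: {n} packets to udp/{MSSQL_MONITOR_PORT}")
    for dst, kind in kinds.items():
        print(f"destination {dst} is {kind}")
```

The same parser can be fed a real `tcpdump -n` capture to see whether the dropped-packet counter in `iptables -vnL` accounts for this traffic at all.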