LinuxQuestions.org


LinFreak! 09-23-2003 07:35 PM

Bad message from freshmeat :(
 
Does anyone know how I got this message:

"We encountered an error

Your IP address has been banned from this site for the following reason:
Excessive or malicious usage, 10,288 pages on Sat, Sep 20th"

I certainly haven't done this on purpose :( can someone be masquerading as me? I did visit the site to look for wine but that was all, no downloads I needed so I left :(

Saraev 09-23-2003 07:43 PM

Do you use dial-up? If so, disconnect then reconnect. You'll get a different IP address, one that's not "tainted" in their eyes.

edit: On a side note, if you're not on dialup, make sure you don't have something on your machine doing this evil.


JesseJames 09-23-2003 07:53 PM

Is your IP static and if so have you disconnected since September the 20th???
I was going to say you could email them about this but you can't access their site to get an email address to contact them. If you want I can get it for you.

LinFreak! 09-23-2003 08:39 PM

Thanks for the reply.
My last reboot was Saturday around 8pm, I am on cable so I assume that my IP is static.
How can I check my outgoing traffic and whatnot? I run gtk-gnutella almost continuously. I am behind a firewall but I opened my gnutella port to the whole world for a while as it made a nice smiley face in gnutella! Then I thought twice, I changed the port number it uses and closed all ports again.
But I am still receiving lots of messages related to the old port number, like this one:

Sep 21 05:52:49 darkstar kernel: Connection attempt (UNPRIV): IN=eth0 etc.....

80% of the messages in /var/log/messages are like this!!!!!

I think I've done a bad thing........ Am I stupid or just stupid!:D

Saraev 09-23-2003 08:46 PM

Most cable companies give you dynamic IP addresses, technically. I don't know how it works in the UK, but my "DHCP" address here in Calif. hasn't changed in about 9 months.

Can you paste the whole line of that message? It's an iptables log message, it might give some clues.

One nasty caveat to the whole P2P thing is the amount of nasty people who hide things in them.

You might even think about adding an iptables rule to block you from going to freshmeat.net, and logging the block. You'll be able to see if your machine is doing a DoS attempt.

LinFreak! 09-23-2003 09:01 PM

Thanks again,
I just rebooted after turning my modem off then back on and am still getting messages:

Sep 24 02:51:28 darkstar kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:08:a1:24:a9:17:00:05:74:f7:80:70:08:00 SRC=24.218.53.32 DST=81.99.25.85 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=58116 DF PROTO=TCP SPT=13350 DPT=8436 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 24 02:51:28 darkstar kernel: usb-uhci.c: $Revision: 1.275 $ time 00:02:40 Sep 5 2003
Sep 24 02:51:28 darkstar kernel: usb-uhci.c: High bandwidth mode enabled
Sep 24 02:51:28 darkstar kernel: usb-uhci.c: v1.275:USB Universal Host Controller Interface driver
Sep 24 02:51:33 darkstar apmd[1423]: Version 3.0.2 (APM BIOS 1.2, Linux driver 1.16)
Sep 24 02:51:33 darkstar apmd[1423]: Charge: * * * (-1% unknown)
Sep 24 02:51:34 darkstar /usr/sbin/gpm[1429]: imps2: Auto-detected intellimouse PS/2
Sep 24 02:51:35 darkstar kernel: 0: nvidia: loading NVIDIA Linux x86 nvidia.o Kernel Module 1.0-4496 Wed Jul 16 19:03:09 PDT 2003
Sep 24 02:51:35 darkstar insmod: Warning: loading /lib/modules/2.4.20/kernel/drivers/video/nvidia.o will taint the kernel: non-GPL license - NVIDIA
Sep 24 02:51:35 darkstar insmod: See http://www.tux.org/lkml/#export-tainted for information about tainted modules
Sep 24 02:51:35 darkstar insmod: Module nvidia loaded, with warnings
Sep 24 02:51:36 darkstar kernel: Linux agpgart interface v0.99 (c) Jeff Hartmann
Sep 24 02:51:36 darkstar kernel: agpgart: Maximum main memory to use for agp memory: 439M
Sep 24 02:51:36 darkstar kernel: agpgart: Detected Via Apollo Pro KT266 chipset
Sep 24 02:51:36 darkstar kernel: agpgart: AGP aperture is 64M @ 0xf8000000
Sep 24 02:51:36 darkstar kernel: bttv0: PLL: 28636363 => 35468950 ... ok
Sep 24 02:51:36 darkstar modprobe: modprobe: Can't locate module char-major-81-1
Sep 24 02:51:39 darkstar gdm[1444]: run_pictures: /home/tuttle/.gnome2 is writable by group.
Sep 24 02:51:51 darkstar gdm[1444]: gdm_slave_session_start: /home/tuttle/.gnome2 is writable by group.
Sep 24 02:51:51 darkstar gdm[1444]: gdm_auth_user_add: /home/tuttle is writable by group.
Sep 24 02:51:52 darkstar gconfd (tuttle-1494): starting (version 2.2.0), pid 1494 user 'tuttle'
Sep 24 02:51:52 darkstar gconfd (tuttle-1494): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only config source at position 0
Sep 24 02:51:52 darkstar gconfd (tuttle-1494): Resolved address "xml:readwrite:/home/tuttle/.gconf" to a writable config source at position 1
Sep 24 02:51:52 darkstar gconfd (tuttle-1494): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only config source at position 2
Sep 24 02:51:56 darkstar kernel: cdrom: This disc doesn't have any tracks I recognize!
Sep 24 02:52:18 darkstar kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:08:a1:24:a9:17:00:05:74:f7:80:70:08:00 SRC=24.170.169.48 DST=81.99.25.85 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=49090 DF PROTO=TCP SPT=53719 DPT=8436 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 24 02:53:20 darkstar kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:08:a1:24:a9:17:00:05:74:f7:80:70:08:00 SRC=80.3.143.212 DST=81.99.25.85 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=21816 DF PROTO=TCP SPT=3490 DPT=8124 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 24 02:54:20 darkstar kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:08:a1:24:a9:17:00:05:74:f7:80:70:08:00 SRC=12.246.156.186 DST=81.99.25.85 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=6758 DF PROTO=TCP SPT=4335 DPT=8124 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 24 02:55:20 darkstar kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:08:a1:24:a9:17:00:05:74:f7:80:70:08:00 SRC=24.59.77.84 DST=81.99.25.85 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1190 DF PROTO=TCP SPT=4444 DPT=8124 WINDOW=16384 RES=0x00 SYN URGP=0

Notice how the first message is before the system has fully booted!
Is it just harmless requests from gnutella clients? I wonder....
Thanks for the tip on the use of iptables:) I'll try that in the morning, will get back to you.
night night - *shutdown -h now*

Saraev 09-23-2003 09:12 PM

First things first, turn off gnutella for at least a day. You should have your standard gnutella packets go away after an hour or so. If these packets continue 24 hours after you kill gnutella, you can be assured that something is not right at all. The gnutella network should figure out that you're not there by then, and stop sending traffic your way.

Try that iptables rule and see what it turns up. Another trick is to add an iptables rule to the system that blocks and logs ALL outgoing traffic. See what ports/ips are being used by your system. Sure, you won't be able to go anywhere while the rule is up, but it will show malicious activity right quick. I've used that trick a few times to track down evil on various machines.

Good luck.
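Added example (not code from the thread): a small Python parser for the netfilter LOG lines LinFreak pasted above, which does the reading Saraev suggests by hand. It sorts logged TCP SYNs by direction and, for inbound ones, by destination port and source address, so you can see at a glance that every pasted line is an inbound SYN to the old (8436) or new (8124) gnutella port and none is the box calling out. The sample input is the thread's own lines plus one constructed outbound line (TEST-NET address 203.0.113.10, made-up prefix "OUTBOUND-LOG:") to show what a LOG rule on the OUTPUT chain would produce.

```python
import re
from collections import Counter

# Constructed sample: the five "Connection attempt" lines and one noise line from the
# post above, plus one made-up outbound line (TEST-NET address, prefix "OUTBOUND-LOG:").
SAMPLE_LOG = """\
Sep 24 02:51:28 darkstar kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:08:a1:24:a9:17:00:05:74:f7:80:70:08:00 SRC=24.218.53.32 DST=81.99.25.85 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=58116 DF PROTO=TCP SPT=13350 DPT=8436 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 24 02:51:56 darkstar kernel: cdrom: This disc doesn't have any tracks I recognize!
Sep 24 02:52:18 darkstar kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:08:a1:24:a9:17:00:05:74:f7:80:70:08:00 SRC=24.170.169.48 DST=81.99.25.85 LEN=48 TOS=0x00 PREC=0x00 TTL=111 ID=49090 DF PROTO=TCP SPT=53719 DPT=8436 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 24 02:53:20 darkstar kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:08:a1:24:a9:17:00:05:74:f7:80:70:08:00 SRC=80.3.143.212 DST=81.99.25.85 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=21816 DF PROTO=TCP SPT=3490 DPT=8124 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 24 02:54:20 darkstar kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:08:a1:24:a9:17:00:05:74:f7:80:70:08:00 SRC=12.246.156.186 DST=81.99.25.85 LEN=48 TOS=0x00 PREC=0x00 TTL=106 ID=6758 DF PROTO=TCP SPT=4335 DPT=8124 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 24 02:55:20 darkstar kernel: Connection attempt (UNPRIV): IN=eth0 OUT= MAC=00:08:a1:24:a9:17:00:05:74:f7:80:70:08:00 SRC=24.59.77.84 DST=81.99.25.85 LEN=48 TOS=0x00 PREC=0x00 TTL=110 ID=1190 DF PROTO=TCP SPT=4444 DPT=8124 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 24 02:56:01 darkstar kernel: OUTBOUND-LOG: IN= OUT=eth0 SRC=81.99.25.85 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=34567 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Netfilter LOG output is a run of KEY=VALUE tokens; TCP flags (SYN, DF, ...) are bare words.
KV = re.compile(r"\b([A-Z]+)=(\S*)")
FLAGS = {"DF", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Return the LOG fields of one syslog line, or None if it is not a LOG line."""
    if "kernel:" not in line or "IN=" not in line:
        return None
    head, _, rest = line.partition("IN=")
    fields = dict(KV.findall("IN=" + rest))
    fields["flags"] = {tok for tok in rest.split() if tok in FLAGS}
    fields["prefix"] = head.split("kernel:", 1)[1].strip()   # the --log-prefix text
    return fields

def direction(fields):
    """Inbound packets carry IN= and an empty OUT=; outbound is the reverse."""
    if fields.get("IN") and not fields.get("OUT"):
        return "inbound"
    if fields.get("OUT") and not fields.get("IN"):
        return "outbound"
    return "forwarded"

def summarize(log_text):
    """Tally logged TCP SYNs by direction, and inbound ones by port and source."""
    by_dir, by_dport, by_src = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f is None or f.get("PROTO") != "TCP" or "SYN" not in f["flags"]:
            continue
        d = direction(f)
        by_dir[d] += 1
        if d == "inbound":
            by_dport[int(f["DPT"])] += 1    # old gnutella port 8436 vs new 8124
            by_src[f["SRC"]] += 1
    return by_dir, by_dport, by_src
```

Feed it `/var/log/messages` after adding Saraev's OUTPUT-chain LOG rule and the "outbound" bucket is the one that would show the machine hammering a site; a long tail of inbound SYNs to a port you have already closed is just peers still holding your old address.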

LinFreak! 09-24-2003 03:47 AM

Thanks very much, will do.

edit: By the way, I had changed the port number from 8436 (default) to 8124 and changed the lines:

gnutella-svc 8436/tcp #gnutella-svc
gnutella-svc 8436/udp #gnutella-svc

to:

gnutella-svc 8124/tcp #gnutella-svc
gnutella-svc 8124/udp #gnutella-svc

in /etc/services (is that the right thing to do?)

I am still not too sure what I am doing with iptables, I am using arno's iptables firewall at the moment (as recommended by: http://simplylinux.punted.net/Usingiptables.html ) and have learned quite a lot by reading and adjusting the rules in /etc/iptables-firewall.conf (which is part of arno's firewall). I am not too sure how to block everything going out though, also I am not sure which log config file to adjust (I assume it can be done from the firewall config script which does contain logging options). If anyone can clarify these points it would be much appreciated :)
