LinuxQuestions.org

Linux - Networking: Network Traffic problem..Being hacked? (https://www.linuxquestions.org/questions/linux-networking-3/network-traffic-problem-being-hacked-250455/)

AmdMhz 11-02-2004 10:25 PM

Network Traffic problem..Being hacked?
 
Hi all... I have been looking at my router lights going nuts every time I start my Slackware system. When I turn the system off, my router goes back to normal. Something seems to be hammering me, but in netstat I do not see anything strange. How can I protect my Slackware 10 system from this? This is slowing my system way down along with my DSL connection. Any suggestions will be appreciated.

Thanks
Amdmhz

fblucher 11-02-2004 11:06 PM

Run a "tcpdump -i <outbound interface> -n" and have a look at the traffic.

Seeya,
Finn.

AmdMhz 11-02-2004 11:18 PM

Thanks for replying. Being new to this tcpdump, what is it that I am looking for in the log? Thanks

fblucher 11-02-2004 11:27 PM

tcpdump will show you all the traffic that is coming and going from the interface you specified. Look at the traffic and see if there's traffic you don't like in there. Feel free to read the man page to get the syntax of the output.

Seeya,
Finn.

tangle 11-02-2004 11:28 PM

tcpdump is a port sniffer. Look at what port the traffic is transmitting on. Some worms and viruses use certain ports to do attacks.

AmdMhz 11-03-2004 10:25 PM

If I do see something strange how do I shut that port down so my network traffic calms down?

fblucher 11-03-2004 10:29 PM

Show us what strange is.

AmdMhz 11-03-2004 10:33 PM

Here is some of the dump:

23:31:06.131588 IP 192.168.1.12.33061 > 192.168.1.102.445: P 27920:28000(80) ack 57586 win 4802 <nop,nop,timestamp 38795409 688201900>
23:31:06.132013 IP 192.168.1.102.445 > 192.168.1.12.33061: P 57586:57751(165) ack 28000 win 4344 <nop,nop,timestamp 688201900 38795409>
23:31:06.132654 IP 192.168.1.12.35202 > 192.168.1.101.445: P 27920:28000(80) ack 51653 win 5360 <nop,nop,timestamp 38795409 3885013>
23:31:06.132870 IP 192.168.1.101.445 > 192.168.1.12.35202: P 51653:51801(148) ack 28000 win 64575 <nop,nop,timestamp 3885013 38795409>
23:31:06.168502 IP 192.168.1.12.33061 > 192.168.1.102.445: . ack 57751 win 4802 <nop,nop,timestamp 38795413 688201900>
23:31:06.168522 IP 192.168.1.12.35202 > 192.168.1.101.445: . ack 51801 win 5360 <nop,nop,timestamp 38795413 3885013>
23:31:06.379901 IP 192.168.1.12.35202 > 192.168.1.101.445: P 28000:28080(80) ack 51801 win 5360 <nop,nop,timestamp 38795434 3885013>
23:31:06.380325 IP 192.168.1.101.445 > 192.168.1.12.35202: P 51801:51949(148) ack 28080 win 64495 <nop,nop,timestamp 3885015 38795434>
23:31:06.380382 IP 192.168.1.12.35202 > 192.168.1.101.445: . ack 51949 win 5212 <nop,nop,timestamp 38795434 3885015>
23:31:06.380922 IP 192.168.1.12.33061 > 192.168.1.102.445: P 28000:28080(80) ack 57751 win 4802 <nop,nop,timestamp 38795434 688201900>
23:31:06.381390 IP 192.168.1.102.445 > 192.168.1.12.33061: P 57751:57916(165) ack 28080 win 4344 <nop,nop,timestamp 688202150 38795434>
23:31:06.381436 IP 192.168.1.12.33061 > 192.168.1.102.445: . ack 57916 win 4802 <nop,nop,timestamp 38795434 688202150>
23:31:06.381894 IP 192.168.1.12.33061 > 192.168.1.102.445: P 28080:28160(80) ack 57916 win 4802 <nop,nop,timestamp 38795434 688202150>
23:31:06.382318 IP 192.168.1.102.445 > 192.168.1.12.33061: P 57916:58081(165) ack 28160 win 4344 <nop,nop,timestamp 688202151 38795434>
23:31:06.382955 IP 192.168.1.12.35202 > 192.168.1.101.445: P 28080:28160(80) ack 51949 win 5360 <nop,nop,timestamp 38795434 3885015>
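One way to make a dump like this readable, as an added example that is not from the thread: a small Python parser that aggregates tcpdump lines into client-to-server flows, so the pattern the thread eventually found (every connection going to TCP port 445, the SMB port, on LAN hosts) shows up at a glance instead of line by line. The sample lines are copied from the post above plus one constructed truncated line; the lower-port-is-the-server heuristic and the short port-name table are assumptions.

```python
import re
from collections import defaultdict

# Sample copied from the tcpdump output in the thread, plus one constructed
# truncated line (as happens when a dump is pasted mid-line) to show it is skipped.
SAMPLE = """\
nop,nop,timestamp 38859133 688839293>
23:31:06.131588 IP 192.168.1.12.33061 > 192.168.1.102.445: P 27920:28000(80) ack 57586 win 4802 <nop,nop,timestamp 38795409 688201900>
23:31:06.132013 IP 192.168.1.102.445 > 192.168.1.12.33061: P 57586:57751(165) ack 28000 win 4344 <nop,nop,timestamp 688201900 38795409>
23:31:06.132654 IP 192.168.1.12.35202 > 192.168.1.101.445: P 27920:28000(80) ack 51653 win 5360 <nop,nop,timestamp 38795409 3885013>
23:31:06.168502 IP 192.168.1.12.33061 > 192.168.1.102.445: . ack 57751 win 4802 <nop,nop,timestamp 38795413 688201900>
"""

# tcpdump IPv4/TCP line: "<time> IP <src>.<sport> > <dst>.<dport>: <flags> [<seq>:<seq>(<len>)] ..."
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"(?P<flags>\S+)(?: \d+:\d+\((?P<len>\d+)\))?"
)

# Assumed, deliberately short service table; extend as needed.
KNOWN_PORTS = {445: "microsoft-ds (SMB over TCP)", 139: "netbios-ssn", 22: "ssh", 80: "http"}

def summarize(dump):
    """Aggregate lines into (client, server, port) flows. Heuristic: the lower port is the server."""
    flows = defaultdict(lambda: {"packets": 0, "bytes_out": 0, "bytes_in": 0})
    for line in dump.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # truncated or non-TCP line: ignore rather than guess
        src, sport, dst, dport = m["src"], int(m["sport"]), m["dst"], int(m["dport"])
        payload = int(m["len"] or 0)  # pure ACKs carry no seq range, so 0 bytes
        if dport <= sport:  # client -> server
            f = flows[(src, dst, dport)]
            f["bytes_out"] += payload
        else:  # server -> client reply
            f = flows[(dst, src, sport)]
            f["bytes_in"] += payload
        f["packets"] += 1
    return dict(flows)

def report(flows):
    """One line per flow, busiest first, with the service name where known."""
    rows = sorted(flows.items(), key=lambda kv: -(kv[1]["bytes_out"] + kv[1]["bytes_in"]))
    return "\n".join(
        f"{c} -> {s}:{p} [{KNOWN_PORTS.get(p, 'unknown')}] "
        f"{f['packets']} pkts, {f['bytes_out']} B out, {f['bytes_in']} B in"
        for (c, s, p), f in rows
    )

if __name__ == "__main__":
    print(report(summarize(SAMPLE)))
```

Feeding a real capture is `tcpdump -i eth0 -n > dump.txt` and then `summarize(open("dump.txt").read())`; a host that appears as the client of many flows to port 445 on every LAN address, as here, is running an SMB client (the SMB4k browser the thread ends on), not being attacked.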

AmdMhz 11-03-2004 10:47 PM

My slack box above is hitting all IPs and several different ports. Below is my Knoppix dump, which is only going to one other IP address.

nop,nop,timestamp 38859133 688839293>
10:40:40.792319 IP 192.168.1.12.33061 > 192.168.1.102.445: P 12240:12320(80) ack 25246 win 4802 <nop,nop,timestamp 38859133 688839293>
10:40:40.793923 IP 192.168.1.102.445 > 192.168.1.12.33061: P 25246:25411(165) ack 12320 win 4344 <nop,nop,timestamp 688839294 38859133>
10:40:40.828353 IP 192.168.1.12.33061 > 192.168.1.102.445: . ack 25411 win 4802 <nop,nop,timestamp 38859137 688839294>
10:40:41.052888 IP 192.168.1.12.33061 > 192.168.1.102.445: P 12320:12400(80) ack 25411 win 4802 <nop,nop,timestamp 38859159 688839294>
10:40:41.053539 IP 192.168.1.102.445 > 192.168.1.12.33061: P 25411:25576(165) ack 12400 win 4344 <nop,nop,timestamp 688839554 38859159>
10:40:41.053676 IP 192.168.1.12.33061 > 192.168.1.102.445: . ack 25576 win 4802 <nop,nop,timestamp 38859159 688839554>
10:40:41.053789 IP 192.168.1.12.33061 > 192.168.1.102.445: P 12400:12480(80) ack 25576 win 4802 <nop,nop,timestamp 38859159 688839554>
10:40:41.055399 IP 192.168.1.102.445 > 192.168.1.12.33061: P 25576:25741(165) ack 12480 win 4344 <nop,nop,timestamp 688839556 38859159>
10:40:41.088377 IP 192.168.1.12.33061 > 192.168.1.102.445: . ack 25741 win 4802 <nop,nop,timestamp 38859163 688839556>

Sorry, I am new to this. Just trying to understand why my slack box is making my router lights go crazy ;)

AmdMhz 11-03-2004 11:02 PM

Thanks for your help. I found the problem.. It is SMB4k ... That program is wigging stuff out. I am going to get rid of it and just do my shares via command line. Thanks for your help all.

