possible security breach
 

Hi folks,

I have just come hoe, and notice my modem and router lights going like mad.

Checked the logs, noth major I had a visit from google bot over night, and a yahoo bot.

Killed all of my port forwards on the router, still flashing like mad.

So me in nievity, thinks its out going. How do I check that?

...PAnic what can I do.

Sounds like a power surge. If you haven't done so power down your modem and router wait 15 seconds and power them back up.

How about: $ netstat -tn
?

So you are running something potentially vulnerable, like a server.

It would be helpful to future readers if you posted a lot more information: Distro, services running (apache, ssh, telnet (the gods forbid!) etc.) See similar threads in this forum.

My suggestions:
0] Stay calm.
1] Unplug the network, before you are blacklisted, or distribute more spam and prOn.
2] Do NOT reboot or reinstall.
3] Wait for someone who knows more about this than I do to come here and help you. unSpawn, where are you? ;)

Rebooting / reinstalling may destroy the evidence you need to find out how / when they got in (if they did at all).

Be patient.

But if you are worried, please take your site offline NOW.

Like the second poster, this sounds like the router/modem may need to be power-cycled, especially since that appears to be the only symptom. But, as anomie stated, a proper nestat should be run (on each machine) to determine what may be going on. I almost never factor the state of my router lights to suspicious activity, since they are always lit anyways (I keep my machines on all the time).

Note that skiddie scripts will probably keep hammering the network with ssh brute force attempts even after the router is recycled...they are that dumb.

WTF?
i am no security expert but maybe the modem driver went
bonkers and a reboot will cure the problem

What type of modem are you talking about? 56/128 modem? DSL modem? Is this a modem/router combo?

Don't reboot the machine(s). If both (if you've one of each) are showing lit up constantly, you DO have an issue, IMO. Just make sure you aren't streaming music or using some such network multimedia app. Check all machines' network connections (before getting genuinely alarmed). I'm betting its something you may have left running and aren't accounting for.

WHY?

Modem and router have different scopes. A modem will be on a subnet to your ISPs head-end, DSLAM or whatever else equivalent. Basically (think OSI) the device doesn't concern itself with whatever traffic or traffic content goes up and down the line: it just establishes a connection between endpoints and that's about it (OK, except if somebody finds herself onto that ISP subnet and is fscking around with exposed services ;-p, very unlikely). Not telling which lights (power, upstream, downstream, link state,) go nuts doesn't help much. Modem trouble, as I've experienced it, usually points to ISP-side (common), link carrier (not that rare but depending) or physical cable (rare) or equipment (very rare and I'm no Cisco wiz) probs.

I agree that this, together with router probs, looks more like a black-out situation than anything else. If those devices are accessable (SNMP, telnet, logs over HTTP) then getting log data could help. If they don't then I agree you should move on to whichever sources you actually can get data from to establish a timeline of events before going bezerk.


Rebooting a device makes you lose all volatile data (otherwise loosely described as "evidence") like process, network and user data. You'll want to save those listings just in case.


When I'm not around you may safely assert I'm busy elsewhere. Luckily I'm not the only one who can deal with incident response in a structured way.

right ok, this is to all of you.

I have this forum setup to email me, when someone replie. it didn't:(

Whatever is do this is saturatinfg my network :(

read all the posts
 

Thanks ! I didn't get a mail to say u'd answered:

I'll take them sorta as thay came. (I've unpluged the server box, from network) now.

netsat -tn produced
I have already tried turning the modem and router off.

they being virginmedia uk, and the router is a netgear wgr614

The services I'm running are:
ssh
mail (Axigen) Apache
icecast
and ftp on port 90-91

Recently like in the last 2 days been gettin google bot (66.249.71.12)
hanging around for hours.

I do notice that you're sending a lot of requests to different SMTP (mail) servers. Does that seem unusual?

sorry ubuntu jaunty



Be patient.

very

I'm sure others will have better advice for comprehensive analysis and response than I will, but...

I'd recommend that you keep that Ubuntu box physically unplugged (ethernet cable) from the network. You're going to get blacklisted and/or contacted by your ISP regarding abuse.