Unfortunately, to use the internet I have to use my Windows partition. I have been looking at my firewall logs today and have seen
- a DoS attack
- an Attacker Seal attack
My firewall dealt with both of these attacks, but I am worried about what I see in the traffic logs. I am continually sending a UDP package to an IP address (always the same) on port 137; the machine then reciprocates a package on 138. The application involved is ntoskrnl.exe.
I'd like to be running Linux when I see things like this happening, but unfortunately I have still to configure Red Hat to my wireless network.
Has anyone heard of a tool that would cause this UDP exchange to occur? What's the best course of action from here?
Thanks, I already blocked it, but I can see in the logs it still keeps attempting to send, even after a reboot. Is this a sign that my machine has already been compromised?
Hard to say. The Windows NetBIOS service runs on port 137, so it could be legitimate traffic. If your machine is part of a network with multiple Windows systems, then you should expect to see lots of it. If you have any doubts whatsoever though, just unplug the machine from the network until you're sure it's clean.
Hopefully you have some type of antivirus software, so make sure your virus definitions are up to date. If they're not, you can download the definitions using another computer and transfer them on a floppy. If you don't have AV, this would be a pretty subtle hint that you should buy one. Then do a scan of your entire system. There are also some freeware trojan detectors that you can find with a Google search.
Are you behind a router, or a hardware firewall rather than software?
What kind of troubles are you having with your wireless network with Red Hat?
What brand is it?
Hopefully it isn't something like Belkin... :-o but even that is better than nothing.
There is a nice program called Stinger.exe that checks for the more common worms/viruses/trojans and variants. We run it on my job (over 6,000 hosts with public IPs, all connected to the internet with no firewall unless the user installs one).
Stinger.exe, ZoneAlarm, Virus Scan (McAfee) and a Mozilla install are our weapons. Most of our problems recently have come from IE letting web pages and banner ads screw around with the file system (oh, and file sharing software that comes with all types of malware/spyware/adware).
Here is the link to Stinger: http://vil.nai.com/vil/stinger/ It's from a trusted company (NAI), the same people that make McAfee Virus Scan.
Thanks, I'll check that out. I ran Spybot but I didn't find anything.
I'm not in a network, only me and the router. I'm behind 3 firewalls: the Windows XP wall, the router firewall, and a commercial wall. I think I know how to sort out Linux with the internet, it's just a case of downloading some drivers, but I haven't had the chance to do it yet. Kinda chuffed the DoS didn't even touch my system.
The application ntoskrnl.exe is your Windows kernel. If a virus somehow got in and renamed itself or attached itself to the kernel, I'd expect boot problems. With the file protection implemented in Win2k SP2, it could very well be possible.
Edited:
Felt I should elaborate. The file protection put on sys files with SP2 was put in place to protect the kernel and all sys files. If the kernel is altered, it shows up with a different name and boot.ini is edited to boot from the clean kernel. So in theory the alleged virus could be running and active as ntoskrnl.exe. I'd check my boot.ini file and see what it says; I'd also follow the above recommendations as to antivirus software. I have not yet, but will, search the security forums on this subject, as they probably have more useful info. Good luck.
With all the firewalls you have, with the exception of the Windows XP firewall, I'd suspect that you're probably safe. I don't think anyone would have the time to hack into your system unless you seriously made them angry or you have something they just gotta have.
If I understand how long it takes to hack through most routers, you're probably fine.
I would sort out your issues with Linux and the internet asap, though.
That's true, it's hardly worth the effort. But I was reading yesterday that because wireless networks operate on the unlicensed spectrum of 2.4 or 5 GHz, interference by mobile phones and microwaves can cause what appears to be DoS attacks.
I'm thinking the attacks are probably this interference, as only a really stupid hacker would keep DoS'ing my system when it achieves absolutely nothing. You are right about me getting online with Linux, maybe this weekend . . .
There are many virus variants of the mblaster and it could still possibly be one of those. There is even one that will destroy your DNS [just to annoy you].
Originally posted by dave bean:
I'm thinking the attacks are probably this interference, as only a really stupid hacker would keep DoS'ing my system when it achieves absolutely nothing. You are right about me getting online with Linux, maybe this weekend . . .
If it was interference from other wireless devices like phones or microwaves, you wouldn't see packets addressed to port 137 or any port whatsoever. I'm not an electrical engineer, but I don't think your microwave cooks food by sending NetBIOS packets at it. Usually with wireless interference either you get really bad signal degradation, to the point where it brings your network to a crawl, or it overloads that portion of the spectrum and you get something similar to a SYN flood. Either way you wouldn't be seeing structured TCP/IP packets.
I would put my money on a misconfigured system or viral-generated traffic. If you really want to find out, you can get Linux up and turn on tcpdump/Ethereal and take a look at the packets.
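Two checks come out of this thread: whether the port 137/138 traffic stays on the local subnet (broadcast name queries and browser chatter are normal; a single external host being contacted over and over is not), and whether the packets are structured NetBIOS name-service messages rather than noise. The script below is an added example, not code posted by anyone in the thread: it parses firewall log lines in a constructed personal-firewall format, tags each NetBIOS event with its scope, counts repeated external peers, and decodes a constructed NBNS query the way tcpdump/Ethereal would show it. The log format, the sample lines, the local subnet 192.168.1.0/24 and the query bytes are all assumptions made for the example.

```python
import ipaddress
import re
import struct
from collections import Counter

# Constructed log lines in a made-up personal-firewall format; not from the thread.
SAMPLE_LOG = """\
2003-10-12 20:01:03 OUT UDP 192.168.1.5:137 -> 192.168.1.255:137 ntoskrnl.exe ALLOW
2003-10-12 20:01:05 OUT UDP 192.168.1.5:137 -> 203.0.113.9:137 ntoskrnl.exe ALLOW
2003-10-12 20:01:05 IN  UDP 203.0.113.9:138 -> 192.168.1.5:138 ntoskrnl.exe ALLOW
2003-10-12 20:01:09 OUT UDP 192.168.1.5:137 -> 203.0.113.9:137 ntoskrnl.exe BLOCK
2003-10-12 20:02:15 OUT TCP 192.168.1.5:1041 -> 198.51.100.20:80 iexplore.exe ALLOW
"""

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<dir>IN|OUT)\s+(?P<proto>UDP|TCP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<app>\S+)\s+(?P<action>ALLOW|BLOCK)$"
)

# UDP ports of the NetBIOS name service and datagram service (RFC 1001/1002).
NETBIOS_UDP_PORTS = {137: "netbios-ns", 138: "netbios-dgm"}


def netbios_events(log_text, local_net=LOCAL_NET):
    """Return UDP 137/138 events, each tagged with the remote peer and whether
    that peer is the subnet broadcast, another local host, or an external address."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        e = m.groupdict()
        service = NETBIOS_UDP_PORTS.get(int(e["dport"])) or NETBIOS_UDP_PORTS.get(int(e["sport"]))
        if e["proto"] != "UDP" or service is None:
            continue
        peer = ipaddress.ip_address(e["dst"] if e["dir"] == "OUT" else e["src"])
        if peer == local_net.broadcast_address:
            scope = "broadcast"  # ordinary name-query / browser chatter on a LAN
        elif peer in local_net:
            scope = "local"
        else:
            scope = "external"   # NetBIOS has no business leaving the LAN
        events.append({**e, "service": service, "peer": str(peer), "scope": scope})
    return events


def external_netbios_peers(events, min_count=2):
    """External addresses this host keeps sending NetBIOS traffic to, blocked or not."""
    counts = Counter(e["peer"] for e in events if e["dir"] == "OUT" and e["scope"] == "external")
    return {peer: n for peer, n in counts.items() if n >= min_count}


# NBNS header opcodes (RFC 1002 section 4.2.1.1).
OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}


def first_level_encode(name, suffix=0x20):
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the suffix
    byte, then write each half-byte as a letter 'A'..'P' (32 bytes total)."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0x0F) + 0x41))


def first_level_decode(encoded):
    """Inverse of first_level_encode; returns (name, suffix)."""
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]


def parse_nbns(payload):
    """Decode the 12-byte NBNS header (same layout as DNS) and the first question."""
    if len(payload) < 12:
        raise ValueError("truncated NBNS header")
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!6H", payload[:12])
    info = {
        "txid": txid,
        "is_response": bool(flags & 0x8000),
        "opcode": OPCODES.get((flags >> 11) & 0xF, "other"),
        "broadcast": bool(flags & 0x0010),  # B bit of NM_FLAGS
        "qdcount": qdcount,
        "ancount": ancount,
    }
    if qdcount and len(payload) >= 50:
        if payload[12] != 0x20 or payload[45] != 0x00:
            raise ValueError("unexpected question name encoding")
        name, suffix = first_level_decode(payload[13:45])
        qtype, qclass = struct.unpack("!HH", payload[46:50])
        info.update(name=name, suffix=suffix, qtype=qtype, qclass=qclass)
    return info


# Constructed broadcast name query for the browser name WORKGROUP<1D>.
SAMPLE_NBNS_QUERY = (
    struct.pack("!6H", 0x8AB3, 0x0110, 1, 0, 0, 0)  # query, RD + B flags, 1 question
    + b"\x20" + first_level_encode("WORKGROUP", 0x1D) + b"\x00"
    + struct.pack("!HH", 0x0020, 0x0001)            # QTYPE=NB, QCLASS=IN
)
```

Run it with `netbios_events(SAMPLE_LOG)` and `external_netbios_peers(...)` to see that the broadcast query is tagged as normal LAN chatter while the repeated unicast to 203.0.113.9 stands out; `parse_nbns(SAMPLE_NBNS_QUERY)` decodes the kind of structured query that a packet capture on port 137 would contain, which is the point of the last reply: radio interference does not produce a well-formed NBNS header with a first-level-encoded name in it.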