LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.
Old 10-03-2002, 02:53 PM   #1
wizlan
LQ Newbie
 
Registered: Oct 2002
Posts: 5

Unknown Traffic


Hi Folks,

I have a problem. I am on RH7.3 with an ISDN connection to the net.

For the last few days I have noticed that I have a lot of traffic coming in and out of my machine when I connect to the net. There is slightly more going out than in.

I have gone through my system closing off all services (including the up2date agent) but this traffic starts as soon as I connect.

There is nothing in my mail queues (sendmail is now off) and I even rebooted the machine, same problem.

The machine has been left running with the firewall set to block everything and all services stopped (still showing this traffic though) for about 36 hours and it is still happening.

Could anyone tell me how I find out what this traffic is and where it is going?

I run apache (now stopped) and noticed in the logs requests for .exe (looked very much like an attack on Front Page enabled servers - mine is not).

None of my logs are showing anything other than normal.

I am on a static IP address and a domain is pointed to this. I am a newbie (home experimenter) and this problem is causing me alarm and making my net connection virtually useless.

 
Old 10-03-2002, 03:32 PM   #2
bsdjunkie
Member
 
Registered: Sep 2002
Distribution: slack
Posts: 39

Can you run tcpdump and paste an output of the traffic here?
 
Old 10-03-2002, 04:12 PM   #3
wizlan
LQ Newbie
 
Registered: Oct 2002
Posts: 5

Original Poster
Hi there,

Thanks for the reply - tcpdump is weird ...

22:14:48.871771 pc121154.kyunghee.ac.kr.radius > mrl.claranet.co.uk.radius: rad-#0 41 [id 0] Attr[ Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action Term_action

so on and so forth ad infinitum!!

The reference to Claranet ties in with an OLD username for my dialup account?

Cheers again,

Mike
 
Old 10-03-2002, 04:16 PM   #4
wizlan
LQ Newbie
 
Registered: Oct 2002
Posts: 5

Original Poster
BTW, that address is a Korean uni!

This is starting to look bad.
 
Old 10-03-2002, 04:27 PM   #5
bsdjunkie
Member
 
Registered: Sep 2002
Distribution: slack
Posts: 39

I've never seen that Term_action b4, and find almost nothing on Google with it... I did find these posts, but can't read the language and Babelfish doesn't help... It does look like a hack though ;(

http://www.linux.cz/lists/archive/linux/164609.html
http://www.linux.cz/lists/archive/linux/164526.html

I'd unplug your system from the internet, grab what you need and do a reinstall from scratch.
 
Old 10-03-2002, 04:32 PM   #6
wizlan
LQ Newbie
 
Registered: Oct 2002
Posts: 5

Original Poster
Thanks for your efforts, it is appreciated.

I was afraid it was coming to that (reinstall)! Mind you, it is a good excuse to get RH8 I guess.

Thanks again
 
Old 10-07-2002, 08:16 PM   #7
shadfiel
LQ Newbie
 
Registered: Oct 2002
Location: Vancouver, Canada
Distribution: Red Hat, Suse, Gentoo, Mandrake
Posts: 15

Slapper worm

It sounds to me like you've got the linux slapper worm. Check out:
http://www.symantec.com/avcenter/ven...pper.worm.html
http://www.symantec.com/avcenter/ven...slapper.d.html

Look for the files specified in here to find out if that's what it is. Supposedly it modifies /etc/crontab so that it will be loaded sometime in the future. It also tries to write to some binary files so a re-install will likely be necessary.

I got infected with this worm too and shortly after infection my tcpdump started printing out that garbage as well.

Scott
 
Old 10-09-2002, 07:54 PM   #8
wizlan
LQ Newbie
 
Registered: Oct 2002
Posts: 5

Original Poster
Thanks for the replies.

I have done a complete reinstall of the system (including a new disk as the old one was dodgy).

I had trouble getting online again and, to cut a long story short, as soon as my machine connected using my static IP address the same thing started to happen.

I used Ethereal to look at the packets and there's a lot of activity on the RADIUS port (1812) and the ICMP port - both UDP; the source hosts are many and varied. I am confused, I do not know too much about this type of thing.

I have closed down ALL services and firewalled. I have set some of the addresses as hostile but there are too many different addresses to add manually.

I cannot find out how to shut this traffic down and am very reluctant to reinstall again, especially when it only happens with this one IP address?

Any thoughts or suggestions very welcome indeed.

Best wishes,
Mike
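Mike's original question (post #1) was how to find out what the traffic is and where it is going, and his last post narrows it to many different remote hosts all hitting UDP port 1812 (RADIUS) on his static address. The following script is an added example, not code from anyone in this thread: it parses tcpdump text of the form quoted in post #3, counts packets in and out relative to the local host, and flags any local port that receives packets from several distinct remote hosts although no service is running there, which is exactly the "many and varied sources on port 1812" pattern. The sample capture is constructed; apart from the two hostnames quoted in the thread, every host in it is made up, and the service-name-to-port table is an assumption about what tcpdump prints from /etc/services.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample capture in the style of the tcpdump line quoted in the
# thread. The two hostnames from that line are kept; all other hosts are made up.
SAMPLE_TCPDUMP = """\
22:14:48.871771 pc121154.kyunghee.ac.kr.radius > mrl.claranet.co.uk.radius: rad-#0 41 [id 0] Attr[ Term_action Term_action Term_action
22:14:48.902113 host-a.example.net.radius > mrl.claranet.co.uk.radius: rad-#0 41 [id 0] Attr[ Term_action Term_action
22:14:49.011204 host-b.example.org.radius > mrl.claranet.co.uk.radius: rad-#0 41 [id 0] Attr[ Term_action
22:14:49.120508 host-c.example.com.radius > mrl.claranet.co.uk.radius: rad-#0 41 [id 0] Attr[ Term_action Term_action Term_action Term_action
22:14:49.300001 mrl.claranet.co.uk.radius > host-a.example.net.radius: rad-#0 41 [id 0] Attr[ Term_action
22:14:49.400002 ns.example.net.domain > mrl.claranet.co.uk.32771: 4321 1/0/0 A 192.0.2.10 (44)
"""

# tcpdump prints service names it finds in /etc/services. This small map
# (an assumption, not from the thread) turns the common ones back into numbers.
SERVICE_PORTS = {"radius": 1812, "domain": 53, "www": 80, "http": 80, "ntp": 123}

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s*(?P<rest>.*)$"
)


@dataclass
class Packet:
    ts: str
    src_host: str
    src_port: Optional[int]
    dst_host: str
    dst_port: Optional[int]
    summary: str  # the decoded payload text after the colon


def split_endpoint(endpoint: str):
    """Split tcpdump's 'host.port' form on the last dot; the port may be a name or a number."""
    host, _, port = endpoint.rpartition(".")
    if not host:
        return endpoint, None
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port)


def parse_line(line: str) -> Optional[Packet]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a packet line (tcpdump banner, truncated line, ...)
    sh, sp = split_endpoint(m["src"])
    dh, dp = split_endpoint(m["dst"])
    return Packet(m["ts"], sh, sp, dh, dp, m["rest"])


def parse_capture(text: str):
    return [p for p in (parse_line(ln) for ln in text.splitlines()) if p]


def count_attr(pkt: Packet, name: str = "Term_action") -> int:
    """How often one attribute name repeats in the decoded payload (the oddity noticed in post #3)."""
    return pkt.summary.split().count(name)


def direction_counts(packets, local_host: str):
    """(inbound, outbound) packet counts relative to the local host."""
    inbound = sum(1 for p in packets if p.dst_host == local_host)
    outbound = sum(1 for p in packets if p.src_host == local_host)
    return inbound, outbound


def inbound_by_port(packets, local_host: str):
    """Map each local destination port to the set of remote hosts that sent to it."""
    sources = defaultdict(set)
    for p in packets:
        if p.dst_host == local_host and p.src_host != local_host:
            sources[p.dst_port].add(p.src_host)
    return sources


def flag_unsolicited_services(packets, local_host: str, running_services=frozenset(), min_sources: int = 3):
    """Local ports that serve nothing you know of, yet receive packets from at least
    min_sources distinct remote hosts. Returns [(port, n_sources, n_packets)], busiest first."""
    flagged = []
    for port, hosts in inbound_by_port(packets, local_host).items():
        if port in running_services or len(hosts) < min_sources:
            continue
        n_pkts = sum(1 for p in packets if p.dst_host == local_host and p.dst_port == port)
        flagged.append((port, len(hosts), n_pkts))
    return sorted(flagged, key=lambda t: -t[1])


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_TCPDUMP)
    me = "mrl.claranet.co.uk"
    print("inbound/outbound:", direction_counts(pkts, me))
    for port, n_src, n_pkt in flag_unsolicited_services(pkts, me):
        print(f"port {port}: {n_src} distinct sources, {n_pkt} packets, no local service expected")
```

To use it on a live link, save the output of `tcpdump` (with `-n` if you want raw addresses; the last-dot split handles `192.0.2.10.1812` as well as resolved names) to a file and pass its contents to `parse_capture`. A port flagged here with no service behind it says only that many strangers are sending to it; what Mike's capture shows is traffic that continues after every service is stopped, which is why the replies in this thread treat the host itself, not the network, as the thing to examine.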
 