LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 02-17-2004, 01:49 PM   #1
kaz4u2dig
Member
 
Registered: Jan 2004
Distribution: Suse Pro 9.0
Posts: 84

Rep: Reputation: 15
Being Hacked Please Help Friends...


I have been trying to get my linux box up and running for a while and I got stuck on some hardware issues. I am ready to begin again but:
This is the message I sent to my ISP.

I have a Linux machine and two XP machines, a belkin router, and a generic modem (grey top & black face).
I put my upstairs machine on DMV for gaming purposes and some remote machine software
well my internet has been going in and out. One minute its working the next its not.
I talked to RR support and they did a test on my line directly to a computer. I have
reset the modem, router, and computers exactly as needed, and still the connection will
work for a couple hours and then it won't work for a couple hours. I looked in my router
log and it tells me this:
>Security log for my Router
>2003/12/02 08:16:43 DHCP Client : Send Discover
>2004/02/16 12:58:32 DHCP Client : Receive Offer from 24.93.41.146
>2004/02/16 12:58:37 DHCP Client : Send Request, Request IP = XX.XX.XX.XX
>2004/02/16 12:58:37 DHCP Client : Receive Ack from 24.93.41.146, Lease time
>= 86394
>2004/02/16 12:50:37 192.168.2.74 login successful
>2004/02/16 12:56:17 DHCP Client : Send Release
>2004/02/16 12:56:26 DHCP Client : Send Discover
>2004/02/16 12:56:26 DHCP Client : Receive Offer from 24.93.41.146
>2004/02/16 12:56:32 DHCP Client : Send Request, Request IP = XX.XX.XX.XX
>2004/02/16 12:56:32 DHCP Client : Receive Ack from 24.93.41.146, Lease time
>= 85783
>2004/02/16 12:56:47 DHCP Client : Send Release
>2004/02/16 12:56:56 DHCP Client : Send Discover
>2004/02/16 12:56:56 DHCP Client : Receive Offer from 24.93.41.146
>2004/02/16 12:57:02 DHCP Client : Send Request, Request IP = XX.XX.XX.XX
>2004/02/16 12:57:02 DHCP Client : Receive Ack from 24.93.41.146, Lease time
>= 85753

Now this person (24.93.41.146) sent some packets (Ack) to block my signal...
or something like that...
I looked it up on google and I found this document:

<<<<<<<um... maybe i'm missing the clue here, but if the router vendors add
something that shuts down an interface if the SYN/SYN-ACK/ACK ratio
becomes too bad make it *easier* for me if i'm doing a denial of service
attack on a host?

instead of denying service to a given host, all i have to do is drive
the router into alarm mode so it shuts off the interface and then i get
to deny service to an entire segment and everything downstream from that
segment...>>>>>>>
This person (24.93.41.146) has been denying me service and I don't know how
to stop him. I have traced that IP address and it says he's a Road Runner Customer.
Please help me stop this malicious act. I would like to press charges if possible.

CAN YOU GUYS HELP ME SQUASH THIS BUG (24.93.41.146) PLEASE...

I JUST WANT TO LEARN LINUX AND START A WEB SERVER

AND THIS GUY IS CAUSING ME ALOT OF PROBEMS AND MY ISP WON'T

DO ANYTHING ABOUT IT...

Last edited by kaz4u2dig; 02-17-2004 at 01:53 PM.
 
Old 02-17-2004, 02:30 PM   #2
Soulful93
Member
 
Registered: Dec 2003
Location: Denver, CO
Distribution: SuSE 9.2 Slackware 10.1
Posts: 137

Rep: Reputation: 15
If you have his isp information just notify them, and send them all the information you have.
 
Old 02-17-2004, 02:30 PM   #3
Booster
Member
 
Registered: Sep 2003
Location: Ontario, Canada
Distribution: Gentoo, Suse
Posts: 59

Rep: Reputation: 15
Not really an answer here (I only have a minute ).....but, it might be a good idea to post your router's forwarding rules here - I'm sure if you do that someone will quickly offer a suggestion to help secure it.
 
Old 02-17-2004, 02:43 PM   #4
benjithegreat98
Senior Member
 
Registered: Dec 2003
Location: Shelbyville, TN, USA
Distribution: Fedora Core, CentOS
Posts: 1,019

Rep: Reputation: 45
Would it be possible for you to set a rule in your belkin router to just deny or drop any traffic orginating from that IP address?
 
Old 02-17-2004, 02:46 PM   #5
t3___
Member
 
Registered: Sep 2003
Posts: 240

Rep: Reputation: 30
edited - lame oversight on my part...

Last edited by t3___; 02-17-2004 at 05:59 PM.
 
Old 02-17-2004, 05:13 PM   #6
bnice
Member
 
Registered: Feb 2004
Location: Sacramento, CA
Distribution: Slack 9.1, slackware-current
Posts: 284

Rep: Reputation: 30
That *IS* your isp...

dhcp server to be exact.
 
Old 02-17-2004, 05:17 PM   #7
t3___
Member
 
Registered: Sep 2003
Posts: 240

Rep: Reputation: 30
edited - lame oversight on my part...

Last edited by t3___; 02-17-2004 at 05:59 PM.
 
Old 02-17-2004, 05:46 PM   #8
bnice
Member
 
Registered: Feb 2004
Location: Sacramento, CA
Distribution: Slack 9.1, slackware-current
Posts: 284

Rep: Reputation: 30
Quote:
Originally posted by t3___
??? that is what the ip address he posted resolved to???

Router logs tend to scare people...

TCP/IP ain't voodoo...


Quote:
DHCP Client : Send Discover
looking for server

Quote:
DHCP Client : Receive Offer from 24.93.41.146
DHCP server offering services

Quote:
DHCP Client : Send Request, Request IP = XX.XX.XX.XX
router's DHCP client asking for address

Quote:
DHCP Client : Receive Ack from 24.93.41.146, Lease time = 85753
DHCP server acknowledges request, (ACK=acknowledge) assigns (address) lease for 85753 seconds
 
Old 02-17-2004, 05:50 PM   #9
Rick485
Member
 
Registered: Sep 2003
Location: Arizona
Distribution: Kubuntu 8.04
Posts: 202

Rep: Reputation: 30
I do not know much about denial of service attacks but here a few thoughts. I am not sure what type of routers you Internet provider uses but their routers most likely have built in firewalls. I recently took a class on using Cisco routers. In one assignment we had to create an access control list that would tell a Cisco router to block a specific IP address from accessing another specific IP address. Perhaps you could call your Internet provider and ask them to block that specific IP address from reaching your IP address. If they use extended access lists they would most likely do it on a border router that sits between them and the rest of the Internet. They could modify their access control list to block either the incoming or out outgoing packets for that IP address or both. If they use some other brand of routers they could still probably do something similar.

I also used the command whois 24.93.41.146 which is probably what you used to get more information on that IP address. Did you notice that the whois command give an email address, an telephone number and a mailing address for the company that owns that range of IP addresses. You could try contacting them about your problem. I also tried using dig 24.93.41.146.

My knowledge of computer security is still somewhat limited. I hope to learn more about that someday. I have never used DHCP assigned IP address much becuase we mostly just used static IP addresses in the class. I have a dial-up connection and have never used a router at home. In Linux you are most likely using an iptables firewall. I have not played with it much but it also has the ability to block a specific incoming IP address. It can even be fine tuned to allow or deny the use of specific incoming or outgoing ports for specific IP addresses.

Just to be safe I would also hope that you have installed all the latest security patches for both Linux and Windows. At the moment, with Red Hat 9.I can still just click an icon on the taskbar to download the latest security patches and updates. That probably would not help with a DOS attack but is a precation that should be done anyway. I should also add that I do not know enough about using DHCP to know if you have identified you basic problem correctly or not. I will just assume that what you said is correct. One other question is, does the DHCP server assign you different IP addresses at different times? If it sometimes gives you a different IP address how does he still find you?

One other idea that might or might not help anything it to put this in the hosts table in both Linux and Windows:

127.0.0.1 24.93.41.14

If your computer tries to answer him the answer will be sent to your loopback address instead of his IP address. In both Windows and Linux I have a long list of advertising related IP address that I block block in that manner. This hosts file is located int the /etc directory. However, I do not know enough to know if you computer is trying to answer him or not.
 
Old 02-17-2004, 05:56 PM   #10
Rick485
Member
 
Registered: Sep 2003
Location: Arizona
Distribution: Kubuntu 8.04
Posts: 202

Rep: Reputation: 30
Actually, as I think futher are you sure that 24.93.41.14 is not the IP address of your DHCP server. As I mentioned, I do not know much about DHCP. What bnice said reminded me that it sounds like you are describing the normal process and negotiating the temporary use of a DHCP assigned IP address. Are you sure that you really have a denail of service attack. Perhaps not.
 
Old 02-17-2004, 07:03 PM   #11
Electro
LQ Guru
 
Registered: Jan 2002
Posts: 6,042

Rep: Reputation: Disabled
Assuming DMV as DMZ. Turning on DMZ in a router to send all packets to a certain computer that has a specific IP address. This is very, very risky. You have to setup a firewall (port filter or packet filter) to secure your web server. You may want to search the internet on how to make LINUX more secured and what kind of attacks are there.

DHCP is used if you have several hundred computers on your network. It will take a long time to assign IP addresses to each computer manually. A DHCP server does the hard work giving an IP address to the computer if they ask for one. You can setup permanent (static) IP address but pick an IP address that is not used. In a DHCP server you can specify the range of IP addresses that it assigns. The rest is for you to use for something else like a computer that has static IP address.

The HOSTS file is used when you are visiting sites not the other way around. The hosts.allow and hosts.deny is where you put the address to block them coming in. Though xinetd is used on many latest LINUX distributions that can block certain IP address or all of them if you really, really paranoid.

After you got the firewall setup and running, go to http://www.nessus.org/ and test your firewall configuration. It will do some real attacks to see if your server can stand up to them.

Go to ipchicken.com if you want to find out your IP address for your internet connection. You can parse the page if your connection is a dynamic internet connection. Many are dynamic for security purposes.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Hello friends hemagiri LinuxQuestions.org Member Intro 3 12-31-2004 09:21 PM
hello friends palletooru Linux - Software 2 11-05-2004 08:06 AM
Hello there Friends!! FearPasion710 LinuxQuestions.org Member Success Stories 1 10-05-2003 10:37 AM
Hi Friends sagarwal LinuxQuestions.org Member Intro 1 05-28-2003 02:52 AM
Not likely to win friends... davecs Linux - General 6 03-06-2003 04:40 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 08:26 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration