Greetings!

I'm running a RedHat DNS server and believe I've been attacked! When it's plugged in, my network segment utilization jumps to almost 100% and I get tons of protocols that aren't running on the server appearing on the segment (There are protocols that I dind't even know about: CALLBOOK? CSP2? CSP3? ICHAT? TIMBUCKTU? SYBASE-SQLANYWHERE?). Also I can attribute over 50% of this crap to 1 IP address out of China. I'm not a Linux person and I inherited this problem. Can someone help figure out what's going on? I'm thinking that I could drop that IP in an ACL somehow, but I suspect there's some nasty program running on the server or it's being used as some sort of relay...

Thanks
chereth@tcsweb.com

Moved: This thread is more suitable in Linux-Security and has been moved accordingly to help your thread/question get the exposure it deserves.

I'm not a Linux person and I inherited this problem.
Do you want to become a Linux admin? Are there any Linux admins in the company? Does "inherited" convey you don't feel like you're the problem owner? If so, and if there are no Linux admins around, wouldn't bringing in a temporary Linux admin be a more professional solution?


I'm running a RedHat DNS server
Which release? Was it regularly updated? Was it hardened?
Is it a master or a slave? Does it run other services besides DNS?


and believe I've been attacked!
Log excerpts please.


Also I can attribute over 50% of this crap to 1 IP address out of China.
Then block the IP and check adjacent boxen for same IP/range traffic.


I suspect there's some nasty program running on the server or it's being used as some sort of relay...
What gives you that idea? Can you verify there are no unwanted accounts on the box?
Have you checked the logs? Can you verify the state of the system against RPM's from install CDR's or mirror?
Did you run Chkrootkit or Rkhunter on the box?


*If you want to post logs that are too big, post a D/L location instead.