Linux - Security forum (LinuxQuestions.org): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
04-05-2007, 06:54 PM | #1
LQ Newbie | Registered: Jul 2003 | Location: Michigan | Posts: 21
My box is spamming my router
hey guys, I have a bad feeling I've been hacked.
This afternoon, I suddenly lost internet access. I wasn't thinking much of it, just rebooted the Cable modem and the router, and expected all to be good. Didn't happen.
I then noticed that the eth0 section in gkrellm was maxed out on my webserver. I ran top and saw ntpd was using up a good chunk of the CPU, so I stopped the service. Network traffic didn't change though. So I fired up Ethereal and it was flooded with packets. I'm getting tons and tons of these:
Netgear_01:92:33 Brodcast XID Basic Format; Type 1 LLC (Class I LLC); window size 0
LinksysG_cc:57:a8 broadcast ARP Who has 192.168.1.100? Tell 192.168.1.1
The router is a Linksys wireless router, and I'm running the standard 192.168.1.0 network.
Any time I enable the interface or plug it back into the router, it starts this packet flooding.
I checked out messages and secure; both are 0 bytes.
Any ideas what I can do to try to get my box back to normal (without starting over)?
I'm running Fedora 4.
Thanks!
Jake
04-05-2007, 07:00 PM | #2
LQ Newbie | Original Poster | Registered: Jul 2003 | Location: Michigan | Posts: 21
I just tried going to google while capturing packets, and it seems to take every packet and "multiply" it thousands of times. It did a DNS request to find google, and I get thousands of these:
68.87.77.130 192.168.1.97 DNS Standard query responce CNAME www.l.google.com
68.87.77.130 is the DNS server Comcast is giving me.
Don't know if this helps.
04-06-2007, 12:04 AM | #3
Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
ARP traffic is normal to some degree. On some cable networks it can be an issue if your modem doesn't filter traffic from other hosts on your subnet. First question: are any of those IPs yours? Who is 192.168.1.0, 192.168.1.1, 192.168.1.100, 192.168.1.97?
Second, note that when capturing packets, make sure that name resolution is off; otherwise, for every packet your own system will try to query the name server for each IP (for tcpdump use -n).
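The symptom the OP describes in posts #1 and #2 (the same ARP who-has and the same DNS reply showing up thousands of times) and the advice in this reply (capture with name resolution off, so the capture itself does not generate traffic) can both be put to work on a capture file. The following script is an added example, not code from the thread or from the tcpdump project: it reads `tcpdump -n -tt` summary lines, counts ARP requests per second, and measures how often exactly identical summaries repeat, which is what a faulty or looped switch port looks like on the wire. The sample lines are constructed to resemble the OP's Ethereal output (the DNS server address is the one from post #2; the answer address 192.0.2.10 is a documentation address), and the two thresholds are assumptions to tune for your LAN.

```python
"""Added example (not from the thread): triage `tcpdump -n -tt -i eth0`
summary lines for an ARP request storm and for frames that repeat over
and over. Sample lines are constructed; thresholds are assumptions."""
import re
from collections import Counter

# `tcpdump -tt` prints an epoch timestamp with microseconds before each summary.
LINE_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+(?P<summary>.+)$")
# ARP request summary as tcpdump prints it with -n (no name resolution).
ARP_REQ_RE = re.compile(r"ARP, Request who-has (\S+) tell (\S+)")


def parse_line(line):
    """Split one tcpdump line into (timestamp, summary); None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return float(m.group("ts")), m.group("summary")


def analyze(lines, arp_rate_threshold=50, dup_ratio_threshold=10.0):
    """Count ARP requests per second and how often identical summaries repeat.

    A healthy LAN shows a handful of ARP requests per second and few exact
    duplicates; a looped or faulty switch port replays the same frame many
    times, which shows up as a very high duplicate ratio (total / unique)."""
    arp_per_second = Counter()
    summaries = Counter()
    total = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip blank or unparseable lines
        ts, summary = parsed
        total += 1
        summaries[summary] += 1
        if ARP_REQ_RE.search(summary):
            arp_per_second[int(ts)] += 1

    unique = len(summaries)
    dup_ratio = round(total / unique, 2) if unique else 0.0
    peak_arp = max(arp_per_second.values(), default=0)
    findings = []
    if peak_arp > arp_rate_threshold:
        findings.append(f"ARP storm: {peak_arp} requests in one second")
    if dup_ratio > dup_ratio_threshold:
        top_summary, top_count = summaries.most_common(1)[0]
        findings.append(f"frames repeated {dup_ratio}x on average; "
                        f"top: {top_count}x '{top_summary}'")
    return {"total": total, "unique": unique, "dup_ratio": dup_ratio,
            "peak_arp_per_sec": peak_arp, "findings": findings}


def make_sample(repeats):
    """Constructed `tcpdump -n -tt` lines modelled on the OP's Ethereal output:
    one ARP who-has and one DNS CNAME reply, each seen `repeats` times within
    the same second, plus one ordinary TCP SYN. Not real captured data."""
    base = 1175813640.0  # arbitrary epoch second
    lines = []
    for i in range(repeats):
        t = base + i / max(repeats, 1)  # spread the copies across one second
        lines.append(f"{t:.6f} ARP, Request who-has 192.168.1.100 "
                     "tell 192.168.1.1, length 46")
        lines.append(f"{t:.6f} IP 68.87.77.130.53 > 192.168.1.97.32771: "
                     "4711 2/0/0 CNAME www.l.google.com., A 192.0.2.10 (80)")
    lines.append(f"{base + 0.5:.6f} IP 192.168.1.97.45210 > 192.0.2.10.80: "
                 "Flags [S], seq 1, win 5840, length 0")
    return lines


if __name__ == "__main__":
    for label, repeats in (("quiet link", 1), ("looped port", 500)):
        print(label, analyze(make_sample(repeats)))
```

To run it on a real capture, save the output of `tcpdump -n -tt -i eth0` to a file and pass its lines to `analyze()`. The duplicate ratio is the more telling number for the case in this thread: a genuine ARP scan from a compromised host produces many different who-has targets, whereas a bad port replays the same frame, so the unique count stays tiny while the total climbs.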
04-06-2007, 12:24 PM | #4
LQ Newbie | Original Poster | Registered: Jul 2003 | Location: Michigan | Posts: 21
Thanks very much for the reply.
After much suffering, it turns out to be a bad port on the switch. Seems to be good now.
Still strange why the secure and messages logs were empty, but things seem normal at the moment.
Really appreciate the response!