LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 04-05-2007, 06:54 PM   #1
inspleak
LQ Newbie
 
Registered: Jul 2003
Location: Michigan
Posts: 21

Rep: Reputation: 15
My box is spamming my router


hey guys, I have a bad feeling I've been hacked.

This afternoon, I suddenly lost internet access. I wasn't thinking much of it, just rebooted the Cable modem and the router, and expected all to be good. Didn't happen.

I then noticed that the eth0 section in gkrellm was maxed out on my webserver. I ran TOP and saw ntpd was using up a good chunk of the cpu, so I stopped the service. Network traffic didn't change though. So I fired up ethereal and it was flooded with packets. I'm getting tons and tons of these:

Netgear_01:92:33 Broadcast XID Basic Format; Type 1 LLC (Class I LLC); window size 0
LinksysG_cc:57:a8 Broadcast ARP Who has 192.168.1.100? Tell 192.168.1.1

The router is a linksys wireless router, and I'm running the standard 192.168.1.0 network.

Any time I enable the interface or plug it back into the router, it starts this packet flooding.

I checked out messages and secure; both are 0 bytes.

Any ideas what I can do to try to get my box back to normal (without starting over)?

I'm running Fedora 4.

Thanks!
Jake
 
Old 04-05-2007, 07:00 PM   #2
inspleak
LQ Newbie
 
Registered: Jul 2003
Location: Michigan
Posts: 21

Original Poster
Rep: Reputation: 15
I just tried going to google while capturing packets, and it seems to take every packet and "multiply" it thousands of times. It did a DNS request to find google, and I get thousands of these:

68.87.77.130 192.168.1.97 DNS Standard query response CNAME www.l.google.com

68.87.77.130 is the DNS server comcast is giving me.

Don't know if this helps.
 
Old 04-06-2007, 12:04 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
ARP traffic is normal to some degree. On some cable networks it can be an issue if your modem doesn't filter traffic from other hosts on your subnet. First question: are any of those IPs yours? Who is 192.168.1.0, 192.168.1.1, 192.168.1.100, 192.168.1.97?

Second, note that when capturing packets, make sure that name resolution is off; otherwise, for every packet, your own system will try to query the name server for each IP (for tcpdump, use -n).
 
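A triage check for the symptom Capt_Caveman is asking about, added here as an example (it is not code from the thread): it reads `tcpdump -n -e` output (the `-n` turns off the name resolution he warns about), counts how many identical ARP requests and identical DNS replies arrive within one second, and flags the kind of frame duplication that the thread eventually traced to a faulty switch port. The capture lines, MAC addresses and the `triage()` function are constructed for this example and assume the standard tcpdump `-n -e` line layout.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -e -i eth0` output (not a real capture);
# the IPs are the ones quoted in the thread, the MACs are made up. Lines 1-4
# repeat one ARP request, lines 5-7 repeat one DNS reply (transaction id 4660).
SAMPLE_CAPTURE = """\
12:04:00.000100 00:00:00:cc:57:a8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.100 tell 192.168.1.1, length 28
12:04:00.000200 00:00:00:cc:57:a8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.100 tell 192.168.1.1, length 28
12:04:00.000300 00:00:00:cc:57:a8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.100 tell 192.168.1.1, length 28
12:04:00.000400 00:00:00:cc:57:a8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.100 tell 192.168.1.1, length 28
12:04:00.000500 00:00:00:cc:57:a8 > 00:00:00:12:34:56, ethertype IPv4 (0x0800), length 106: 68.87.77.130.53 > 192.168.1.97.32769: 4660 1/0/0 CNAME www.l.google.com. (64)
12:04:00.000600 00:00:00:cc:57:a8 > 00:00:00:12:34:56, ethertype IPv4 (0x0800), length 106: 68.87.77.130.53 > 192.168.1.97.32769: 4660 1/0/0 CNAME www.l.google.com. (64)
12:04:00.000700 00:00:00:cc:57:a8 > 00:00:00:12:34:56, ethertype IPv4 (0x0800), length 106: 68.87.77.130.53 > 192.168.1.97.32769: 4660 1/0/0 CNAME www.l.google.com. (64)
12:04:01.000100 00:00:00:cc:57:a8 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.50 tell 192.168.1.1, length 28
"""

# Timestamp to the second, then the ARP target and sender ("who-has X tell Y").
ARP_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ (\S+) > (\S+), ethertype ARP.*?who-has (\S+) tell (\S+),")
# Timestamp, resolver IP (port 53), client IP and the DNS transaction id.
DNS_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ .*?: (\d+\.\d+\.\d+\.\d+)\.53 > (\d+\.\d+\.\d+\.\d+)\.\d+: (\d+) ")


def triage(capture, local_ips, dup_threshold=3):
    """Count identical ARP requests / DNS replies per second and say whether the
    repetition looks like layer-2 duplication rather than real host activity."""
    arp_per_sec = Counter()  # (second, target, sender) -> copies seen
    dns_per_sec = Counter()  # (second, resolver, client, txid) -> copies seen
    ips_seen = set()
    for line in capture.splitlines():
        m = ARP_RE.match(line)
        if m:
            sec, _src_mac, _dst_mac, target, sender = m.groups()
            arp_per_sec[(sec, target, sender)] += 1
            ips_seen.update((target, sender))
            continue
        m = DNS_RE.match(line)
        if m:
            sec, resolver, client, txid = m.groups()
            dns_per_sec[(sec, resolver, client, txid)] += 1
            ips_seen.update((resolver, client))
    arp_peak = max(arp_per_sec.values(), default=0)
    dns_peak = max(dns_per_sec.values(), default=0)
    # A host retransmits an ARP request about once a second, and a resolver
    # never repeats one reply (same txid) several times within a second.
    duplicated = arp_peak >= dup_threshold or dns_peak >= dup_threshold
    return {
        "arp_peak": arp_peak,
        "dns_peak": dns_peak,
        "local_involved": sorted(ips_seen & set(local_ips)),  # Capt_Caveman's question
        "verdict": ("identical frames repeated: suspect a layer-2 fault (bad switch port or loop)"
                    if duplicated else "ARP/DNS volume looks like normal chatter"),
    }
```

Run it on a real capture with `tcpdump -n -e -i eth0 -c 2000 | python3 -c '...'`-style piping, passing your own addresses as `local_ips`; the threshold is deliberately low so that genuine retransmissions do not trip it.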
Old 04-06-2007, 12:24 PM   #4
inspleak
LQ Newbie
 
Registered: Jul 2003
Location: Michigan
Posts: 21

Original Poster
Rep: Reputation: 15
Thanks very much for the reply.

After much suffering, it turns out to be a bad port on the switch. Seems to be good now.
Still strange why the secure and messages logs were empty, but things seem normal at the moment.

Really appreciate the response!
 