nTop, port 0 traffic - help I am under attack!
Hi,
I am running a Debian server - Kernel 2.4. I have currently installed nTop (a network sniffer), and I now see that people are connecting to port 0. Here is a flag/warning from nTop that goes along with this port 0 connection, please read:
"High risk - problems which are rarely benign
Duplicated MAC
ntop will report this problem for hosts where a single MAC address (layer 2) is found on packets from several IP (layer 3) addresses. There are a number of possible causes:
* The host legitimately has multiple IPs assigned.
* dhcp + sticky-hosts - If ntop is being run with the sticky-hosts option and dhcp addressing is being used, it's possible for a host to receive address a.b.c.d, and then disconnect from the network. If that address is reassigned to another host, then when the first host reconnects to the network it will receive a different IP address. If sticky-hosts is not enabled, it's very likely that the first user of a.b.c.d would be purged as inactive before the dhcp lease is reassigned. This is BENIGN.
* MAC spoofing - where a device deliberately changes its MAC address to 'spoof' another device. Many home users do this, where their router spoofs the address of the network card so that their upstream Cable or DSL provider doesn't see the change when you install a router. But bad guys also do this to bypass MAC level filters.
* Some hardware - notably Sun - uses the same MAC address for all of the NICs attached to the host. If ntop is monitoring these multiple segments, it will see 'spoofed' packets.
* Someone is sending spoofed packets. This is probably hostile.
It's not normal unless you're using Sun servers, so check it out!
Flag/Counter: HOST_DUPLICATED_MAC
Port Zero Traffic
ntop will report this problem for those hosts that produced traffic on ports where we should see no traffic (e.g. port zero). Port 0 is a reserved port in tcp/ip networking, (see IANA) so that it should not be used by the tcp or udp protocols. It's not normal and has been used in hostile attempts to map networks (as many devices do not block it, even if the device blocks everything else), so check it out!
Flag/Counter: HOST_IP_ZERO_PORT_TRAFFIC"
I am getting many different people that are triggering this warning, but never at the same time, hmmm...
I really do believe I am compromised because my upload is almost always crap now, and for a test I plugged in my cable modem to my Win box and the upload was up around 40K, exactly where it should be.
I have currently updated my debian server with apt-get but I believe I was already compromised before the update - when I did update, all of my network problems were solved for 24 hours and then it all came back.
What to do?
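A small re-implementation of the two ntop heuristics quoted above (HOST_DUPLICATED_MAC and HOST_IP_ZERO_PORT_TRAFFIC), added here as an example that is not from the original post or from ntop itself. It runs over constructed packet records rather than a live capture, and the allow-list for hosts that legitimately carry several IPs is an assumption of this example, not an ntop feature.

```python
# Added example (not from the original post or from ntop): the two ntop
# heuristics quoted above, run over constructed packet records.
# Each record is (src_mac, src_ip, proto, src_port, dst_port).
from collections import defaultdict

# Constructed sample traffic (hosts and addresses are made up).
PACKETS = [
    ("aa:bb:cc:00:00:01", "10.0.0.5",  "tcp", 44211, 80),
    ("aa:bb:cc:00:00:01", "10.0.0.5",  "tcp", 44212, 443),
    ("aa:bb:cc:00:00:02", "10.0.0.9",  "udp", 1025, 53),
    ("aa:bb:cc:00:00:02", "10.0.0.27", "tcp", 40000, 22),  # same MAC, second IP
    ("aa:bb:cc:00:00:03", "10.0.0.40", "tcp", 0, 22),      # source port 0
    ("aa:bb:cc:00:00:04", "10.0.0.41", "udp", 5353, 0),    # destination port 0
    ("aa:bb:cc:00:00:02", "10.0.0.9",  "tcp", 40001, 22),
]

# Hosts known to carry several IPs on one NIC (the "legitimately has multiple
# IPs" and Sun cases in the ntop text). Assumption for this example only.
KNOWN_MULTI_IP_MACS = set()

def duplicated_macs(packets, allow=KNOWN_MULTI_IP_MACS):
    """HOST_DUPLICATED_MAC: one layer-2 address seen with several layer-3 addresses."""
    ips_by_mac = defaultdict(set)
    for mac, ip, _proto, _sport, _dport in packets:
        ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items()
            if len(ips) > 1 and mac not in allow}

def port_zero_hosts(packets):
    """HOST_IP_ZERO_PORT_TRAFFIC: count TCP/UDP packets per source IP that use port 0."""
    hits = defaultdict(int)
    for _mac, ip, proto, sport, dport in packets:
        if proto in ("tcp", "udp") and (sport == 0 or dport == 0):
            hits[ip] += 1
    return dict(hits)

def summarise(packets):
    """Return both flags keyed by the counter names ntop uses in its report."""
    return {"HOST_DUPLICATED_MAC": duplicated_macs(packets),
            "HOST_IP_ZERO_PORT_TRAFFIC": port_zero_hosts(packets)}

if __name__ == "__main__":
    for flag, hosts in summarise(PACKETS).items():
        print(flag, hosts)
```

Adding a MAC to `KNOWN_MULTI_IP_MACS` suppresses the duplicated-MAC flag for that host, which is how the benign cases listed in the ntop text (multi-homed or Sun hosts) would be separated from the spoofing case.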