My network knowledge is at the proverbial "just the tip of the iceberg"
level. Perhaps the tech at the level you contacted can only handle simple
things like where to put the name of the news server in outlook express,
etc. You would have to go a bit higher up to take care of this kind of
Most ip spoofing tools do just that - ip level spoofing. As such they would
not descend into the ethernet layer and fiddle with that so there is a
chance that you could find the ethernet card of the attacker.
As I told sungod, it could very well be a backorifice client on a windows
computer just playing around. Did you get any multicast ?
As many would tell you there is no defence against spoofed attacks on a
LAN. But if it goes through a router to get to you, the router could be set
to drop packets that shouldn't be on the interface. Assuming of course that
the ISP has enough brains to do so.
> Hi Joseph,
> I've been in contact with Cox and they were no help. I did, however, see
> another thread from someone experiencing the exact same symptom to which
> you gave some good info. Unfortunately, my network knowledge is
> "dangerous" in that I know some of the basics but not enough to really pin
> things down.
> I do very much appreciate your quick response (I wanted to mention that
> before I forgot).
> The activity is unusual from my perspective mainly because I monitor the
> activity light from time to time as I've heard this to be an indication
> things are not as they should be. Usually the activity light only comes on
> when I am active or the odd flicker from time to time. At present it looks
> like I'm engaged in a major download of some sort (glad I downloaded my new
> Linux distros yesterday!).
> I've looked at the Ethereal output and don't see anything other than the
> Who is such and such? Tell so and so. Unfortunately, there is probably a
> wealth of information that I don't quite know how to interpret. In the
> other thread I suggested you use nmap on my system to see what you come up
> There are two things I'm most concerned about:
> 1) Someone has hacked into my computer and is free to do malicious things
> on my internal network.
> 2) Someone has hacked into my computer and is using it as a platform to
> launch DOS attacks against others.
> I think (hope) what's happening is that there is a DOS attack going on at
> present but is not targeted at nor sourced with me.
> All the best,
>> > This morning I noticed the activity LED on my cable modem has been
>> > going nuts with loads of network traffic. I'm just sitting there not
>> > doing anything. I'm using a Mandrake 7.2 box with IPCHAINS and
>> > Portsentry.
>> > I checked my log files and Portsentry mail and see lots of DENY stuff.
>> > I then fired up ethereal and start capturing. I see page after page of
>> > messages such as:
>> > Who has 220.127.116.11 Tell 18.104.22.168
>> > The numbers are not accurate (I can post them if needed), but the
>> > are all the same with differing IP numbers on both sides.
>> > What does this mean? I called my broadband provider and they said they
>> > no idea.
>> > Has my system been hacked?
>> > Thanks,
>> > Paul Nixon
>> Paul, if you have ethereal, then you can look for arp replies coming
>> from your computer to another one that is NOT your athome gateway.
>> To check for spoofed packets : The source would be set to your computer,
>> and the target would be a broadcast address ( or not) . Those looking in
>> their logs would see you as the origin ( well, that's what was in the
>> packets ) , and start asking you why you're blasting them at several
>> What I was hoping to find was an arp who-is query from the attacker to you or
>> some other computer. If you see a lot of ARPs and the MAC asking for
>> them is constant, but the IPs are changing in a pattern, it could be
>> someone doing a scan.
>> If this is still continuing, you could call up the help desk and tell
>> them what's happening, and that you can't get to web sites or something.
>> And perhaps you could convince them to find out who is up to this
587 (submission) is reported as open.
You should have an input deny log for an IP ending in .136. That's me, one of
my computers, nmapping you.
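As an added example (not code from anyone in this thread), the following Python script applies the two triage heuristics raised above to captured ARP traffic: a constant requesting MAC sweeping IPs in address order while the "Tell" address varies (the scan pattern), and ARP replies that either forge the capturing host's IP from a foreign MAC or come from the host itself aimed at something other than its gateway. The one-line-per-frame text format, the addresses MY_IP, MY_MAC and GATEWAY_IP, and the sample capture are all constructed for the example; Ethereal's real export format differs.

```python
"""Heuristic ARP-traffic triage over a simplified text capture (added example)."""
import re
from collections import defaultdict
from ipaddress import ip_address

MY_IP = "10.0.0.5"            # assumed: address of the capturing host
MY_MAC = "00:11:22:33:44:55"  # assumed: its Ethernet address
GATEWAY_IP = "10.0.0.1"       # assumed: the only host it should normally answer

# Constructed line format (not Ethereal's exact output):
#   <src MAC> request Who has <target IP>? Tell <sender IP>
#   <src MAC> reply <IP> is at <MAC> -> <destination IP>
_REQ = re.compile(r"^(?P<mac>[0-9a-f:]{17}) request Who has (?P<target>[\d.]+)\? Tell (?P<sender>[\d.]+)$")
_REP = re.compile(r"^(?P<mac>[0-9a-f:]{17}) reply (?P<ip>[\d.]+) is at (?P<claimed>[0-9a-f:]{17}) -> (?P<dst>[\d.]+)$")


def parse_line(line):
    """Return a dict for a recognised ARP line, or None for anything else."""
    line = line.strip()
    m = _REQ.match(line)
    if m:
        return {"op": "request", **m.groupdict()}
    m = _REP.match(line)
    if m:
        return {"op": "reply", **m.groupdict()}
    return None


def find_scanners(records, min_targets=8, min_sequential=0.7):
    """One MAC asking for many distinct IPs, mostly in address order, looks like a scan.
    The 'Tell' address may rotate: IP-level spoofing usually leaves the MAC untouched."""
    targets = defaultdict(set)
    tell_ips = defaultdict(set)
    for r in records:
        if r["op"] == "request":
            targets[r["mac"]].add(int(ip_address(r["target"])))
            tell_ips[r["mac"]].add(r["sender"])
    hits = []
    for mac, addrs in targets.items():
        if len(addrs) < max(min_targets, 2):
            continue
        ordered = sorted(addrs)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        sequential = sum(1 for s in steps if s == 1) / len(steps)
        if sequential >= min_sequential:
            hits.append({"mac": mac, "targets": len(addrs),
                         "sequential": round(sequential, 2),
                         "claimed_senders": sorted(tell_ips[mac])})
    return hits


def find_suspicious_replies(records):
    """Replies that claim MY_IP from a foreign MAC, or replies from MY_MAC aimed at
    a host other than the gateway (the check suggested for spoofed traffic)."""
    hits = []
    for r in records:
        if r["op"] != "reply":
            continue
        if r["ip"] == MY_IP and r["mac"] != MY_MAC:
            hits.append({"reason": "foreign MAC claims my IP", **r})
        elif r["mac"] == MY_MAC and r["dst"] != GATEWAY_IP:
            hits.append({"reason": "my host answering a non-gateway host", **r})
    return hits


def triage(lines):
    """Parse every line and return both heuristics' findings plus the parsed count."""
    records = [p for p in (parse_line(l) for l in lines) if p]
    return {"parsed": len(records),
            "scanners": find_scanners(records),
            "suspicious_replies": find_suspicious_replies(records)}


# Constructed sample capture: one MAC sweeping 10.0.0.10-21 with rotating 'Tell'
# addresses, ordinary gateway traffic, and one reply forging MY_IP from another MAC.
SAMPLE_LINES = [
    f"aa:bb:cc:dd:ee:01 request Who has 10.0.0.{10 + i}? Tell 10.0.0.{100 + (i % 3)}"
    for i in range(12)
] + [
    "00:00:5e:00:53:01 request Who has 10.0.0.5? Tell 10.0.0.1",
    "00:11:22:33:44:55 reply 10.0.0.5 is at 00:11:22:33:44:55 -> 10.0.0.1",
    "aa:bb:cc:dd:ee:02 reply 10.0.0.5 is at aa:bb:cc:dd:ee:02 -> 10.0.0.1",
    "garbage line that is not ARP",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LINES).items():
        print(key, value)
```

The sequential-fraction threshold is what separates a sweep from a busy but legitimate host: a gateway resolving a dozen unrelated addresses over a day produces scattered targets, while a scanner walking a subnet produces steps of 1. The rotating "Tell" addresses in the sample are exactly why the thread recommends keying on the MAC rather than the IP.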