Very Computer

>  I checked my log files and Portsentry mail and see lots of DENY stuff.

>  I then fired up ethereal and start capturing. I see page after page of
>  messages such as:

>  Who has 24.177.63.127 Tell 65.112.55.123

>  The numbers are not accurate (I can post them if needed), but the messages
>  are all the same with differing IP numbers on both sides.

>  What does this mean? I called my broadband provider and they said they had
>  no idea.

> I checked my log files and Portsentry mail and see lots of DENY stuff.

> I then fired up ethereal and start capturing. I see page after page of
> messages such as:

> Who has 24.177.63.127 Tell 65.112.55.123

> The numbers are not accurate (I can post them if needed), but the messages
> are all the same with differing IP numbers on both sides.

> What does this mean? I called my broadband provider and they said they had
> no idea.

> Has my system been hacked?

> Thanks,
> Paul Nixon

> I checked my log files and Portsentry mail and see lots of DENY stuff.

> I then fired up ethereal and start capturing. I see page after page of
> messages such as:

> Who has 24.177.63.127 Tell 65.112.55.123

> The numbers are not accurate (I can post them if needed), but the messages
> are all the same with differing IP numbers on both sides.

> What does this mean? I called my broadband provider and they said they had
> no idea.

> Has my system been hacked?

> Thanks,
> Paul Nixon

> > This morning I noticed the activity LED on my cable modem has been going
> > nuts with loads of network traffic. I'm just sitting there not doing
> > anything. I'm using a Mandrake 7.2 box with IPCHAINS and Portsentry.

> > I checked my log files and Portsentry mail and see lots of DENY stuff.

> > I then fired up ethereal and start capturing. I see page after page of
> > messages such as:

> > Who has 24.177.63.127 Tell 65.112.55.123

> > The numbers are not accurate (I can post them if needed), but the
messages
> > are all the same with differing IP numbers on both sides.

> > What does this mean? I called my broadband provider and they said they
had
> > no idea.

> > Has my system been hacked?

> > Thanks,
> > Paul Nixon

> paul, if you have ethereal, then you can look for arp replies comming from
> your computer to another one that is NOT your athome gateway.

> To check for spoofed packets : The source would be set to your computer,
> and the target would be a broadcast address ( or not) . Those looking in
> their logs would see you as the origin ( well, that's what was in th
> packets ) , and start asking you why you're blasting them at several mb/s.

> What I was hoping to find a arp-who is query from the attacker to you or
to
> some other computer. If you see a lot of arp's and the MAC asking for them
> is constant, but the IP's are changing in a pattern, it could be someone
> doing a scan.

> If this is still continuing, you could call up the help desk and tell them
> what's happening, and that you can't get to web sites or something.
> And perhaps you could convince them to find out who is up to this
> nonsense...

> I've been in contact with Cox and they were no help. I did, however, see
> another thread from someone experiencing the exact same symptom to which
> you gave some good info. Unfortunately, my network knowledge is
> "dangerous" in that I know some of the basics but not enough to really pin
> things down.

> I do very much appreciate your quick response (I wanted to mention that
> before I forgot).

> The activity is unusual from my perspective mainly because I monitor the
> activity light from time to time as I've heard this to be an indication
> things are not as they should be. Usually the activity light only comes on
> when I am active or the odd flicker from time to time. At present it looks
> like I'm engaged in a major download of somesort (glad I downloaded my new
> Linux distros yesterday!).

> I've looked at the Ethereal output and don't see anything other than the
> Who is such and such? Tell so and so. Unfortunately, there is probably a
> wealth of information that I don't quite know how to interpret. In the
> other thread I suggested you use nmap on my system to see what you come up
> with.

> There are two things I'm most concerned about:
> 1) Someone has hacked into my computer and is free to do malicious things
> on my internal network.
> 2) Someone has hacked into my computer and is using it as a platform to
> launch DOS attacks againsts others.

> I think (hope) what's happening is that there is a DOS attack going on at
> present but is not targeted at nor sourced with me.

> All the best,
> Paul

>> > This morning I noticed the activity LED on my cable modem has been
>> > going nuts with loads of network traffic. I'm just sitting there not
>> > doing anything. I'm using a Mandrake 7.2 box with IPCHAINS and
>> > Portsentry.

>> > I checked my log files and Portsentry mail and see lots of DENY stuff.

>> > I then fired up ethereal and start capturing. I see page after page of
>> > messages such as:

>> > Who has 24.177.63.127 Tell 65.112.55.123

>> > The numbers are not accurate (I can post them if needed), but the
> messages
>> > are all the same with differing IP numbers on both sides.

>> > What does this mean? I called my broadband provider and they said they
> had
>> > no idea.

>> > Has my system been hacked?

>> > Thanks,
>> > Paul Nixon

>> paul, if you have ethereal, then you can look for arp replies comming
>> from your computer to another one that is NOT your athome gateway.

>> To check for spoofed packets : The source would be set to your computer,
>> and the target would be a broadcast address ( or not) . Those looking in
>> their logs would see you as the origin ( well, that's what was in th
>> packets ) , and start asking you why you're blasting them at several
>> mb/s.

>> What I was hoping to find a arp-who is query from the attacker to you or
> to
>> some other computer. If you see a lot of arp's and the MAC asking for
>> them is constant, but the IP's are changing in a pattern, it could be
>> someone doing a scan.

>> If this is still continuing, you could call up the help desk and tell
>> them what's happening, and that you can't get to web sites or something.
>> And perhaps you could convince them to find out who is up to this
>> nonsense...

>> This morning I noticed the activity LED on my cable modem has been going
>> nuts with loads of network traffic. I'm just sitting there not doing
>> anything. I'm using a Mandrake 7.2 box with IPCHAINS and Portsentry.

>> I checked my log files and Portsentry mail and see lots of DENY stuff.

>> I then fired up ethereal and start capturing. I see page after page of
>> messages such as:

>> Who has 24.177.63.127 Tell 65.112.55.123

>> The numbers are not accurate (I can post them if needed), but the
>> messages are all the same with differing IP numbers on both sides.

>> What does this mean? I called my broadband provider and they said they
>> had no idea.

>> Has my system been hacked?

>> Thanks,
>> Paul Nixon

> Those are Address Resolution Protocol broadcasts. Picking up these is
> normal. You should not be picking up any arp *replies*  though -
> "xx.xx.xx.xx  IS AT 0a:00:00:55:aa:31" that are directed at other
> computers. . If you do get something like this, then only two things
> should be visible to you:

> 1. Your computer being told where your gateway is, and
> 2.  you computer replying to the gateway where *it* is.

> There was a recent post from sungod about a similar incident on his side.
> That activity misteriously stopped about 12 hours ago.

> later.

> change the NIC without problems.  As a consequence, I see all arp
> traffic (including replies) on my segment.