question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Paul Nixo » Mon, 06 Aug 2001 06:14:30



This morning I noticed the activity LED on my cable modem has been going
nuts with loads of network traffic. I'm just sitting there not doing
anything. I'm using a Mandrake 7.2 box with IPCHAINS and Portsentry.

I checked my log files and Portsentry mail and see lots of DENY stuff.

I then fired up ethereal and start capturing. I see page after page of
messages such as:

Who has 24.177.63.127 Tell 65.112.55.123

The numbers are not accurate (I can post them if needed), but the messages
are all the same with differing IP numbers on both sides.

What does this mean? I called my broadband provider and they said they had
no idea.

Has my system been hacked?

Thanks,
Paul Nixon

 
 
 

question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Rudolf Polz » Mon, 06 Aug 2001 06:22:15



>  This morning I noticed the activity LED on my cable modem has been going
>  nuts with loads of network traffic. I'm just sitting there not doing
>  anything. I'm using a Mandrake 7.2 box with IPCHAINS and Portsentry.

>  I checked my log files and Portsentry mail and see lots of DENY stuff.

>  I then fired up ethereal and start capturing. I see page after page of
>  messages such as:

>  Who has 24.177.63.127 Tell 65.112.55.123

>  The numbers are not accurate (I can post them if needed), but the messages
>  are all the same with differing IP numbers on both sides.

>  What does this mean? I called my broadband provider and they said they had
>  no idea.

This is relatively normal. Is one of the IPs yours? If not,
your ISP has got wrong routing tables (or everyone in
your street gets the same traffic and the Who-has IP
is from one of your neighbors).

This is only the ARP protocol - before transmitting data
over ethernet, a computer sends an ARP broadcast on the
network cable to find out the other side's MAC. Computers
seem to be internally addressed by the MAC - do not ask
me why.

--
The Day Microsoft makes something that does not suck is probably
the day they start making vacuum cleaners.

 
 
 

question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Josep » Mon, 06 Aug 2001 06:33:03



> This morning I noticed the activity LED on my cable modem has been going
> nuts with loads of network traffic. I'm just sitting there not doing
> anything. I'm using a Mandrake 7.2 box with IPCHAINS and Portsentry.

> I checked my log files and Portsentry mail and see lots of DENY stuff.

> I then fired up ethereal and start capturing. I see page after page of
> messages such as:

> Who has 24.177.63.127 Tell 65.112.55.123

> The numbers are not accurate (I can post them if needed), but the messages
> are all the same with differing IP numbers on both sides.

> What does this mean? I called my broadband provider and they said they had
> no idea.

> Has my system been hacked?

> Thanks,
> Paul Nixon

Those are Address Resolution Protocol broadcasts. Picking up these is
normal. You should not be picking up any ARP *replies* though -
"xx.xx.xx.xx  IS AT 0a:00:00:55:aa:31" that are directed at other
computers. If you do get something like this, then only two things should
be visible to you:

1. Your computer being told where your gateway is, and
2. Your computer replying to the gateway where *it* is.

There was a recent post from sungod about a similar incident on his side.
That activity mysteriously stopped about 12 hours ago.

later.

 
 
 

question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Josep » Mon, 06 Aug 2001 07:58:56



> This morning I noticed the activity LED on my cable modem has been going
> nuts with loads of network traffic. I'm just sitting there not doing
> anything. I'm using a Mandrake 7.2 box with IPCHAINS and Portsentry.

> I checked my log files and Portsentry mail and see lots of DENY stuff.

> I then fired up ethereal and start capturing. I see page after page of
> messages such as:

> Who has 24.177.63.127 Tell 65.112.55.123

> The numbers are not accurate (I can post them if needed), but the messages
> are all the same with differing IP numbers on both sides.

> What does this mean? I called my broadband provider and they said they had
> no idea.

> Has my system been hacked?

> Thanks,
> Paul Nixon

Paul, if you have Ethereal, then you can look for ARP replies coming from
your computer to another one that is NOT your athome gateway.

To check for spoofed packets: the source would be set to your computer,
and the target would be a broadcast address (or not). Those looking in
their logs would see you as the origin (well, that's what was in the
packets), and start asking you why you're blasting them at several Mb/s.

What I was hoping to find was an ARP who-has query from the attacker to you or
to some other computer. If you see a lot of ARPs and the MAC asking for them
is constant, but the IPs are changing in a pattern, it could be someone
doing a scan.

If this is still continuing, you could call up the help desk and tell them
what's happening, and that you can't get to web sites or something.
And perhaps you could convince them to find out who is up to this
nonsense...
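The two checks Josep describes (replies your own host sends to anything other than the gateway, and one sender MAC asking for a whole run of target IPs), plus the basic request/reply decoding Rudolf's post explains, as a self-contained added example. It is not code from the thread or from Ethereal; it decodes raw Ethernet/ARP frames, renders them with the same "Who has X? Tell Y" / "X is at MAC" wording Ethereal uses, and tallies the bytes on the wire. All MAC addresses, the gateway, the scanner and the 60-byte padded frame size are constructed assumptions; only 24.177.215.187 and the two addresses in Paul's quoted line come from the thread.

```python
import struct
from collections import defaultdict

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"
MIN_WIRE_LEN = 60  # assumption: a 42-byte ARP frame is padded to 60 bytes on the wire (64 with FCS)

# Constructed addresses for the sample capture (not from the thread, except the IPs noted).
MY_MAC, MY_IP = "00:50:da:11:22:33", "24.177.215.187"        # IP is Paul's, MAC invented
GW_MAC, GW_IP = "00:00:0c:aa:bb:cc", "24.177.215.1"          # invented gateway
SCANNER_MAC, SCANNER_IP = "00:e0:29:de:ad:01", "65.112.55.123"  # IP from the quoted line


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def _ip_key(s: str):
    return tuple(int(o) for o in s.split("."))


def build_arp(op, eth_dst, eth_src, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Assemble an Ethernet II frame carrying IPv4-over-Ethernet ARP (sample traffic only)."""
    eth = mac_bytes(eth_dst) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes):
    """Decode one frame into a dict, or return None if it is not IPv4 ARP over Ethernet."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_dst": mac_str(frame[0:6]), "eth_src": mac_str(frame[6:12]), "op": op,
        "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
        "wire_len": max(len(frame), MIN_WIRE_LEN),
    }


def describe(a: dict) -> str:
    """Render an ARP packet the way Ethereal's Info column does."""
    if a["op"] == ARP_REQUEST:
        return f"Who has {a['target_ip']}? Tell {a['sender_ip']}"
    if a["op"] == ARP_REPLY:
        return f"{a['sender_ip']} is at {a['sender_mac']}"
    return f"ARP opcode {a['op']}"


def analyse(frames, my_mac, gateway_ip, scan_threshold=8):
    """Decode a capture and apply the two checks from the post:
    1. replies our own host sends to anything other than the gateway;
    2. one sender MAC asking for many different target IPs (a sweep)."""
    arps = [a for a in map(parse_arp, frames) if a]
    targets_by_mac = defaultdict(set)
    replies_not_to_gateway = []
    for a in arps:
        if a["op"] == ARP_REQUEST:
            targets_by_mac[a["sender_mac"]].add(a["target_ip"])
        elif a["op"] == ARP_REPLY and a["sender_mac"] == my_mac and a["target_ip"] != gateway_ip:
            replies_not_to_gateway.append(f"{describe(a)} (sent to {a['target_ip']})")
    scanners = {mac: sorted(ips, key=_ip_key)
                for mac, ips in targets_by_mac.items() if len(ips) >= scan_threshold}
    return {
        "lines": [describe(a) for a in arps],
        "arp_count": len(arps),
        "arp_bytes": sum(a["wire_len"] for a in arps),  # bytes of ARP seen on the wire
        "replies_not_to_gateway": replies_not_to_gateway,
        "probable_scanners": scanners,
    }


def sample_capture():
    """Constructed frames: a normal gateway exchange, a sweep of 24.177.63.0/24 by one
    MAC, one reply our host should not have sent, and one non-ARP frame as noise."""
    frames = [
        build_arp(ARP_REQUEST, BROADCAST, GW_MAC, GW_MAC, GW_IP, ZERO_MAC, MY_IP),
        build_arp(ARP_REPLY, GW_MAC, MY_MAC, MY_MAC, MY_IP, GW_MAC, GW_IP),
    ]
    for host in range(1, 21):
        frames.append(build_arp(ARP_REQUEST, BROADCAST, SCANNER_MAC, SCANNER_MAC, SCANNER_IP,
                                ZERO_MAC, f"24.177.63.{host}"))
    frames.append(build_arp(ARP_REPLY, SCANNER_MAC, MY_MAC, MY_MAC, MY_IP, SCANNER_MAC, SCANNER_IP))
    frames.append(b"\x00" * 60)  # non-ARP frame, must be ignored
    return frames
```

Feed `analyse()` the raw frames from a real capture (for example the bytes of each record in a libpcap file) and the "probable_scanners" entry gives you exactly the pattern Josep asks for: one MAC, sorted list of the IPs it asked about. The byte total is what you would divide by the capture duration to get a per-day figure.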

 
 
 

question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Paul Nixo » Mon, 06 Aug 2001 09:01:21


Hi Joseph,

I've been in contact with Cox and they were no help. I did, however, see
another thread from someone experiencing the exact same symptom to which you
gave some good info. Unfortunately, my network knowledge is "dangerous" in
that I know some of the basics but not enough to really pin things down.

I do very much appreciate your quick response (I wanted to mention that
before I forgot).

The activity is unusual from my perspective mainly because I monitor the
activity light from time to time as I've heard this to be an indication
things are not as they should be. Usually the activity light only comes on
when I am active or the odd flicker from time to time. At present it looks
like I'm engaged in a major download of some sort (glad I downloaded my new
Linux distros yesterday!).

I've looked at the Ethereal output and don't see anything other than the Who
is such and such? Tell so and so. Unfortunately, there is probably a wealth
of information that I don't quite know how to interpret. In the other thread
I suggested you use nmap on my system to see what you come up with.

There are two things I'm most concerned about:
1) Someone has hacked into my computer and is free to do malicious things on
my internal network.
2) Someone has hacked into my computer and is using it as a platform to
launch DoS attacks against others.

I think (hope) what's happening is that there is a DoS attack going on at
present but is not targeted at nor sourced with me.

All the best,
Paul



> > This morning I noticed the activity LED on my cable modem has been going
> > nuts with loads of network traffic. I'm just sitting there not doing
> > anything. I'm using a Mandrake 7.2 box with IPCHAINS and Portsentry.

> > I checked my log files and Portsentry mail and see lots of DENY stuff.

> > I then fired up ethereal and start capturing. I see page after page of
> > messages such as:

> > Who has 24.177.63.127 Tell 65.112.55.123

> > The numbers are not accurate (I can post them if needed), but the messages
> > are all the same with differing IP numbers on both sides.

> > What does this mean? I called my broadband provider and they said they had
> > no idea.

> > Has my system been hacked?

> > Thanks,
> > Paul Nixon

> Paul, if you have Ethereal, then you can look for ARP replies coming from
> your computer to another one that is NOT your athome gateway.

> To check for spoofed packets: the source would be set to your computer,
> and the target would be a broadcast address (or not). Those looking in
> their logs would see you as the origin (well, that's what was in the
> packets), and start asking you why you're blasting them at several Mb/s.

> What I was hoping to find was an ARP who-has query from the attacker to you or
> to some other computer. If you see a lot of ARPs and the MAC asking for them
> is constant, but the IPs are changing in a pattern, it could be someone
> doing a scan.

> If this is still continuing, you could call up the help desk and tell them
> what's happening, and that you can't get to web sites or something.
> And perhaps you could convince them to find out who is up to this
> nonsense...

 
 
 

question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Josep » Mon, 06 Aug 2001 09:06:04


Ok, on the nmap. I will nmap you on the IP 24.177.215.187, and put the
results as a reply here. Or would you rather have them mailed to your web mail
account?
 
 
 

question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Paul Nixo » Mon, 06 Aug 2001 09:08:18


You can email them if that's safer. Remove the _nospam_ from the email
address if it is showing.

Also, the log file indicates I'm getting hit on Port 80 a lot (hmm, I wonder
why?? :-) )

Thanks,

Paul


> Ok, on the nmap. I will nmap you on the IP 24.177.215.187, and put the
> results as a reply here. Or would you rather have them mailed to your web mail
> account?

 
 
 

question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Josep » Mon, 06 Aug 2001 10:02:33


check mail.

My network knowledge is at the proverbial "just the tip of the iceberg"
level. Perhaps the tech at the level you contacted can only handle simple
things like where to put the name of the news server in outlook express,
etc.. You would have to go a bit higher up to take care of this kind of
problem.

Most IP spoofing tools do just that - IP level spoofing. As such they would
not descend into the ethernet layer and fiddle with that, so there is a
chance that you could find the ethernet card of the attacker.

As I told sungod, it could very well be a Back Orifice client on a Windows
computer just playing around. Did you get any multicast?

As many would tell you, there is no defence against spoofed attacks on a
LAN. But if it goes through a router to get to you, the router could be set
to drop packets that shouldn't be on the interface. Assuming of course that
the ISP has enough brains to do so.


> Hi Joseph,

> I've been in contact with Cox and they were no help. I did, however, see
> another thread from someone experiencing the exact same symptom to which
> you gave some good info. Unfortunately, my network knowledge is
> "dangerous" in that I know some of the basics but not enough to really pin
> things down.

> I do very much appreciate your quick response (I wanted to mention that
> before I forgot).

> The activity is unusual from my perspective mainly because I monitor the
> activity light from time to time as I've heard this to be an indication
> things are not as they should be. Usually the activity light only comes on
> when I am active or the odd flicker from time to time. At present it looks
> like I'm engaged in a major download of some sort (glad I downloaded my new
> Linux distros yesterday!).

> I've looked at the Ethereal output and don't see anything other than the
> Who is such and such? Tell so and so. Unfortunately, there is probably a
> wealth of information that I don't quite know how to interpret. In the
> other thread I suggested you use nmap on my system to see what you come up
> with.

> There are two things I'm most concerned about:
> 1) Someone has hacked into my computer and is free to do malicious things
> on my internal network.
> 2) Someone has hacked into my computer and is using it as a platform to
> launch DoS attacks against others.

> I think (hope) what's happening is that there is a DoS attack going on at
> present but is not targeted at nor sourced with me.

> All the best,
> Paul




>> > This morning I noticed the activity LED on my cable modem has been
>> > going nuts with loads of network traffic. I'm just sitting there not
>> > doing anything. I'm using a Mandrake 7.2 box with IPCHAINS and
>> > Portsentry.

>> > I checked my log files and Portsentry mail and see lots of DENY stuff.

>> > I then fired up ethereal and start capturing. I see page after page of
>> > messages such as:

>> > Who has 24.177.63.127 Tell 65.112.55.123

>> > The numbers are not accurate (I can post them if needed), but the
>> > messages are all the same with differing IP numbers on both sides.

>> > What does this mean? I called my broadband provider and they said they
>> > had no idea.

>> > Has my system been hacked?

>> > Thanks,
>> > Paul Nixon

>> Paul, if you have Ethereal, then you can look for ARP replies coming
>> from your computer to another one that is NOT your athome gateway.

>> To check for spoofed packets: the source would be set to your computer,
>> and the target would be a broadcast address (or not). Those looking in
>> their logs would see you as the origin (well, that's what was in the
>> packets), and start asking you why you're blasting them at several
>> Mb/s.

>> What I was hoping to find was an ARP who-has query from the attacker to you
>> or to some other computer. If you see a lot of ARPs and the MAC asking for
>> them is constant, but the IPs are changing in a pattern, it could be
>> someone doing a scan.

>> If this is still continuing, you could call up the help desk and tell
>> them what's happening, and that you can't get to web sites or something.
>> And perhaps you could convince them to find out who is up to this
>> nonsense...

587 (submission) is reported as open.
You should have an input deny log for an IP ending in .136. That's one of
my computers nmapping you.
 
 
 

question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Thin » Mon, 06 Aug 2001 12:51:56




>> This morning I noticed the activity LED on my cable modem has been going
>> nuts with loads of network traffic. I'm just sitting there not doing
>> anything. I'm using a Mandrake 7.2 box with IPCHAINS and Portsentry.

>> I checked my log files and Portsentry mail and see lots of DENY stuff.

>> I then fired up ethereal and start capturing. I see page after page of
>> messages such as:

>> Who has 24.177.63.127 Tell 65.112.55.123

>> The numbers are not accurate (I can post them if needed), but the
>> messages are all the same with differing IP numbers on both sides.

>> What does this mean? I called my broadband provider and they said they
>> had no idea.

>> Has my system been hacked?

>> Thanks,
>> Paul Nixon

> Those are Address Resolution Protocol broadcasts. Picking up these is
> normal. You should not be picking up any ARP *replies* though -
> "xx.xx.xx.xx  IS AT 0a:00:00:55:aa:31" that are directed at other
> computers. If you do get something like this, then only two things
> should be visible to you:

> 1. Your computer being told where your gateway is, and
> 2. Your computer replying to the gateway where *it* is.

> There was a recent post from sungod about a similar incident on his side.
> That activity mysteriously stopped about 12 hours ago.

> later.

Oh, it hasn't stopped. I am still getting bombarded with ARP queries; at last
count it was 54 MB a day worth.
--
 
 
 

question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Eric Lee Gre » Mon, 06 Aug 2001 16:16:16


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



>Hi Joseph,
>I've been in contact with Cox and they were no help. I did, however, see

The Level 1 people at Cox read off of a script. If you go off script, they
ask you to re-install Windows :-).

>The activity is unusual from my perspective mainly because I monitor the
>activity light from time to time as I've heard this to be an indication
>things are not as they should be. Usually the activity light only comes on
>when I am active or the odd flicker from time to time. At present it looks
>like I'm engaged in a major download of somesort (glad I downloaded my new
>Linux distros yesterday!).

One thing to note is that Code Red II is making the rounds. At some
points in time I get 5 hits a second from infected NT machines hitting my
system.

The ARP requests that you mention are harmless to your system, but indicate
that the MAC filter in your cable modem is not functioning (it is supposed to
filter out any packets that do not contain your MAC address). This may mean

confused the MAC filters, or something else.

Check your port 80 and see if you're getting hit there.

>There are two things I'm most concerned about:
>1) Someone has hacked into my computer and is free to do malicious things on
>my internal network.
>2) Someone has hacked into my computer and is using it as a platform to
>launch DOS attacks againsts others.

Time to run your md5 checksum program again to check the current contents
of your hard drive against what it was when you made the floppy with the
sums. That program is, of course:

# Run once from a known-clean system; keep the resulting 'sums' file on a
# write-protected floppy together with copies of find, md5sum and diff.
: > sums
for S in /etc /bin /usr/bin /sbin /usr/sbin
do
  # one "digest  path" line per regular file, appended to 'sums'
  find "$S" -type f -exec md5sum '{}' \; >>sums
done

Then you can just do a 'diff' against the 'sums' on the floppy.
For the paranoid, you want to do this with a 'find', 'md5sum', and
'diff' program that were placed on the floppy. Call this the poor
man's 'tripwire' :-). rpm -Va can be helpful at times too, but can be
corrupted.

Eric Lee Green         Web: http://www.badtux.org
  GnuPG public key at http://badtux.org/eric/eric.gpg
    Free Dmitry Sklyarov! [ http://www.eff.org ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7bO7+3DrrK1kMA04RAtSfAKCpA8Ijn5eWQ08aohWGhof6bEiDywCfTMRZ
OwO+9dvymmpbQmcjO4GOsn4=
=RDkE
-----END PGP SIGNATURE-----
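The "poor man's tripwire" from the post above, carried through to the comparison step, as an added example that is not Eric's script or any project's code. It snapshots MD5 sums of the given directories in the same "digest  path" layout md5sum writes (so the file still works with `md5sum -c`), and then reports changed, missing and new files; the last category is the one `md5sum -c` on its own never shows you. The directory tree, file contents and the simulated compromise in `demo()` are constructed for the example.

```python
import hashlib
import os
import tempfile


def file_md5(path: str, chunk: int = 1 << 16) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(roots) -> dict:
    """{path: md5} for every regular file under roots; symlinks are skipped and files
    that cannot be read are recorded as 'unreadable' rather than silently dropped."""
    sums = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                p = os.path.join(dirpath, name)
                if os.path.islink(p) or not os.path.isfile(p):
                    continue
                try:
                    sums[p] = file_md5(p)
                except OSError:
                    sums[p] = "unreadable"
    return sums


def write_sums(sums: dict, out_path: str) -> None:
    """md5sum's own 'digest  path' layout, so the file also works with `md5sum -c`."""
    with open(out_path, "w") as f:
        for p in sorted(sums):
            f.write(f"{sums[p]}  {p}\n")


def read_sums(path: str) -> dict:
    sums = {}
    with open(path) as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, _, p = line.partition("  ")
                sums[p] = digest
    return sums


def compare(baseline: dict, current: dict):
    """Return (changed, missing, new), each a sorted list of paths."""
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in current)
    new = sorted(p for p in current if p not in baseline)
    return changed, missing, new


def _relative(paths, top):
    return [os.path.relpath(p, top).replace(os.sep, "/") for p in paths]


def demo():
    """End-to-end run on a throwaway tree standing in for /bin and /etc (constructed)."""
    with tempfile.TemporaryDirectory() as top:
        roots = [os.path.join(top, "bin"), os.path.join(top, "etc")]
        for d in roots:
            os.mkdir(d)
        files = {"bin/ls": b"ELF...ls", "bin/ps": b"ELF...ps",
                 "etc/passwd": b"root:x:0:0::/root:/bin/sh\n"}
        for rel, data in files.items():
            with open(os.path.join(top, rel), "wb") as f:
                f.write(data)
        sums_file = os.path.join(top, "sums")  # in practice: the write-protected floppy
        write_sums(snapshot(roots), sums_file)

        # Simulate a compromise: trojaned ls, deleted ps, a new hidden file under bin.
        with open(os.path.join(top, "bin/ls"), "wb") as f:
            f.write(b"ELF...ls with a backdoor")
        os.remove(os.path.join(top, "bin/ps"))
        with open(os.path.join(top, "bin/.rootkit"), "wb") as f:
            f.write(b"x")

        changed, missing, new = compare(read_sums(sums_file), snapshot(roots))
        return _relative(changed, top), _relative(missing, top), _relative(new, top)
```

The same caveat Eric gives for find, md5sum and diff applies here: on a box you suspect is rooted, the kernel, libc and python binary doing the checking may all be lying to you, so run the comparison after booting from clean media, or at least with a copy of the interpreter and the sums file from the floppy.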

 
 
 

question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Josep » Tue, 07 Aug 2001 05:47:01


<snip>

> The ARP requests that you mention are harmless to your system, but
> indicate that the MAC filter in your cable modem is not functioning (it is
> supposed to filter out any packets that do not contain your MAC address).

> attack that has confused the MAC filters, or something else.

If he were getting the arp *replies*, then the filter on the modem would be
broken.

<snip>
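A capture-side test for the point Eric and Josep are arguing over, as an added example that is not code from either of them: a modem whose MAC filter is doing its job should deliver broadcast frames (so ARP requests are expected) and frames addressed to your own MAC, but never unicast frames addressed to another subscriber, and an ARP *reply* addressed to someone else is the clearest sign the segment is leaking. It also counts multicast separately, since Josep asked about that. The MAC addresses and the five sample frames are constructed; the ARP bodies carry only the opcode, which is all this check reads.

```python
import struct
from collections import Counter

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP, ETHERTYPE_IP = 0x0806, 0x0800
MY_MAC = "00:50:da:11:22:33"         # constructed
GW_MAC = "00:00:0c:aa:bb:cc"         # constructed
NEIGHBOUR_MAC = "00:a0:cc:44:55:66"  # constructed: another subscriber on the segment


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))


def frame(dst: str, src: str, ethertype: int, payload: bytes) -> bytes:
    """Ethernet II header + payload (sample data only)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def arp_payload(opcode: int) -> bytes:
    """Minimal ARP body: header with the opcode, addresses zeroed (not needed here)."""
    return struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + bytes(20)


def frame_class(f: bytes, my_mac: str) -> str:
    """Where was the frame addressed? Only 'broadcast', 'multicast' and 'unicast-to-me'
    should arrive through a modem whose MAC filter is working."""
    dst = mac_str(f[0:6])
    if dst == BROADCAST:
        return "broadcast"
    if f[0] & 1:  # group bit of the first octet: multicast
        return "multicast"
    if dst == my_mac:
        return "unicast-to-me"
    return "unicast-to-other"


def is_arp_reply(f: bytes) -> bool:
    return (len(f) >= 22 and struct.unpack("!H", f[12:14])[0] == ETHERTYPE_ARP
            and struct.unpack("!H", f[20:22])[0] == 2)


def audit(frames, my_mac):
    """Count frames per class. Any unicast frame for another host means the modem is
    passing other subscribers' traffic; an ARP reply among them is the clearest sign."""
    classes = [frame_class(f, my_mac) for f in frames]
    counts = Counter(classes)
    leaked_replies = sum(1 for f, c in zip(frames, classes)
                         if c == "unicast-to-other" and is_arp_reply(f))
    return {"counts": dict(counts),
            "leaked_arp_replies": leaked_replies,
            "mac_filter_effective": counts["unicast-to-other"] == 0}


def sample_frames():
    """Constructed capture: two ARP requests (broadcast), the gateway's reply to us,
    the gateway's reply to a neighbour (should never reach us), one IP multicast."""
    return [
        frame(BROADCAST, GW_MAC, ETHERTYPE_ARP, arp_payload(1)),
        frame(BROADCAST, NEIGHBOUR_MAC, ETHERTYPE_ARP, arp_payload(1)),
        frame(MY_MAC, GW_MAC, ETHERTYPE_ARP, arp_payload(2)),
        frame(NEIGHBOUR_MAC, GW_MAC, ETHERTYPE_ARP, arp_payload(2)),
        frame("01:00:5e:00:00:01", GW_MAC, ETHERTYPE_IP, bytes(20)),
    ]
```

Run `audit()` over the frames of a real capture taken with the card in normal (non-promiscuous) mode; if "unicast-to-other" stays at zero while the ARP requests pile up, the modem is filtering as designed and the broadcasts are just the shared segment being noisy.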

 
 
 

question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Paul Nixo » Tue, 07 Aug 2001 06:23:51


How does one tabulate the ARP requests to get the MB total?

Paul

> Oh, it hasn't stopped. I am still getting bombarded with ARP queries; at last
> count it was 54 MB a day worth.

 
 
 

question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Manfred Bart » Tue, 07 Aug 2001 06:35:19




> > The ARP requests that you mention are harmless to your system, but
> > indicate that the MAC filter in your cable modem is not
> > functioning (it is supposed to filter out any packets that do not
> > contain your MAC address).  This may mean that somebody has hit

> > the MAC filters, or something else.
> If he were getting the arp *replies*, then the filter on the modem
> would be broken.

Or the MAC filter on the cable modem is deliberately turned off.


change the NIC without problems.  As a consequence, I see all arp
traffic (including replies) on my segment.

--
Manfred
----------------------------------------------------------------
NetfilterLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

 
 
 

question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Josep » Tue, 07 Aug 2001 08:10:24



> change the NIC without problems.  As a consequence, I see all arp
> traffic (including replies) on my segment.

I was under the impression that the cable modem "trains" on the first MAC
that it sees. If you change the NIC, you would have to turn off the modem,
wait a couple of minutes and then switch it on. Is there any way a user can
configure it?

Since you can see the arp replies, you would be able to find the source of
any such DoS attacks, hopefully.

 
 
 

question: Who is xxx.xxx.xxx.xxx tell xxx.yyy.yyy.zzz

Post by Manfred Bart » Tue, 07 Aug 2001 09:05:46




> > change the NIC without problems.  As a consequence, I see all arp
> > traffic (including replies) on my segment.
> I was under the impression that the cable modem "trains" on the
> first MAC that it sees. If you change the NIC, you would have to
> turn off the modem.

Not here, not with my Nortel CM100.

> Since you can see the ARP replies, you would be able to find the
> source of any such DoS attacks, hopefully.

Only if they come from my local cable segment.  I do get lots of
packets sent to my port 80 (648 so far in August) but that is not
enough to call it DoS.  Since I don't run anything on that port I have
stopped logging that now, I just keep an eye on the count associated
with the port 80 rule.  Same for port 53.

--
Manfred
----------------------------------------------------------------
NetfilterLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>

 
 
 
