[ale] Linux Box is Garbage Spewer please help!

Mel Burslan mel.burslan at s1.com
Wed Jun 20 12:01:43 EDT 2001


You may have been victimized by a DDoS attacker. I don't know about the
bots under the Linux platform, but they can be quite mighty to bomb
targets with garbage while keeping their tracks well hidden from the
DDoS'ed victim. But your ISP (thanks to people like those) can and is
tracking the output of your machine to tell garbage packets coming out of
your particular system(s).

Since I do not know the exact port numbers exploited under Linux, all I
can say is to investigate such a possibility by making a google search
on "DDoS Linux exploit port" and close derivatives of these words that
you can relate, find the port numbers and do 

netstat -a | grep <port#>

to see if this is the case. A good starting point may be 

http://www.grc.com

run by Steve Gibson, a security expert who got DDoS'ed early in May of
this year. Read a couple of Loooong articles linked from this page, the URL
of which is given above.

If it is not the case, you need to find a way to configure one of the
network cards on one of your systems into promiscuous mode and run a
sniffer-like piece of software to figure out what kind of garbage is coming out
of which system.

I know all I have said is too wide and sounds vague, but I personally
do not have any personal brush with such a situation so far. Hope it
helps...

Mel.

djinn wrote:
> 
> Greetings
> 
> My ISP just waved a paper in my face proclaiming that one of two boxen
> that I run, both Linux, is spewing forth garbage...but he doesn't know
> which one.  Our outbound traffic went thru the roof last night, while
> inbound is its normal, sedate, tiny self.
> 
> Now, I certainly don't have anything set up to spew garbage, and I
> *think* all is well with my boxen...they're not acting peculiar and I
> know them pretty well.  Can anyone give me any diagnostic pointers in
> this case?  I'm not very knowledgeable about what happens once a packet
> leaves my box, so I'm having a hard time trying to figure out what to
> diagnose here or even how to diagnose it.
> 
> While I await help, I'm going to run a clean lsof and my usual "have we
> been cracked" checksums and diagnostics...but should those fail to tell
> me anything...what do you guys suggest?
> 
> Please help??
> 
> TIA
> jenn
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
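As an added example (not code from the original post or the list), the sniffer-side tally Mel's advice leads to: parse tcpdump-style lines captured on a promiscuous interface and total outbound bytes per local source and destination port, so you can tell which of the two boxes is the one sending. The sample lines, the 192.168.1.0/24 LAN and the tcpdump -nn line format are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample of `tcpdump -nn -i eth0` output (not a real capture).
SAMPLE_CAPTURE = """\
12:01:43.000001 IP 192.168.1.10.34567 > 203.0.113.5.80: Flags [S], seq 1, length 0
12:01:43.000102 IP 203.0.113.5.80 > 192.168.1.10.34567: Flags [S.], seq 9, ack 2, length 0
12:01:43.000203 IP 192.168.1.11.4444 > 198.51.100.9.53: UDP, length 1400
12:01:43.000304 IP 192.168.1.11.4444 > 198.51.100.9.53: UDP, length 1400
12:01:43.000405 IP 192.168.1.11.4444 > 198.51.100.9.53: UDP, length 1400
12:01:43.000506 IP 192.168.1.10.34567 > 203.0.113.5.80: Flags [P.], seq 1:61, ack 10, length 60
12:01:43.000607 IP 192.168.1.11.4445 > 198.51.100.9.53: UDP, length 1400
"""

# "IP <src>.<sport> > <dst>.<dport>: ... length <n>" as printed by tcpdump -nn.
LINE_RE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): .*length (?P<len>\d+)"
)


def outbound_summary(capture_text, local_net):
    """Tally packets and payload bytes per (local source, destination port),
    counting only traffic that leaves the local network."""
    net = ip_network(local_net)
    stats = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for line in capture_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ARP, truncated or otherwise unparsed line
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if src in net and dst not in net:
            key = (m["src"], int(m["dport"]))
            stats[key]["packets"] += 1
            stats[key]["bytes"] += int(m["len"])
    return dict(stats)


def top_talker(summary):
    """Return the (source, dport) pair responsible for the most outbound bytes."""
    return max(summary, key=lambda k: summary[k]["bytes"]) if summary else None
```

Feed it a real capture with `tcpdump -nn -i eth0 > cap.txt` and the top talker is the box (and port) to look at first with lsof and netstat.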
