"Burke, Thomas G." wrote:
>
> OK, here's the deal...
>
> Big, and in sections (separated by tildes (~))... As an aside, I have just
> added 165.113.216.6 to my hosts.deny file...
>
> Sections include tcpdump, log files, and a traceroute... I cannot nslookup
> what appears to be the offending host (165.113.216.6) (nor can I whois him)...
> I can, however, ping, telnet, ftp to this box (although I don't know the
> passwords)... It doesn't seem to have a name (interesting)...
>
> So, this said, it would appear to me that this box is attached to a network
> where the admin doesn't know it exists.
>
> What I appear to be seeing is a series of messages of some sort from this
> machine to mine (on different, successive ports)... My machine seems to
> talk back to this machine as well (on different, successive ports). Shortly
> after the talking occurs, my machine starts trying to blast a gazillion
> packets out to different machines - it looks as if I am being used as part
> of a DOS attack of some sort. Fortunately, my firewall seems to be blocking
> me from sending this crap out to the world.
>
> There seems to be some correlation between some of the talking between mine
> & the mystery machine to what the firewall is blocking, but I can't tell
> exactly what. It seems almost as if there is a daemon running on my machine
> for this, but I can find no evidence of it... I have looked through my rc.d
> directories, and none of them seem to be modified...
>
> I have gone through my box, and I see no evidence of a successful break-in,
> except for the fact that my machine is talking to some other machine. So,
> here are the questions:
>
> 1) Have I been broken into, and how.
> 2) If I have been compromised, how can I find the daemons that may be
> running to do this talking?
> 3) What can I do to keep this from happening again?
>
> In a nutshell... What the heck is going on here?!
The IP seems to be in the address block for crl.com. Their web site
gives an 800 number:
800-727-0793
Give them a buzz and ask to talk to network security about a possible
intrusion.
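The pattern the original poster describes (a remote host hitting successive local ports, the local box answering, then a burst of outbound packets to many destinations) can be checked for in a tcpdump text capture. The script below is an added example, not part of this thread; the capture lines are constructed, the reporter's address 10.0.0.5 and the thresholds are assumptions, and only the remote address comes from the mail.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style lines (not from the original mail). The remote host
# is the one named in the thread; 10.0.0.5 is an assumed address for the reporter's box.
SAMPLE = """\
12:00:01.10 IP 165.113.216.6.40001 > 10.0.0.5.1025: UDP, length 8
12:00:01.20 IP 10.0.0.5.1025 > 165.113.216.6.40001: UDP, length 8
12:00:01.30 IP 165.113.216.6.40002 > 10.0.0.5.1026: UDP, length 8
12:00:01.40 IP 10.0.0.5.1026 > 165.113.216.6.40002: UDP, length 8
12:00:01.50 IP 165.113.216.6.40003 > 10.0.0.5.1027: UDP, length 8
12:00:02.00 IP 10.0.0.5.2000 > 192.0.2.10.80: Flags [S]
12:00:02.01 IP 10.0.0.5.2001 > 192.0.2.11.80: Flags [S]
12:00:02.02 IP 10.0.0.5.2002 > 192.0.2.12.80: Flags [S]
12:00:02.03 IP 10.0.0.5.2003 > 192.0.2.13.80: Flags [S]
12:00:09.00 IP 10.0.0.5.3000 > 198.51.100.7.25: Flags [S]
"""

LINE = re.compile(r"^(\d+):(\d+):(\d+\.?\d*) IP (\S+)\.(\d+) > (\S+)\.(\d+):")

def parse(text):
    """Turn tcpdump lines into (seconds, src, sport, dst, dport) tuples."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            h, mi, s, src, sport, dst, dport = m.groups()
            t = int(h) * 3600 + int(mi) * 60 + float(s)
            pkts.append((t, src, int(sport), dst, int(dport)))
    return pkts

def find_sequential_inbound(pkts, local, min_run=3):
    """Remotes that hit `local` on consecutive ports p, p+1, p+2, ... -> their hits."""
    seen, runs = defaultdict(list), {}
    for t, src, _, dst, dport in pkts:
        if dst == local:
            seen[src].append((t, dport))
    for remote, hits in seen.items():
        ports = [p for _, p in hits]
        if len(ports) >= min_run and all(b == a + 1 for a, b in zip(ports, ports[1:])):
            runs[remote] = hits
    return runs

def outbound_burst_after(pkts, local, t0, window=2.0, min_targets=3):
    """Distinct hosts `local` sends to within `window` seconds after t0 (assumed thresholds)."""
    targets = {dst for t, src, _, dst, _ in pkts if src == local and t0 <= t <= t0 + window}
    return targets if len(targets) >= min_targets else set()

def analyze(text, local="10.0.0.5"):
    """Map each sequential-port remote to the outbound targets seen right after its last hit."""
    pkts = parse(text)
    return {remote: sorted(outbound_burst_after(pkts, local, hits[-1][0]) - {remote})
            for remote, hits in find_sequential_inbound(pkts, local).items()}
```

A non-empty target list for a remote is the correlation the poster was looking for by eye; the remote and the burst window then give the timestamps to search in the system logs and process list.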