On Tuesday 18 May 2004, 14:17, Javier Fernández-Sanguino Peña wrote:
> On Thu, May 13, 2004 at 09:02:45PM +0200, Kjetil Kjernsmo wrote:
> > Hm, chkrootkit says that eth0 is not promiscuous... And as I said,
> > I don't think I ever got Snort to work right... :-)
>
> Are you sure that's not a bug i
On Thu, May 13, 2004 at 05:52:36PM +0200, Kjetil Kjernsmo wrote:
> Hi all!
>
> I turn to you with a bit of desperation now. It feels like I'm under
(...)
> And I can't for the life of me figure out where it's coming from...
(...)
I know the
On Thu, May 13, 2004 at 09:02:45PM +0200, Kjetil Kjernsmo wrote:
>
> Hm, chkrootkit says that eth0 is not promiscuous... And as I said, I
> don't think I ever got Snort to work right... :-)
Are you sure that's not a bug in chkrootkit (false negative)? I introduced
a change in the Tiger [1] due
On Thursday 13 May 2004, 22:10, Florian Weimer wrote:
> * Kjetil Kjernsmo:
> > Oh, I see. But one thing I do not understand, it doesn't seem like
> > this traffic is directed at me, since it's not my address that's
> > the destination...? Are they routing their traffic through me or
> > something?
* Kjetil Kjernsmo:
> Oh, I see. But one thing I do not understand, it doesn't seem like this
> traffic is directed at me, since it's not my address that's the
> destination...? Are they routing their traffic through me or something?
It's some odd switch-router whose forwarding table is overflo
On Thursday 13 May 2004, 20:37, Gian Piero Carrubba wrote:
> On Thu, 2004-05-13 at 19:53, Kjetil Kjernsmo wrote:
>
> [...]
>
> > 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
> > 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
>
> A s
On Thu, 2004-05-13 at 19:53, Kjetil Kjernsmo wrote:
[...]
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
A switched lan, I see ;)
It can be slammer [1] (if so, I guess why the ISP te
On Thursday 13 May 2004, 20:15, Lars Ellenberg wrote:
> > 19:41:29.675637 217.77.34.162.2090 > 234.195.198.113.1434: udp 376 [ttl 1]
>
> ok, chances are that 217.77.34.162 runs an unpatched MS-SQL server,
> was infected, and now tries to compromise the world, and its own
> subnet, where you h
On Thu, May 13, 2004 at 07:53:33PM +0200, Kjetil Kjernsmo wrote:
> 19:41:32.083993 217.77.34.162.2090 > 226.58.55.41.1434: udp 376 [ttl 1]
> 19:41:32.192344 217.77.34.162.2090 > 234.247.236.46.1434: udp 376 [ttl 1]
>
> M, I don't know what machine 217.77.34.162 is, but I wouldn't be
> su
/ 2004-05-13 19:53:33 +0200
\ Kjetil Kjernsmo:
> On Thursday 13 May 2004, 19:32, Robert Jakubowski wrote:
> > The best way to see what is going on is to dump the traffic to a file
> > and analyse it. Tcpdump and ethereal are great tools for that
> > purpose.
>
> Great! Reagan Blundell also told me
On Thursday 13 May 2004, 19:32, Robert Jakubowski wrote:
> The best way to see what is going on is to dump the traffic to a file
> and analyse it. Tcpdump and ethereal are great tools for that
> purpose.
Great! Reagan Blundell also told me about them offline.
> Ethereal will make the job easier
Kjetil Kjernsmo wrote:
Hi all!
I turn to you with a bit of desperation now. It feels like I'm under
some kind of attack. Maybe I've even been compromised. The last few
days, I've experienced an insane and constant amount of incoming
traffic. I'm
The best way to see what is going on is to dump the traffic to a file and
analyse it. Tcpdump and ethereal are great tools for that purpose.
Ethereal will make the job easier and should give you a clue.
If you are afraid the server has been compromised you have to use another
computer to get reli
Hi all!
I turn to you with a bit of desperation now. It feels like I'm under
some kind of attack. Maybe I've even been compromised. The last few
days, I've experienced an insane and constant amount of incoming
traffic. I'm not sure how long it has