TCLUG Archive

Re: [TCLUG:2438] Somethings ... STATUS REPORT



With the help of Gordon last night (until about 2:00 am) we kind of got a
picture as to what's happening.

Both Gordon and I think that someone is attempting to relay off my system.

On advice from people on this and another list, we began watching the
output of tcpdump for eth1 (which is connected to the router). Aside from
what we were running, we saw a zillion packets going from and to:

	bourbon.NetVision.Net.il

traceroute shows this to have an ip of 199.203.100.253.

After much learning and practicing, we (mostly Gordon) set up a firewall
that killed any packets going to or coming from that ip address. This
prevented whatever errant process on my system from initiating the
unwanted connection, but the connection coming in would have to be
connected in order to hit the firewall and get rejected.

Between 1:00 am and 5:40 this morning I logged about six pages (tiny
print) of packets trying to get in that hit the firewall and were denied.
At that point whatever was trying to get in gave up for a while. Since
then I get a few packets every hour, but not often enough to keep my
connection alive forever.

I have a request into my ISP to stop these incoming packets from being
sent on to me, which would complete my task of keeping my phone bill from
skyrocketing.

Left to figure out:

* Was / Is there a process running on my system that needs to be removed
or cleaned up?
* How can I set up a better (more suited to my needs) firewall that will
be more preventive in nature, but still allow me to get my work done?
* What else might have been compromised? Passwords?
* Who did this? What were they doing? Will I get blamed for it? Etc.?
* If this _wasn't_ an attack from the outside, what could it have been?

Anything more? (My mind is reeling.)

--
Richard Seymour, Anarchy Software, Inc.
anarchy@anarchysoftware.com

The opinions expressed are those of my employer, not my own.
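The diagnosis described in the post (watch tcpdump on the external interface, find the host responsible for most of the traffic, and work out whether a local process is opening the connections or the remote side is) can be done mechanically over the capture output. The script below is an added example for this archive page, not code from the original poster or from the TCLUG thread. It assumes the modern `tcpdump -n` line format, uses 10.0.0.2 as a stand-in for the local host, and feeds itself a handful of constructed lines (the 199.203.100.253 address is the one named in the post; 192.0.2.10 is a documentation-range address used as a second, harmless peer).

```python
import re
from collections import Counter, defaultdict

# Constructed sample of `tcpdump -n -i eth1` output (assumed modern tcpdump
# line format).  These are NOT lines from the original post's capture.
# 10.0.0.2 stands in for the local host, 199.203.100.253 is the address
# named in the post, 192.0.2.10 is a documentation-range address used as a
# second peer.
SAMPLE_CAPTURE = """\
01:05:02.112233 IP 10.0.0.2.1025 > 199.203.100.253.25: Flags [S], seq 1, win 512, length 0
01:05:02.412233 IP 199.203.100.253.25 > 10.0.0.2.1025: Flags [S.], seq 2, ack 2, win 8760, length 0
01:05:02.512233 IP 10.0.0.2.1025 > 199.203.100.253.25: Flags [.], ack 1, win 512, length 0
01:05:03.000000 IP 199.203.100.253.2201 > 10.0.0.2.25: Flags [S], seq 5, win 8760, length 0
01:05:03.200000 IP 199.203.100.253.2202 > 10.0.0.2.25: Flags [S], seq 6, win 8760, length 0
01:05:04.000000 IP 10.0.0.2.1026 > 192.0.2.10.80: Flags [S], seq 9, win 512, length 0
01:05:04.300000 IP 192.0.2.10.80 > 10.0.0.2.1026: Flags [S.], seq 3, ack 10, win 5840, length 0
"""

LOCAL_IP = "10.0.0.2"  # assumed address of the local host on eth1

# One tcpdump TCP line: timestamp, src.port > dst.port, and the TCP flags.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_capture(text):
    """Turn tcpdump text lines into dicts; lines that don't match are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            packets.append(m.groupdict())
    return packets


def packets_per_peer(packets, local_ip=LOCAL_IP):
    """Count packets exchanged with each remote address, in either direction."""
    counts = Counter()
    for p in packets:
        if p["src"] == local_ip:
            counts[p["dst"]] += 1
        elif p["dst"] == local_ip:
            counts[p["src"]] += 1
    return counts


def syn_direction_per_peer(packets, local_ip=LOCAL_IP):
    """For each peer, count bare SYNs (new connection attempts) by direction.

    'outbound' SYNs are opened by a process on the local host; 'inbound' SYNs
    are opened by the remote side.  Flags "S" is a SYN without ACK; "S." is
    the SYN-ACK reply and is not an initiation, so it is ignored.
    """
    dirs = defaultdict(lambda: {"inbound": 0, "outbound": 0})
    for p in packets:
        if p["flags"] != "S":
            continue
        if p["src"] == local_ip:
            dirs[p["dst"]]["outbound"] += 1
        elif p["dst"] == local_ip:
            dirs[p["src"]]["inbound"] += 1
    return dict(dirs)


def top_talker(packets, local_ip=LOCAL_IP):
    """Return (peer, packet_count) for the busiest remote address, or None."""
    counts = packets_per_peer(packets, local_ip)
    if not counts:
        return None
    return counts.most_common(1)[0]


if __name__ == "__main__":
    pkts = parse_capture(SAMPLE_CAPTURE)
    peer, n = top_talker(pkts)
    print(f"busiest peer: {peer} ({n} packets)")
    for ip, d in syn_direction_per_peer(pkts).items():
        print(f"{ip}: {d['outbound']} connections opened by us, "
              f"{d['inbound']} opened by them")
```

The busiest peer is the address a host-based rule would block, as the post describes. The SYN direction is what answers the first open question in the post: outbound bare SYNs toward that peer mean something on the local box is opening connections to it (a relaying or otherwise misbehaving process to hunt down), while inbound-only SYNs mean the remote side alone is keeping the dial-up link busy, which a local firewall cannot stop from arriving and is what the request to the ISP addresses.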