-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

For the past several days I've gotten a finger on my ssl port, once a day. Each time I answered it with an nmap, and each time it was from a different country: China, Taiwan, Australia, and each time the machine was a Suse with kernel 2.1.

=Yesterday= when I answered with nmap, he immediately responded with about 15 more fingers on the SSL port before I hung up. I reconnected, and quiet after that. Here's what I saw:

sshd-::ffff:61.132.90.10 unknown
Date: Thu, 13 Jun 2002 21:17:30 -0500 (CDT)
From: root@hydra.darkmatter.org (root)
To: root@hydra.darkmatter.org

finger: Connection refused

sshd-::ffff:210.243.244.245 root
Date: Fri, 14 Jun 2002 19:40:28 -0500 (CDT)
From: root@hydra.darkmatter.org (root)
To: root@hydra.darkmatter.org

[::ffff:210.243.244.245/::ffff:210.243.244.245]
No one logged on.

sshd-::ffff:213.227.69.224 unknown
Date: Sat, 15 Jun 2002 20:26:16 -0500 (CDT)
From: root@hydra.darkmatter.org (root)
To: root@hydra.darkmatter.org

finger: Connection refused

sshd-::ffff:144.132.25.77 unknown
Date: Sun, 16 Jun 2002 11:24:31 -0500 (CDT)
From: root@hydra.darkmatter.org (root)
To: root@hydra.darkmatter.org

finger: Connection refused

After this one I got the 15 from the same place in response to my scan. So obviously he has enough control over these machines to know I'm scanning him.

ppp0      Link encap:Point-to-Point Protocol
          inet addr:64.24.136.21  P-t-P:192.168.254.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:13454 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14136 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:5481292 (5.2 Mb)  TX bytes:1921173 (1.8 Mb)

Yesterday after the onslaught I noticed that suddenly I was sending OUT as much traffic as I was getting IN, while browsing! Could this be a clumsy hijacking?

I turned off Squid & Junkbuster, turned off SSL & Apache, tried Konq & Netscape, tried IE through VMware, hung up & reconnected with a different IP, and rebooted. Always sending as much as receiving.

hydra:/proc/sys/net/ipv4/conf/ppp0 # cat forwarding
1

There is no place in Yast to set this! Why is this on?! Do I have to turn it off in boot.local? (Setting this off didn't fix the problem.)

Am I compromised? This doesn't remind me of any compromises I know. Why am I suddenly sending as much as I receive, while I'm receiving?

- --
Philosophy will clip an angel's wings. -- John Keats

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAj0ODEkACgkQnQ18+PFcZJs3PACeKSp5Z+M+z8lVbPs5CESu3/4D
P/QAnRagSGrJCwCqwix3Kan2WmVPuWMU
=6TuZ
-----END PGP SIGNATURE-----
participants (1)
-
Carl
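Added example, not part of Carl's post: a small Python parser for the finger-reply notices quoted above, the kind of thing you would run over the mailbox those wrapper notices land in. It strips the IPv4-mapped ::ffff: prefix sshd logged, counts probes per source, and flags a source whose probes cluster the way the "15 more fingers" did. The four quoted records are taken from the post; the burst records, the five-minute window and the threshold of ten are constructed assumptions for the demonstration.

```python
"""Parse finger-probe notices of the form quoted in the post and flag bursty sources.

Added example; not the original poster's code.  Record layout follows the
mail excerpts in the post; the burst records below are constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

CDT = timezone(timedelta(hours=-5))  # the -0500 offset in the quoted notices

# One notice per line, in the run-together form the post shows.
RECORD_RE = re.compile(
    r"^sshd-(?P<addr>\S+)\s+(?P<user>\S+)\s+"
    r"Date:\s+(?P<date>[A-Za-z]{3}, \d{1,2} [A-Za-z]{3} \d{4} \d\d:\d\d:\d\d [+-]\d{4})"
    r" \([A-Z]+\)\s+From:.*?\s+To:\s+\S+\s+(?P<result>.*)$"
)

# The four records quoted in the post.
QUOTED = [
    "sshd-::ffff:61.132.90.10 unknown Date: Thu, 13 Jun 2002 21:17:30 -0500 (CDT) "
    "From: root@hydra.darkmatter.org (root) To: root@hydra.darkmatter.org finger: Connection refused",
    "sshd-::ffff:210.243.244.245 root Date: Fri, 14 Jun 2002 19:40:28 -0500 (CDT) "
    "From: root@hydra.darkmatter.org (root) To: root@hydra.darkmatter.org "
    "[::ffff:210.243.244.245/::ffff:210.243.244.245] No one logged on.",
    "sshd-::ffff:213.227.69.224 unknown Date: Sat, 15 Jun 2002 20:26:16 -0500 (CDT) "
    "From: root@hydra.darkmatter.org (root) To: root@hydra.darkmatter.org finger: Connection refused",
    "sshd-::ffff:144.132.25.77 unknown Date: Sun, 16 Jun 2002 11:24:31 -0500 (CDT) "
    "From: root@hydra.darkmatter.org (root) To: root@hydra.darkmatter.org finger: Connection refused",
]


def burst_lines(ip, start, count, gap=timedelta(seconds=3)):
    """Construct `count` notices from `ip`, `gap` apart, mimicking the post's format (test data)."""
    lines = []
    for i in range(count):
        when = start + i * gap
        lines.append(
            f"sshd-::ffff:{ip} unknown Date: {when.strftime('%a, %d %b %Y %H:%M:%S %z')} (CDT) "
            "From: root@hydra.darkmatter.org (root) To: root@hydra.darkmatter.org "
            "finger: Connection refused"
        )
    return lines


# Constructed: the quoted four plus a 15-probe burst from the last source.
SAMPLE = QUOTED + burst_lines("144.132.25.77", datetime(2002, 6, 16, 11, 30, 0, tzinfo=CDT), 15)


def parse_record(line):
    """Return ip (plain IPv4 if sshd logged a mapped address), user, timestamp, finger result."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError(f"unrecognised notice: {line[:40]!r}")
    addr = ipaddress.ip_address(m["addr"])
    # sshd on an IPv6 socket logs IPv4 peers as ::ffff:a.b.c.d; report the IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return {
        "ip": str(addr),
        "user": m["user"],
        "when": datetime.strptime(m["date"], "%a, %d %b %Y %H:%M:%S %z"),
        # "finger: Connection refused" means the remote host did not answer finger at all.
        "finger_answered": not m["result"].startswith("finger:"),
        "result": m["result"],
    }


def probes_per_source(records):
    """Count notices per source IP."""
    return Counter(r["ip"] for r in records)


def find_bursts(records, window=timedelta(minutes=5), threshold=10):
    """Map each source with >= `threshold` probes inside some `window` to its peak count.

    Sliding window over the sorted timestamps of each source; a single daily probe
    never trips it, a rapid run of probes does.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["when"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        best, lo = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    recs = [parse_record(line) for line in SAMPLE]
    for ip, n in probes_per_source(recs).most_common():
        print(f"{ip:16} {n:3} probes")
    print("bursting sources:", find_bursts(recs))
```

The only record whose finger query was answered is the second one, so the "kernel" and distribution observations in the post came from nmap, not finger. On the forwarding question: on Linux the runtime switch is `sysctl -w net.ipv4.ip_forward=0` (or writing 0 to `/proc/sys/net/ipv4/ip_forward`), with the persistent setting in `/etc/sysctl.conf`; a single-homed dialup host has no reason to forward. Interface byte counters alone cannot tell what the outbound bytes are; a capture on ppp0 (`tcpdump -ni ppp0`) would show the destinations and ports.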