[opensuse] Outgoing pings from my Webserver, compromised?
Hi list,

- I've got an openSuSE 11.0 with an Apache webserver.
- From my ASTARO firewall, I see a pile of outgoing traffic, repeated 24/7 every minute. My Firewall is blocking it..., anyone know what it is?

17:57:13 Default DROP ICMP 192.168.0.6 210.163.43.1 len=1044
17:57:23 Default DROP ICMP 192.168.0.6 212.110.79.74 len=1044

Read the above like this...from 192.168.0.6 it's pinging with a large packet to the two external IP's shown.

--
Med venlig hilsen/Best regards
Verner Kjærsgaard

On 30.01.2010, Verner Kjærsgaard wrote:
Read the above like this...from 192.168.0.6 it's pinging with a large packet to the two external IP's shown.
You should try to find out what process is sending these pings. A wild guess (because I've seen it before): nscd?

On 2010-01-30 20:00, Verner Kjærsgaard wrote:
Hi list,
- I've got an openSuSE 11.0 with an Apache webserver.
- From my ASTARO firewall, I see a pile of outgoing traffic, repeated 24/7 every minute. My Firewall is blocking it..., anyone know what it is?
17:57:13 Default DROP ICMP 192.168.0.6 210.163.43.1 len=1044
The IP belongs to "Japan Network Information Center"
17:57:23 Default DROP ICMP 192.168.0.6 212.110.79.74 len=1044
The IP belongs to "Republic of Macedonia"

Now, the problem is to track the application issuing those pings.

--
Cheers / Saludos,
Carlos E. R.
(from 11.2 "Emerald" GM (bombadillo))

On Sat, 2010-01-30 at 20:00 +0100, Verner Kjærsgaard wrote:
Hi list,
- I've got an openSuSE 11.0 with an Apache webserver.
- From my ASTARO firewall, I see a pile of outgoing traffic, repeated 24/7 every minute. My Firewall is blocking it..., anyone know what it is?
17:57:13 Default DROP ICMP 192.168.0.6 210.163.43.1 len=1044
17:57:23 Default DROP ICMP 192.168.0.6 212.110.79.74 len=1044
Read the above like this...from 192.168.0.6 it's pinging with a large packet to the two external IP's shown.
ICMP is more than just ping, and in the above you don't say if it is ICMP ECHO, it could for example be ICMP ECHO REPLY (a response to a ping), or an ICMP TIME EXCEEDED message (a response to a traceroute for example), or any one of several useful ICMP messages. ICMP is the error handling protocol of the internet, and simply blocking it could lead to unforeseen problems.

In this case, if you really don't want to allow the traffic, you should at least try to see what the ICMP message is. 1044 is not a normal size for a ping packet, it's much bigger than usual.

Anders

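The check suggested in the reply above (see which ICMP message it actually is), as an added example that is not part of the original thread: a Python decoder for a raw IPv4 packet that names the ICMP type and compares the size with a default ping. The sample packet is constructed, not captured, and reading the firewall's len=1044 as the IP total length is an assumption.

```python
import struct

# ICMP type numbers from RFC 792 (subset)
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable",
              8: "echo request", 11: "time exceeded"}
DEFAULT_PING_LEN = 84  # 20 IP + 8 ICMP + 56 data bytes, the Linux ping default

def checksum(data):
    """RFC 1071 Internet checksum over a byte string."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def classify(packet):
    """Decode a raw IPv4 packet and describe the ICMP message it carries."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                 # IP header length in bytes
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1:
        raise ValueError("IP protocol %d is not ICMP" % packet[9])
    icmp = packet[ihl:total_len]
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    return {
        "src": ".".join(map(str, packet[12:16])),
        "dst": ".".join(map(str, packet[16:20])),
        "type": ICMP_TYPES.get(icmp[0], "type %d" % icmp[0]),
        "code": icmp[1],
        "ip_len": total_len,
        "checksum_ok": checksum(icmp) == 0,      # a valid message sums to zero
        "bigger_than_default_ping": total_len > DEFAULT_PING_LEN,
    }

def build_sample(icmp_type=8, ip_len=1044):
    """Constructed test packet from 192.168.0.6 to 210.163.43.1 (not a capture)."""
    body = struct.pack("!BBH4s", icmp_type, 0, 0, b"\x12\x34\x00\x01")
    body += bytes(ip_len - 20 - len(body))       # zero padding up to ip_len
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    # IP header checksum is left at 0: classify() does not verify it
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0, 64, 1, 0,
                     bytes([192, 168, 0, 6]), bytes([210, 163, 43, 1]))
    return ip + body

if __name__ == "__main__":
    for t in (8, 0, 11):                         # the three types named above
        print(classify(build_sample(t)))
```
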
participants (4)
- Anders Johansson
- Carlos E. R.
- Heinz Diehl
- Verner Kjærsgaard