Date:      Wed, 18 Oct 2006 13:33:03 -0700
From:      Chuck Swiger <cswiger@mac.com>
To:        "Andresen, Jason R." <jandrese@mitre.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: Runaway kernel?  Or an attack?
Message-ID:  <BC53B472-8E48-4BE4-9011-5BA20D44630F@mac.com>
In-Reply-To: <F9F038204EE77C4AA9959A6B3C94AFE8F99CB8@IMCSRV2.MITRE.ORG>
References:  <F9F038204EE77C4AA9959A6B3C94AFE8F99CB8@IMCSRV2.MITRE.ORG>

On Oct 18, 2006, at 1:07 PM, Andresen, Jason R. wrote:
> Ok, I have a recurring problem with my webserver.  Once a day or so it
> gets locked into a loop with some random server usually somewhere in my
> ISP.  When it does this, it spends all of its time spitting out packets
> and getting FIN, ACKs back.
>
> Shutting down the HTTP server doesn't stop the traffic.  I have to
> create firewall rules to block the outgoing traffic to stop it.

Frankly, this sounds more like the random remote host has been  
compromised, rather than your machine, and it is scanning the network  
for other hosts to attack.  What URLs are being requested (check the  
http logs)?

> Here's a short tcpdump of the traffic when it happens, these packets
> are going out at a rate of thousands per second.  The 192.168.42.2 is
> the local host and 192.76.86.83 is the apparently random victim:

I'd talk to verizon.com and ask them what is going on from their side  
with that host...

-- 
-Chuck



