Hello,
I was pecking away at some work on a workstation,
when I noticed a high amount of activity on my hub, the lights were flashing
like crazy, and I wondered what the heck was going on. I was SSH'ed into
my RedHat 6.2 box, where all of the traffic was coming or going, so I did a ps
auxwww and got the usual stuff and:
root 1649 20.5 1.6 1292 500 p0 R 00:03 0:22 ping -f -s 65000 130.34.73.2
So I thought that someone must be trying to flood
ping me or something, so my immediate reaction was to do a killall ping,
which I did, but now it looks like it may have been trying to flood ping the IP
address of 130.34.73.2. I have checked all of the logs in /var/log/, and haven't
found anything out of the ordinary, and checked the apache log files, nothing
there either... I just don't know if I was being flood pinged, or if someone
hacked into my box and was trying to flood ping the 130... IP (I went
to ipidentify.com and found out that it is an IP of some University in Japan).
Does anyone have a clue on how that command could've been executed? I am pretty
much the only one with a login on the box, it is a RH 6.2 box with Apache
1.3.12, OpenSSH, and QMail. I have ICMP replies disabled in /etc/sysctl.conf
(net.ipv4.icmp_echo_ignore_all=1). And I just
don't know what happened, no one else was logged into my box besides me (as
root), and I have telnet and the other ports that aren't used disabled, and no
files were altered or anything. I would just like to know what happened exactly,
and how to prevent it in the future.
I am a newbie and appreciate any help you could
provide me with...
Thank you for your time,
Ken
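The ps output quoted in the post is the one piece of hard evidence Ken had before running killall. As an added example (not part of the original post or any reply to it), the script below parses `ps auxwww` output and flags ping invocations that look like a flood: the `-f` flag, a payload larger than one Ethernet frame (`-s`), a sub-200 ms interval (`-i`) or a preload (`-l`). The process list it runs on is constructed; only the `ping -f -s 65000 130.34.73.2` line mirrors the one quoted above, and the threshold of 1472 bytes is an assumption chosen to match a standard MTU.

```python
"""Flag flood-style ping processes in `ps auxwww` output (added example)."""
import os
from dataclasses import dataclass

# Constructed sample process list; the ping -f line mirrors the one in the post.
SAMPLE_PS = """\
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.3  1120  460 ?        S    Mar01   0:04 init
root       412  0.0  0.5  1720  820 ?        S    Mar01   0:00 /usr/sbin/sshd
ken        905  0.0  0.4  1600  700 p0       S    00:01   0:00 -bash
root      1649 20.5  1.6  1292  500 p0       R    00:03   0:22 ping -f -s 65000 130.34.73.2
root      1650  0.0  0.4  1400  600 p1       S    00:04   0:00 ping -c 3 192.0.2.1
"""

# ping options that consume the next token as their value (Linux iputils / BSD ping).
OPTS_WITH_VALUE = {"-c", "-i", "-s", "-w", "-W", "-p", "-t", "-l", "-I", "-Q", "-T", "-M", "-S"}
MAX_NORMAL_PAYLOAD = 1472   # assumption: anything above one Ethernet frame is suspect

PS_FIELDS = ("user", "pid", "cpu", "mem", "vsz", "rss", "tty",
             "stat", "start", "time", "command")


@dataclass
class Finding:
    pid: int
    user: str
    tty: str          # a pty (p0, pts/0) means it was started from a login session
    target: str
    reasons: list


def parse_ps(text):
    """Split `ps auxwww` output into dicts; the COMMAND column keeps its spaces."""
    rows = []
    for line in text.strip().splitlines()[1:]:      # skip the header row
        parts = line.split(None, len(PS_FIELDS) - 1)
        if len(parts) == len(PS_FIELDS):
            rows.append(dict(zip(PS_FIELDS, parts)))
    return rows


def inspect_ping(command):
    """Return (target, reasons) when `command` is a flood-style ping, else None."""
    tokens = command.split()
    if not tokens or os.path.basename(tokens[0]) != "ping":
        return None
    reasons, target, i = [], None, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-f":
            reasons.append("flood mode (-f)")
        elif tok in OPTS_WITH_VALUE and i + 1 < len(tokens):
            value = tokens[i + 1]
            try:
                if tok == "-s" and int(value) > MAX_NORMAL_PAYLOAD:
                    reasons.append(f"oversized payload (-s {value})")
                elif tok == "-i" and float(value) < 0.2:
                    reasons.append(f"sub-200ms interval (-i {value})")
                elif tok == "-l" and int(value) > 3:
                    reasons.append(f"packet preload (-l {value})")
            except ValueError:
                pass                                 # malformed value: ignore
            i += 1                                   # skip the consumed value
        elif not tok.startswith("-"):
            target = tok                             # last bare word is the host
        i += 1
    return (target, reasons) if reasons else None


def find_flood_pings(ps_text):
    """Run inspect_ping over every row of a `ps auxwww` dump."""
    findings = []
    for row in parse_ps(ps_text):
        hit = inspect_ping(row["command"])
        if hit:
            target, reasons = hit
            findings.append(Finding(int(row["pid"]), row["user"], row["tty"], target, reasons))
    return findings


if __name__ == "__main__":
    for f in find_flood_pings(SAMPLE_PS):
        print(f"PID {f.pid} ({f.user} on tty {f.tty}) -> {f.target}: {', '.join(f.reasons)}")
```

Two things the output makes explicit that the post only hints at. First, `net.ipv4.icmp_echo_ignore_all=1` only stops the kernel answering echo requests that arrive from outside; it has no effect on a ping started on the box itself, so heavy outbound ICMP with that setting in place points at a local process rather than an inbound flood. Second, the TTY column (`p0` in the quoted line) records that the ping was launched from a login session, which is why `last`, `who` and the sshd entries in /var/log/secure are the logs worth reading alongside the Apache ones. Capturing the ps line, `netstat -an` and `lsof -p <pid>` before `killall` keeps that evidence; once the process is gone, the TTY and its parent are gone with it.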