Hello,
I was pecking away at some work on a workstation
when I noticed a high amount of activity on my hub; the lights were flashing
like crazy, and I wondered what the heck was going on. I was SSH'ed into
my RedHat 6.2 box, where all of the traffic was coming or going, so I did a ps
auxwww and got the usual stuff and:
root 1649 20.5 1.6 1292 500 p0 R 00:03 0:22 ping -f -s 65000 130.34.73.2
So I thought that someone must be trying to flood
ping me or something, so my immediate reaction was to do a killall ping,
which I did, but now it looks like it may have been trying to flood ping the IP
address 130.34.73.2. I have checked all of the logs in /var/log/ and haven't
found anything out of the ordinary, and checked the Apache log files; nothing
there either... I just don't know if I was being flood pinged, or if someone
hacked into my box and was trying to flood ping the 130... IP (I went
to ipidentify.com and found out that it is an IP of some university in
Japan).
Does anyone have a clue how that command
could've been executed? I am the only one with a login on the box, and I have
OpenSSH restricted to only certain IPs here @ my house. It is a RH 6.2
box with Apache 1.3.12, OpenSSH, and QMail. I have ICMP replies disabled in
/etc/sysctl.conf (net.ipv4.icmp_echo_ignore_all=1). And I just don't know what happened; no
one else was logged into my box besides me (as root), I have telnet and the
other unused ports disabled, and no files were altered or anything. I
would just like to know what happened exactly, and how to prevent it in the
future.
I am a newbie and appreciate any help you could
provide me with...
Thank you for your time,
Ken