Hmm, this sure seems like you've been hacked. Your machine is flood pinging another machine and your root account is used for it. When you're hacked, the hacker usually uses your machine to try to crack the hosts that it is directly attached to. I believe they attack by flood pinging it or doing exhausting port scans to try to confuse the networking daemons. Perhaps if the daemons get too confused they open holes in the security mechanism.

You might want to check for the following signs:

- Is there an entry in your /etc/passwd file that shouldn't be there?
- Is there a daemon enabled in /etc/inetd.conf that shouldn't be? (These only show up in your process list when someone is logged in.)
- Are there processes running that you haven't started?
- Check /var/log/messages for messages like "Accepted password for ...": is there any logon by someone other than you? They may be logging in as root or as lp (line printer), in which case you won't even find an unusual entry in your password list.
- Do a find / -name ... as root. Replace ... by known hacking tools like synk4 or powerdrop or synscan or nmap. See sites like http://www.hoobie.net/security/exploits/index.html for more.
- Use netstat to see all your connections and see if there is a conspicuous one.

If you are hacked, your only option is to completely re-install and upgrade everything that is possible. Completely change all your passwords, totally restrict your firewall rules and check all your other machines. All the binaries may have been tampered with. There are such things as recompiled mingetty binaries that give all access to user X without checking the password file.

Good luck, you're not the first that's been screwed over :(

Serge Maandag.

-----Original Message-----
From: Ken Jansons [mailto:sysadmin@colinux.net]
Sent: Tuesday 19 December 2000 1:42
To: linux-admin@vger.kernel.org
Cc: linux-net@vger.kernel.org
Subject: Was I hacked or Flood Pinged?
Hello,

I was pecking away at some work on a workstation, when I noticed a high amount of activity on my hub, the lights were flashing like crazy, and I wondered what the heck was going on. I was SSH'ed into my RedHat 6.2 box, where all of the traffic was coming or going, so I did a ps auxwww and got the usual stuff and:

root 1649 20.5 1.6 1292 500 p0 R 00:03 0:22 ping -f -s 65000 130.34.73.2

So I thought that someone must be trying to flood ping me or something, so my immediate reaction was to do a killall ping, which I did, but now it looks like it may have been trying to flood ping the IP address of 130.34.73.2. I have checked all of the logs in /var/log/, and haven't found anything out of the ordinary, and checked the apache log files, nothing there either... I just don't know if I was being flood pinged, or if someone hacked into my box and was trying to flood ping the 130... IP (I went to ipidentify.com and found out that it is an IP of some University in Japan). Does anyone have a clue on how that command could've been executed? I am the only one with a logon onto the box, and I have OpenSSH restricted to only certain IPs here at my house.

It is a RH 6.2 box with Apache 1.3.12, OpenSSH, and QMail. I have ICMP replies disabled in /etc/sysctl.conf (net.ipv4.icmp_echo_ignore_all=1). And I just don't know what happened, no one else was logged into my box besides me (as root), and I have telnet and the other ports that aren't used disabled, and no files were altered or anything. I would just like to know what happened exactly, and how to prevent it in the future. I am a newbie and appreciate any help you could provide me with...

Thank you for your time,

Ken
sysadmin@colinux.net
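A triage script along the lines of the checklist in Serge's reply, added here as an example and not part of the original thread. Each function takes a file path so it can be run against copies of /etc/passwd, /etc/inetd.conf and /var/log/messages, or saved output of ps auxwww and netstat -tn, pulled off the suspect host. The sample files it writes are constructed for illustration: the host name, addresses, the toor account, the inetd entry, the lp login and the hidden synscan binary are all made up, and the rule that accounts below UID 100 should have no interactive shell is this example's assumption, not something the thread states.

```shell
#!/bin/sh
# Added triage example, not from the original thread. Each check reads a file
# (or saved command output) given as $1, so the functions can be pointed at
# copies taken from the suspect host. The samples at the bottom are constructed.

# /etc/passwd: accounts with UID 0 that are not root.
uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# /etc/passwd: system accounts (UID 1-99, e.g. lp) given an interactive shell.
# Assumption: such accounts normally have an empty shell field or /bin/false.
system_accounts_with_shell() {
    awk -F: '$3 > 0 && $3 < 100 && $7 ~ /sh$/ { print $1 }' "$1"
}

# /etc/inetd.conf: services still enabled (lines not commented out).
enabled_inetd_services() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$1" | awk '{ print $1 }'
}

# /var/log/messages: who sshd accepted a password for, and from where.
accepted_logins() {
    sed -n 's/.*Accepted password for \([^ ]*\) from \([^ ]*\).*/\1 \2/p' "$1"
}

# Saved "ps auxwww": user, PID and target of every ping run with -f
# (column 11 is the command name in ps aux format).
flood_pings() {
    awk '$11 ~ /(^|\/)ping$/ {
            for (i = 12; i <= NF; i++) if ($i == "-f") { print $1, $2, $NF; break }
        }' "$1"
}

# Saved "netstat -tn": distinct foreign addresses of ESTABLISHED connections.
established_peers() {
    awk '$1 == "tcp" && $6 == "ESTABLISHED" { sub(/:[0-9]*$/, "", $5); print $5 }' "$1" | sort -u
}

# Filesystem: the tool names from the reply, searched below $1 (use / on a real host).
find_named_tools() {
    find "$1" -type f \( -name synk4 -o -name powerdrop -o -name synscan -o -name nmap \) 2>/dev/null
}

# ---- constructed sample data (private and documentation address ranges) ----
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
lp:x:4:7:lp:/var/spool/lpd:/bin/bash
toor:x:0:0::/:/bin/sh
ken:x:500:500:Ken:/home/ken:/bin/bash
EOF
cat > "$SAMPLES/inetd.conf" <<'EOF'
#telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
ingreslock stream tcp nowait root /bin/sh sh -i
EOF
cat > "$SAMPLES/messages" <<'EOF'
Dec 18 23:40:11 colinux sshd[1502]: Accepted password for ken from 192.168.1.10 port 1023
Dec 18 23:51:02 colinux sshd[1590]: Accepted password for lp from 203.0.113.7 port 1022
EOF
cat > "$SAMPLES/ps.txt" <<'EOF'
USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root       412  0.0  0.5  1996  680 ?        S    Dec18   0:00 /usr/sbin/sshd
root      1649 20.5  1.6  1292  500 p0       R    00:03   0:22 ping -f -s 65000 130.34.73.2
EOF
cat > "$SAMPLES/netstat.txt" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.5:22          192.168.1.10:1023       ESTABLISHED
tcp        0      0 192.168.1.5:22          203.0.113.7:1022        ESTABLISHED
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
EOF
mkdir -p "$SAMPLES/fs/usr/lib/.x" && : > "$SAMPLES/fs/usr/lib/.x/synscan"

echo "== UID 0 accounts other than root";  uid0_accounts "$SAMPLES/passwd"
echo "== system accounts with a shell";    system_accounts_with_shell "$SAMPLES/passwd"
echo "== enabled inetd services";          enabled_inetd_services "$SAMPLES/inetd.conf"
echo "== accepted password logins";        accepted_logins "$SAMPLES/messages"
echo "== flood pings (user pid target)";   flood_pings "$SAMPLES/ps.txt"
echo "== established peers";               established_peers "$SAMPLES/netstat.txt"
echo "== known tool names on disk";        find_named_tools "$SAMPLES/fs"
```

Run it as shown against the constructed samples, or point each function at files copied from the suspect host. Because the reply warns that binaries may have been tampered with, run these checks from trusted tools (a rescue disk or a known-good statically linked toolset) rather than the awk, sed, find and netstat installed on the compromised machine.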