[ale] hacker or bad karma

Bao Ha baoh at linuxwizardry.com
Fri Aug 25 09:13:08 EDT 2000



It looks like a routing problem!

Are you running BGP4 on the 3640?  Look at the routing
table to see what is going on.  It could be BellSouth
has screwed up your routing.

Also, check all of the Linux servers and disable routed
or gated on them.  Point them to the default gateway on
the 3640 to prevent them from broadcasting bad routing
data.

Good luck.
Bao

-----Original Message-----
From: owner-ale at ale.org [mailto:owner-ale at ale.org] On Behalf Of Carl Forsell
Sent: Thursday, August 24, 2000 10:27 PM
To: ale at ale.org
Subject: [ale] hacker or bad karma


Level of severity:  Business at risk if not resolved soon

Ladies and Gentlemen,
I need your help.  We are an ISP, and have lost most of our tech staff in
the past couple of months, and although I have 10 years in Novell Admin,
this is a whole new world to me.  Here is the problem...

Starting last week, we have been having problems with connectivity.  At
first, all of our dial up lines connect to abd.abc.abc.XXX IPs.  When an
outage would hit, we could go to a machine that is on an xyz.xyz.xyz.xxx IP
address, go to the outside world and do a reverse traceroute.  We could see
the route hit BellSouth (henceforth referred to as BS), come to us on one
T1, hit the router and go back to BS on the second T1, us, them, us, them
until it died.  Outages last minutes to hours.  During an outage, the lines
do not go down, but can get to the point of 70-100 B/sec (that is not a
typo) of throughput.

BS says it is our Cisco 3640 that is causing the problem... I don't think
so.  We had a consultant snapshot all config files about 2 months ago, then
redo it a few days ago.  The files had not changed.

The problem comes and goes randomly and lasts minutes to hours (2 minutes to
6 hours).  Resetting the interface cards for the T1s and power cycling the
router have no effect.  During tonight's outage I telnet'd into the router
and it reported everything was fine.

My question... Is it possible that a former employee (several left with a
grudge) could in some way screw up the DNS on our router in a way that would
not show in the config files?  Are there any Linux easter eggs or bombs that
could flood the router's tables with bogus data?  Any ideas???

(all passwords have been changed and are secure: 8-15 characters, mixed
case, alpha and numeric and punctuation)

We are monitoring the systems with "Big Brother" already.  Is there anything
else I could monitor that might help (any other software)???

PS:  5 minutes after tonight's outage one Linux box (SuSE 6.2) froze tight
as a drum.  Hitting the keyboard did revive the monitor, but no other signs
of life.  This box was formerly owned by one of the recently departed
employees...

--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
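The us, them, us, them path Carl describes is what a forwarding loop looks like in a traceroute, and it is the kind of thing worth catching automatically while the outage is in progress. As an added example that is not part of this thread, here is a small Python check that parses traceroute output and reports the repeating hop cycle; the sample trace is constructed and uses RFC 5737 documentation addresses in place of the poster's real ones.

```python
import re
# Constructed sample of the symptom in the thread: the path bounces between
# the provider's router and our 3640 until it dies. RFC 5737 doc addresses.
SAMPLE_TRACEROUTE = """\
traceroute to 203.0.113.10 (203.0.113.10), 30 hops max
 1  192.0.2.1  1.2 ms  1.1 ms  1.0 ms
 2  198.51.100.1  8.3 ms  8.1 ms  8.0 ms
 3  203.0.113.1  9.9 ms  9.8 ms  9.7 ms
 4  198.51.100.1  18.2 ms  18.0 ms  18.1 ms
 5  203.0.113.1  20.4 ms  20.1 ms  20.3 ms
 6  * * *
"""
HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")    # "<hop>  rest of line"
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")  # first address on the line


def parse_hops(text):
    """Return [(hop_number, address_or_None), ...]; '* * *' gives None."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if m:  # skips the "traceroute to ..." header and blank lines
            ip = IPV4.search(m.group(2))
            hops.append((int(m.group(1)), ip.group(0) if ip else None))
    return hops


def _full_copies(seq, start, period):
    """Count consecutive full repetitions of seq[start:start+period]."""
    n, pos, pattern = 0, start, seq[start:start + period]
    while pos + period <= len(seq) and seq[pos:pos + period] == pattern:
        n, pos = n + 1, pos + period
    return n


def find_routing_loop(hops, min_cycles=2):
    """Return (first_hop_number, cycle_addresses) or None.  A cycle must repeat
    in full min_cycles times, so a single revisited hop is not reported."""
    addrs = [a for _, a in hops]
    first_seen = {}
    for idx, addr in enumerate(addrs):
        if addr is None:
            continue  # timed-out hop cannot start a cycle
        if addr not in first_seen:
            first_seen[addr] = idx
            continue
        start = first_seen[addr]
        if _full_copies(addrs, start, idx - start) >= min_cycles:
            return hops[start][0], addrs[start:idx]
    return None
```

Run it over the output of a reverse traceroute from an outside host; on the sample it reports the loop starting at hop 2 between the provider's router and the 3640, while a path that merely revisits one address once (load balancing) is left alone.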
