[ale] Linux Box is Garbage Spewer please help!

tewkewl at mindspring.com
Wed Jun 20 15:19:27 EDT 2001


I would put the box back on the wire as normal and see if it still happens.  I mean...what exactly is "spewing garbage"?  What is garbage?  And what kind of isp is going to send you that type of email?  Do they have any source/destination addresses?  Was the garbage a lot of broadcasts?  What is garbage?  What the hell kind of assessment is that?  Were they sniffing your link to see this "garbage"?  Was it packet based?  Or could it have been bad ethernet frames from a nic going haywire?

And promiscuous mode is indeed promiscuous mode...some nics may not be able to drop into full promiscuous (to examine runts and the like) but most are capable of mostly promiscuous. :)  The only problem is that if your isp has your servers running into a switch, the only thing you will see are broadcasts. And I would hate to think that if they are indeed on a switch, that you would be in the same vlan with other customers.  If that were the case anybody on that switch could play man in the middle against any other customer.

-Patrick

djinn at djinnspace.com wrote:
> Thanks to all for the advice.  Here's what I've done, if anyone can help
> with next steps...
>
> 1) run strings against ls, ps, and netstat on a known good (i.e., clean)
> machine and the machine in question.  diff of the output.  no
> difference...
>
> 2) run netstat both on machine in question and from floppy with known good
> binary (dynamically linked tho...would like to run static binary but can't
> find or seem to make one).  nothing weird going on.
>
> 3) run nmap from 3 different external and internal machines to verify the
> info I'm getting from netstat on machine in question.  nmap looks fine, no
> weird listeners.
>
> 4) removed machine in question from network, put it on hub with one other
> machine in a closed environment.  Ran tcpdump, poked and prodded,
> everything appears normal.
>
> 5) put a machine on original network with tcpdump snarfing all packets.
>
> 6) put machine in question back on network with tcpdump -i running to
> hopefully snarf all outgoing packets.  closed off ports listening, am
> about to restart services one at a time to see if traffic goes crazy.
> (for the record, this is a beta machine listening to ports 22, 80, 21, and
> 3306 only...updated versions of all services).
>
> So where do I go from here?  This ISP is not exactly knowledgeable (I know
> more about this stuff than they do, and we can all see how much I know)
> and not at all helpful. I don't really know what I'm looking at with
> tcpdump...anyone know of any good tutorials out there?  I'm seeing a lot
> of stuff bound for IP addresses that the ISP swears can't possibly affect
> our segment...is this normal?  In other words, if I have a range of IP
> addresses, say 1.2.3.4 - 1.2.3.10, and I have allotted bandwidth for those
> IP addresses, and I asked "are there any other machines on this segment
> that could be affecting our outbound bandwidth utilization" and got the
> answer "absolutely not", should I be seeing packets bound for 2.3.4.5?  I
> don't fully understand how promiscuous promiscuous mode is.
>
> Sorry for all the questions, I'm pretty freaked right now b/c I've never
> been cracked and honestly, I'm not sure I am now.  Thanks for all the help
> so far and TIA for any further assistance.
>
> Jenn

--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
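The thread's open question is how to tell, from a capture on a shared segment, which host is actually emitting the traffic and whether it is one of "ours". The script below is an added example and is not code from either poster: it parses the link-layer form of tcpdump output (`tcpdump -e -nn`, where `-e` prints the source and destination MAC and `-nn` suppresses name and port lookups) and attributes bytes to the (source MAC, source IP) pair that sent them. A source IP outside the allotted range means another machine on the segment is sending, regardless of what the ISP says; one IP seen from two MACs is the sign of the impersonation Patrick worries about. The 1.2.3.4 - 1.2.3.10 range and 2.3.4.5 come from the thread; the MAC addresses (IANA documentation range), 1.2.3.99, 9.8.7.6 and the capture lines themselves are constructed for this example, in the line format printed by current tcpdump releases rather than the 2001 one.

```python
"""Attribute frames on a shared (hub) segment to the host that sent them.

Input is the text output of "tcpdump -e -nn".  Added example; the sample
capture below is constructed, not taken from the thread.
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Address range the ISP allotted to us (the thread's example, inclusive).
OUR_FIRST = ip_address("1.2.3.4")
OUR_LAST = ip_address("1.2.3.10")
BROADCAST = "ff:ff:ff:ff:ff:ff"

# One frame as printed by "tcpdump -e -nn": timestamp, src MAC > dst MAC,
# ethertype, frame length, then the protocol-specific remainder.
FRAME_RE = re.compile(
    r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), "
    r"ethertype (?P<etype>\w+) \(0x[0-9a-f]+\), length (?P<length>\d+): (?P<rest>.*)$"
)
# Inside an IPv4 frame: "src.port > dst.port:" (no port on ICMP lines).
IPV4_RE = re.compile(
    r"^(?P<sip>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)? > "
    r"(?P<dip>\d{1,3}(?:\.\d{1,3}){3})(?:\.\d+)?:"
)


def parse_frame(line):
    """Return a dict for one tcpdump -e -nn line, or None if it is not a frame."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    frame = {"smac": m["smac"], "dmac": m["dmac"], "etype": m["etype"],
             "length": int(m["length"]), "sip": None, "dip": None}
    if frame["etype"] == "IPv4":
        ip = IPV4_RE.match(m["rest"])
        if ip:
            frame["sip"], frame["dip"] = ip["sip"], ip["dip"]
    return frame


def ours(ip):
    """True if ip lies in the range the ISP allotted to us."""
    return OUR_FIRST <= ip_address(ip) <= OUR_LAST


def summarize(lines):
    bytes_by_sender = defaultdict(int)  # (src MAC, src IP) -> bytes on the wire
    macs_per_ip = defaultdict(set)      # src IP -> every MAC seen claiming it
    foreign_senders = set()             # senders whose IP is not ours
    broadcast_frames = parsed = 0
    for line in lines:
        f = parse_frame(line)
        if f is None:
            continue
        parsed += 1
        if f["dmac"] == BROADCAST:
            broadcast_frames += 1
        if f["sip"] is None:            # ARP and other non-IPv4 frames
            continue
        key = (f["smac"], f["sip"])
        bytes_by_sender[key] += f["length"]
        macs_per_ip[f["sip"]].add(f["smac"])
        if not ours(f["sip"]):
            foreign_senders.add(key)
    ranked = sorted(bytes_by_sender.items(), key=lambda kv: kv[1], reverse=True)
    return {
        "frames": parsed,
        "broadcast_frames": broadcast_frames,
        "top_talkers": ranked,          # heaviest sender first
        "foreign_senders": foreign_senders,
        # An IP claimed by more than one MAC: spoofing or a man in the middle.
        "ip_mac_conflicts": {ip: macs for ip, macs in macs_per_ip.items() if len(macs) > 1},
    }


# Constructed capture: our web server (MAC ...:01, 1.2.3.4), another
# customer's host (MAC ...:aa, 1.2.3.99) that is the real bandwidth hog,
# one ARP broadcast, and a third MAC (...:bb) sending as 1.2.3.4.
SAMPLE = """\
15:19:27.000001 00:00:5e:00:53:01 > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 1514: 1.2.3.4.80 > 2.3.4.5.40001: Flags [.], seq 1:1461, ack 1, win 64240, length 1460
15:19:27.000002 00:00:5e:00:53:01 > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 1514: 1.2.3.4.80 > 2.3.4.5.40001: Flags [.], seq 1461:2921, ack 1, win 64240, length 1460
15:19:27.000003 00:00:5e:00:53:aa > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 1514: 1.2.3.99.25 > 9.8.7.6.40002: Flags [.], seq 1:1461, ack 1, win 64240, length 1460
15:19:27.000004 00:00:5e:00:53:aa > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 1514: 1.2.3.99.25 > 9.8.7.6.40002: Flags [.], seq 1461:2921, ack 1, win 64240, length 1460
15:19:27.000005 00:00:5e:00:53:aa > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 1514: 1.2.3.99.25 > 9.8.7.6.40002: Flags [.], seq 2921:4381, ack 1, win 64240, length 1460
15:19:27.000006 00:00:5e:00:53:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 1.2.3.4 tell 1.2.3.5, length 28
15:19:27.000007 00:00:5e:00:53:bb > 00:00:5e:00:53:fe, ethertype IPv4 (0x0800), length 98: 1.2.3.4 > 2.3.4.5: ICMP echo request, id 1, seq 1, length 64
"""

if __name__ == "__main__":
    report = summarize(SAMPLE.splitlines())
    print("frames parsed:", report["frames"], "broadcasts:", report["broadcast_frames"])
    for (mac, ip), nbytes in report["top_talkers"]:
        tag = "ours" if ours(ip) else "NOT OURS"
        print(f"{mac} {ip:>10} {nbytes:>6} bytes  {tag}")
    print("IPs claimed by more than one MAC:", report["ip_mac_conflicts"])
```

Run it against a real file with `summarize(open("capture.txt"))`. The ranking by source MAC rather than source IP is the point: on a hub every station's frames reach the sniffer, so "packets bound for 2.3.4.5" are expected, and the MAC tells you which station put them there even when the IP layer lies.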
