[ale] Linux Box is Garbage Spewer please help!
Michael Smith
MSmith at webtonetech.com
Wed Jun 20 15:37:59 EDT 2001
Just a thought... Are you running Samba? I have had a machine spew packets
after it became the primary domain controller at work. I had to change some
settings to appease the Lan Administrator and allow everyone to log in....
What a mess?
Mike
-----Original Message-----
From: djinn at djinnspace.com [mailto:djinn at djinnspace.com]
To: ale at ale.org
Sent: Wednesday, June 20, 2001 2:51 PM
To: Stephen J. Pellicer
Cc: ale at ale.org
Subject: RE: [ale] Linux Box is Garbage Spewer please help!
Thanks to all for the advice. Here's what I've done, if anyone can help
with next steps...
1) run strings against ls, ps, and netstat on a known good (ie, clean)
machine and the machine in question. diff of the output. no
difference...
2) run netstat both on machine in question and from floppy with known good
binary (dynamically linked tho...would like to run static binary but can't
find or seem to make one). nothing weird going on.
3) run nmap from 3 different external and internal machines to verify the
info I'm getting from netstat on machine in question. nmap looks fine, no
weird listeners.
4) removed machine in question from network, put it on hub with one other
machine in a closed environment. Ran tcpdump, poked and prodded,
everything appears normal.
5) put a machine on original network with tcpdump snarfing all packets.
6) put machine in question back on network with tcpdump -i running to
hopefully snarf all outgoing packets. closed off ports listening, am
about to restart services one at a time to see if traffic goes crazy.
(for the record, this is a beta machine listening to ports 22,80,21,and
3306 only...updated versions of all services).
So where do I go from here? This ISP is not exactly knowledgeable (I know
more about this stuff than they do, and we can all see how much I know)
and not at all helpful. I don't really know what I'm looking at with
tcpdump...anyone know of any good tutorials out there? I'm seeing a lot
of stuff bound for IP addresses that the ISP swears can't possibly affect
our segment...is this normal? In other words, if I have a range of IP
addresses, say 1.2.3.4 - 1.2.3.10, and I have allotted bandwidth for those
IP addresses, and I asked "are there any other machines on this segment
that could be affecting our outbound bandwidth utilization" and got the
answer "absolutely not", should I be seeing packets bound for 2.3.4.5? I
don't fully understand how promiscuous promiscuous mode is.
Sorry for all the questions, I'm pretty freaked right now b/c I've never
been cracked and honestly, I'm not sure I am now. Thanks for all the help
so far and TIA for any further assistance.
Jenn
--
To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message
body.
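As an added triage example (not from the thread or either poster), the tcpdump lines gathered in step 6 can be sorted by whether the poster's allotted range is the packet's source, its destination, or neither, which is the distinction behind the "should I be seeing packets bound for 2.3.4.5?" question. The sample capture lines and every address outside the 1.2.3.4 - 1.2.3.10 range are constructed.

```python
import ipaddress
import re
from collections import Counter
# Constructed tcpdump-style lines, not from the thread. 1.2.3.4 - 1.2.3.10 is the
# poster's example range; all other addresses are made up.
SAMPLE_TCPDUMP = """\
14:51:02.100001 IP 1.2.3.5.22 > 10.9.8.7.51234: Flags [P.], seq 1:1449, ack 1, win 512, length 1448
14:51:02.100777 IP 10.9.8.7.51234 > 1.2.3.5.22: Flags [.], ack 1449, win 1024, length 0
14:51:02.101200 IP 1.2.3.9.80 > 2.3.4.5.40001: Flags [P.], seq 1:1461, ack 1, win 512, length 1460
14:51:02.101900 IP 1.2.3.77.3306 > 2.3.4.5.40002: Flags [P.], seq 1:1461, ack 1, win 512, length 1460
14:51:02.102300 IP 198.51.100.20.1234 > 2.3.4.5.53: UDP, length 64
"""

# IPv4 'src.port > dst.port: ... length N'; ARP, IPv6 and truncated lines will not match.
LINE_RE = re.compile(r"^\S+ IP (\d+\.\d+\.\d+\.\d+)\.\d+ > (\d+\.\d+\.\d+\.\d+)\.\d+: .*length (\d+)$")

def our_hosts(first, last):
    """Expand an inclusive range such as 1.2.3.4 - 1.2.3.10 into a set of addresses."""
    nets = ipaddress.summarize_address_range(ipaddress.ip_address(first), ipaddress.ip_address(last))
    return {addr for net in nets for addr in net}

def classify(line, ours):
    """Return (category, src, length) for one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
    if src in ours:  # only this category consumes our allotted outbound bandwidth
        category = "internal" if dst in ours else "ours_outbound"
    elif dst in ours:
        category = "ours_inbound"
    else:  # neither end is ours: visible only because a hub plus promiscuous mode shows every frame
        category = "other_segment_host"
    return category, str(src), int(m[3])

def triage(text, first, last):
    """Packets per category, plus bytes per source for our outbound traffic and for other hosts."""
    ours = our_hosts(first, last)
    counts, ours_out, others = Counter(), Counter(), Counter()
    for line in text.splitlines():
        parsed = classify(line, ours)
        if parsed is None:
            continue
        category, src, length = parsed
        counts[category] += 1
        if category == "ours_outbound":
            ours_out[src] += length
        elif category == "other_segment_host":
            others[src] += length
    return dict(counts), dict(ours_out), dict(others)
```

On a shared hub every frame reaches every NIC, so a promiscuous-mode capture shows traffic between two hosts that are not ours at all; only the "ours_outbound" bytes count against the allotted bandwidth, and a large "other_segment_host" tally contradicts an "absolutely not" from the ISP.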