[ale] Error messages

Nick Travis lists at wormfishin.com
Wed Mar 17 22:37:10 EST 2004


I got an email from my ISP today saying that they think I have a virus on my
network. The public IP address that they saw the traffic on is a Linux
web server (running Red Hat). I checked out my /var/log/messages and this is
what I found:
Mar 15 04:02:00 web anacron[3212]: Updated timestamp for job `cron.daily' to 2004-03-15
Mar 16 04:02:01 web anacron[3732]: Updated timestamp for job `cron.daily' to 2004-03-16
Mar 16 06:09:49 web rpc.statd[362]: gethostbyname error for
^X???^X???^Y???^Y???^Z???^Z???^[???^[???bffff750 8049710 8052c1868746567
6274736f6d616e797265206520726f7220726f66

    bffff718
         bffff719  bffff71a

bffff71b~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
Mar 16 06:51:26 web kernel: linsniffer uses obsolete (PF_INET,SOCK_PACKET)
Mar 16 06:51:26 web kernel: eth0: Promiscuous mode enabled.
Mar 16 06:51:26 web kernel: device eth0 entered promiscuous mode
Mar 16 09:37:37 web kernel: neighbour table overflow
Mar 16 09:37:37 web last message repeated 9 times
Mar 16 09:38:37 web kernel: NET: 253 messages suppressed.
Mar 16 09:38:37 web kernel: neighbour table overflow
Mar 16 09:38:39 web last message repeated 9 times
Mar 16 09:38:45 web kernel: NET: 220 messages suppressed.
Mar 16 09:38:45 web kernel: neighbour table overflow
Mar 16 09:38:47 web kernel: NET: 962 messages suppressed.
Mar 16 09:38:47 web kernel: neighbour table overflow
Mar 16 09:38:52 web kernel: NET: 3353 messages suppressed.
Mar 16 09:38:52 web kernel: neighbour table overflow
Mar 16 09:38:57 web kernel: NET: 3638 messages suppressed.
Mar 16 09:38:57 web kernel: neighbour table overflow
Mar 16 09:39:02 web kernel: NET: 3482 messages suppressed.
Mar 16 09:39:02 web kernel: neighbour table overflow
Mar 16 09:39:07 web kernel: NET: 3524 messages suppressed.
Mar 16 09:39:07 web kernel: neighbour table overflow
Mar 16 09:39:12 web kernel: NET: 3526 messages suppressed.
Mar 16 09:39:12 web kernel: neighbour table overflow
Mar 16 09:39:17 web kernel: NET: 3525 messages suppressed.

I continued getting these messages every 5 seconds until 3:30 pm on the 16th,
when they suddenly stopped.  Has anyone seen this before?  According to the log
file, the last time someone logged in was the 14th, which was me, and I'm the
only one with access to the system.  My ISP gave me the following log:

Time Zone: UTC

Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count

EventRecord: 16 Mar 2004 20:01:47, 10.1.x.x, 6, 111, RPC Exploits, 3990, 1
EventRecord: 16 Mar 2004 19:59:28, 69.162.x.x, 6, 111, RPC Exploits, 4699, 1
EventRecord: 16 Mar 2004 19:57:50, 69.162.x.x, 6, 111, RPC Exploits, 4766, 1
EventRecord: 16 Mar 2004 19:26:16, 69.140.x.x, 6, 111, RPC Exploits, 4730, 1
EventRecord: 16 Mar 2004 18:05:04, 69.81.x.x, 6, 111, RPC Exploits, 3428, 1
EventRecord: 16 Mar 2004 16:53:43, 69.40.x.x, 6, 111, RPC Exploits, 3267, 1
EventRecord: 16 Mar 2004 15:19:00, 69.22.x.x, 6, 111, RPC Exploits, 3433, 1

Any thoughts would be greatly appreciated.



Nick
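The log above carries three distinct indicators that a triage script can pick out mechanically: an rpc.statd "gethostbyname error for" entry whose argument cannot be a hostname (syslog-escaped bytes, a long run of one repeated escape, and addresses just under 0xc0000000, the top of user space on 32-bit Linux), the kernel messages that name a binary opening an obsolete SOCK_PACKET socket and putting eth0 into promiscuous mode, and a sustained burst of "neighbour table overflow" that the kernel partly reports through "last message repeated N times" and "NET: N messages suppressed" lines. The script below is an added example, not from the original post or from any tool the poster used. It runs over constructed sample lines modelled on the post (not a copy of the log); the function names triage, suspicious_statd_arg and likely_compromised, the thresholds, and the reading of "~P" as byte 0x90 are mine.

```python
"""Triage a /var/log/messages extract for the indicators in the post above.
Added example, not from the original message or any tool the poster used;
SAMPLE_LOG is constructed to resemble the posted lines, not copied from them."""
import re
from collections import Counter

# sysklogd line layout: "Mon dd HH:MM:SS host rest"
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} [ \d]?\d \d\d:\d\d:\d\d) \S+ (?P<rest>.*)$")
TAG_RE = re.compile(r"^(?P<prog>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")
SUPPRESSED_RE = re.compile(r"^NET: (\d+) messages suppressed\.$")
SOCK_PACKET_RE = re.compile(r"^(\S+) uses obsolete \(PF_INET,SOCK_PACKET\)")
STATD_RE = re.compile(r"gethostbyname error for (?P<arg>.*)$")
HOSTNAME_OK = re.compile(r"^[A-Za-z0-9.-]*$")
ESCAPE_RE = re.compile(r"\^.|~.")  # syslog's rendering of unprintable bytes
STACK_ADDR_RE = re.compile(r"\bbffff[0-9a-f]{3}\b")  # just under 0xc0000000: 32-bit Linux user stack

SAMPLE_LOG = "\n".join([
    "Mar 16 04:02:01 web anacron[3732]: Updated timestamp for job `cron.daily' to 2004-03-16",
    # escaped bytes, a stack address, then 24 "~P" escapes (most likely byte 0x90, the x86
    # NOP, as the viewer rendered it; an assumption the checks below do not rely on)
    "Mar 16 06:09:49 web rpc.statd[362]: gethostbyname error for "
    "^X???^X???^Y???^Y???bffff750 8049710 " + "~P" * 24,
    "Mar 16 06:51:26 web kernel: linsniffer uses obsolete (PF_INET,SOCK_PACKET)",
    "Mar 16 06:51:26 web kernel: eth0: Promiscuous mode enabled.",
    "Mar 16 06:51:26 web kernel: device eth0 entered promiscuous mode",
    "Mar 16 09:37:37 web kernel: neighbour table overflow",
    "Mar 16 09:37:37 web last message repeated 9 times",
    "Mar 16 09:38:37 web kernel: NET: 253 messages suppressed.",
    "Mar 16 09:38:37 web kernel: neighbour table overflow",
    "Mar 16 09:38:39 web last message repeated 9 times",
    "Mar 16 10:00:00 web sshd[4000]: Accepted password for nick from 192.0.2.10 port 51000 ssh2",
])


def suspicious_statd_arg(arg):
    """True when what rpc.statd logged as a hostname cannot be one."""
    if HOSTNAME_OK.match(arg):
        return False
    escapes = len(ESCAPE_RE.findall(arg))
    # a couple of stray escapes could be a peer's broken hostname; a long run of
    # them, or any embedded user-stack address, is a delivered payload
    return escapes >= 8 or len(STACK_ADDR_RE.findall(arg)) > 0


def triage(log_text):
    """Walk the log once and collect the three indicators plus interactive logins."""
    f = {"statd_payloads": [], "sniffer": [], "promisc": [],
         "overflow_per_minute": Counter(), "logins": []}
    last_kind = None  # classification of the previous real (non-repeat) message
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, rest = m.group("ts"), m.group("rest")
        minute = ts[:-3]  # "Mar 16 09:37"
        rep = REPEAT_RE.match(rest)
        if rep:  # syslog folded repeats: credit them to the previous message
            if last_kind == "overflow":
                f["overflow_per_minute"][minute] += int(rep.group(1))
            continue
        t = TAG_RE.match(rest)
        if not t:
            continue
        prog, msg = t.group("prog"), t.group("msg")
        kind = None
        if prog == "rpc.statd":
            s = STATD_RE.search(msg)
            if s and suspicious_statd_arg(s.group("arg")):
                arg = s.group("arg")
                f["statd_payloads"].append({"ts": ts, "pid": t.group("pid"),
                                            "escapes": len(ESCAPE_RE.findall(arg)),
                                            "stack_addrs": STACK_ADDR_RE.findall(arg)})
                kind = "statd"
        elif prog == "kernel":
            sock, sup = SOCK_PACKET_RE.match(msg), SUPPRESSED_RE.match(msg)
            if sock:  # the deprecation warning conveniently names the sniffer binary
                f["sniffer"].append((ts, sock.group(1)))
                kind = "sniffer"
            elif "promiscuous mode" in msg.lower():
                f["promisc"].append((ts, msg))
                kind = "promisc"
            elif msg == "neighbour table overflow":
                f["overflow_per_minute"][minute] += 1
                kind = "overflow"
            elif sup:  # kernel rate limiting: copies of the previous message
                if last_kind == "overflow":
                    f["overflow_per_minute"][minute] += int(sup.group(1))
                continue
        elif prog == "sshd" and msg.startswith("Accepted "):
            f["logins"].append((ts, msg))
            kind = "login"
        last_kind = kind
    return f


def likely_compromised(f):
    """Exploit payload plus a sniffer going promiscuous: treat the host as owned."""
    return bool(f["statd_payloads"]) and bool(f["sniffer"] or f["promisc"])


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(found, "likely compromised:", likely_compromised(found))
```

Run it against the real file with `triage(open("/var/log/messages").read())`; the per-minute overflow counter shows how hard the box was scanning its neighbours, and the logins list is what to compare against the "last login was the 14th" observation, bearing in mind that a host whose kernel is already reporting a sniffer cannot be trusted to have kept its own logs intact.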





