From owner-freebsd-stable Sat Mar 31 6:10:44 2001
To: freebsd-stable@FreeBSD.ORG, nturki@adelphia.net
From: dirk.meyer@dinoex.sub.org (Dirk Meyer)
Organization: privat
Subject: Re: Limiting closed port RST response
Date: Sat, 31 Mar 2001 16:06:04 +0200
References: <3AC57013.7801BB31@adelphia.net>

Nader Turki wrote:

> Mar 30 18:43:03 shell /kernel: Limiting closed port RST response from
> 2014 to 200 packets per second

Somebody sends a hell of packages to your IP.
Someone spoofs an IP and might use your server to bounce the packages
against someone else.

> Mar 30 20:56:03 shell /kernel: xl0: promiscuous mode enabled
> Mar 30 20:56:42 shell /kernel: xl0: promiscuous mode disabled
> Mar 30 20:56:42 shell /kernel: xl0: promiscuous mode enabled
> Mar 30 20:57:03 shell /kernel: xl0: promiscuous mode disabled
> Mar 30 20:58:42 shell /kernel: xl0: promiscuous mode enabled
> Mar 30 20:58:42 shell /kernel: xl0: promiscuous mode disabled

Did you use tcpdump or ngrep?

> the isp is telling me that it's going out of the machine. nobody got
> root but me and even after i killed all the procs. it kept doing the
> same thing.

Please watch your network, your box could be exploited.
Take it offline and find out what it does.

Activate a packet firewall to filter this at least.
Look into /etc/rc.firewall, then activate the option that fits best.

To watch what is happening, call "init 1" and run tcpdump from your console.
Processes may be hiding, but in single-user mode you are safer
against an installed "rootkit".

kind regards Dirk
- Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany
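
Added example (not part of the original message): a small Python triage script that pulls the two kinds of kernel messages discussed in this thread out of syslog text, the closed-port RST rate limit and the promiscuous-mode toggles, and pairs each enable with its disable so the sessions can be matched against known tcpdump or ngrep runs. The sample lines are the ones quoted above; the function name `triage` and its `year` argument are assumptions of this example.

```python
import re
from datetime import datetime

# Constructed sample input: the kernel messages quoted in the thread.
SAMPLE_LOG = """\
Mar 30 18:43:03 shell /kernel: Limiting closed port RST response from 2014 to 200 packets per second
Mar 30 20:56:03 shell /kernel: xl0: promiscuous mode enabled
Mar 30 20:56:42 shell /kernel: xl0: promiscuous mode disabled
Mar 30 20:56:42 shell /kernel: xl0: promiscuous mode enabled
Mar 30 20:57:03 shell /kernel: xl0: promiscuous mode disabled
Mar 30 20:58:42 shell /kernel: xl0: promiscuous mode enabled
Mar 30 20:58:42 shell /kernel: xl0: promiscuous mode disabled
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ /kernel: (.*)$")
RST = re.compile(r"Limiting closed port RST response from (\d+) to (\d+) packets per second")
PROMISC = re.compile(r"^(\w+): promiscuous mode (enabled|disabled)$")


def triage(log_text, year=2001):
    """Return (rst_events, sniff_sessions, still_promiscuous).

    syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    rst_events = []      # (time, RSTs/s the kernel wanted to send, RSTs/s allowed)
    sessions = []        # (interface, start, end, duration in seconds)
    open_since = {}      # interface -> time promiscuous mode was switched on
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        msg = m.group(2)
        if (r := RST.search(msg)):
            rst_events.append((ts, int(r.group(1)), int(r.group(2))))
        elif (p := PROMISC.match(msg)):
            iface, state = p.groups()
            if state == "enabled":
                open_since.setdefault(iface, ts)   # keep the earliest start
            elif iface in open_since:
                start = open_since.pop(iface)
                sessions.append((iface, start, ts, int((ts - start).total_seconds())))
    return rst_events, sessions, open_since


if __name__ == "__main__":
    rst, sessions, still_on = triage(SAMPLE_LOG)
    for ts, wanted, allowed in rst:
        print(f"{ts}  RST limit hit: {wanted}/s wanted, {allowed}/s sent")
    for iface, start, end, secs in sessions:
        print(f"{iface}  promiscuous {start:%H:%M:%S} -> {end:%H:%M:%S} ({secs}s)")
    print("still promiscuous:", sorted(still_on) or "none")
```

An interface left in the third return value was switched to promiscuous mode and never switched back within the log.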