From owner-freebsd-hackers Wed May 10 15:44:02 2000
Delivered-To: freebsd-hackers@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id B87A737B5CF for ; Wed, 10 May 2000 15:43:57 -0700 (PDT) (envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost) by apollo.backplane.com (8.9.3/8.9.1) id PAA60933; Wed, 10 May 2000 15:43:44 -0700 (PDT) (envelope-from dillon)
Date: Wed, 10 May 2000 15:43:44 -0700 (PDT)
From: Matthew Dillon
Message-Id: <200005102243.PAA60933@apollo.backplane.com>
To: James Bond
Cc: freeBSD-hackers@FreeBSD.ORG
Subject: Re: icmp-response error
References: <200005102032.QAA11129@jestocost.cosc.morrisville.edu>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

:Hello hackers.
:I am getting an error message on my box's console that I don't know why I
:am getting. The log file shows:
:
:May 9 23:28:35 djoan /kernel: icmp-response bandwith limit 564/100 pps
:May 9 23:28:36 djoan /kernel: icmp-response bandwith limit 1277/100 pps
:May 9 23:28:37 djoan /kernel: icmp-response bandwith limit 1985/100 pps
:
:The console shows more of the same message but they didn't end up in the log.
:
:Is this a result of some type of attack? If it is, how can I set up my box
:to get more information like what ip it is coming from?

    Yes, your box is being attacked.  You can use tcpdump while the attack
    is in progress to dissect the packets, but these sorts of attacks tend
    to use spoofed (i.e. random) IP addresses, so being able to trace them
    could prove to be difficult.

:The only other thing that I can see that I don't understand is two connections
:in my netstat that I don't know why they are there:
:
:Active Internet connections
:Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
:tcp        0      0  djoan.telnet           136.204.177.9.1847     ESTABLISHED
:tcp        0     40  djoan.ssh              jestocost.1950         ESTABLISHED
:tcp        0      0  djoan.1180             irc.Stanford.EDU.6667  ESTABLISHED
:tcp        0      0  djoan.telnet           136.204.176.156.1030   ESTABLISHED
:tcp        0      0  djoan.1144             irc-w1.concentri.6667  ESTABLISHED
:udp        0      0  djoan.1171             snymoraa.morrisv.doma
:
:I don't know why the two irc servers are connected, or what the ports are
:for. None of my other boxes show anything unusual.
:
:When it comes to ip I am still learning how to protect myself. Any information
:will be appreciated, as well as pointers to web pages or man pages of course.
:
:Thank you for any help.
:
:James.

    There are two processes on your system that are connecting to two
    different IRC servers.  You should be able to locate the processes
    with 'ps axl'.  If they are hidden (masquerading as some other typical
    process name), you can track them down with 'netstat -taA' to get the
    protocol address of the socket and then fstat to figure out which
    process owns the socket.  This can get rather sophisticated, so you
    should stick to a straight 'ps axl' if you can.

    If these irc processes are not supposed to be there, your system may
    have been hacked.

					-Matt
					Matthew Dillon

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
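The two checks in this exchange, reading the icmp-response rate-limit lines out of the kernel log and picking the unexplained IRC sessions out of netstat output, as an added Python example (not code from the thread, from Matt, or from FreeBSD). It parses captured text only: the log and netstat samples are constructed to match the formats James posted, the port watch-list and the `irc` hostname heuristic are the example's own assumptions, and the follow-up lookup of the owning process is still the `netstat -taA` plus fstat step Matt describes (current FreeBSD also has sockstat(1), which prints the owning process directly).

```python
"""Triage helper for the two symptoms in the mail: a burst of
icmp-response rate-limit messages and unexplained connections in netstat
output.  Added example, not part of the original thread.  It only parses
captured text; it does not run netstat or read /var/log/messages."""
import re
from collections import namedtuple

# Matches the 4.x-era kernel message quoted in the mail (note the kernel's
# own spelling "bandwith"; the optional 'd' also accepts "bandwidth").
ICMP_LIMIT_RE = re.compile(
    r"/kernel: icmp-response bandwi(?:d)?th limit (\d+)/(\d+) pps")

# Constructed log lines, modelled on the ones James posted, plus one
# unrelated line to show that it is ignored.
SAMPLE_LOG = """\
May  9 23:28:35 djoan /kernel: icmp-response bandwith limit 564/100 pps
May  9 23:28:36 djoan /kernel: icmp-response bandwith limit 1277/100 pps
May  9 23:28:37 djoan /kernel: icmp-response bandwith limit 1985/100 pps
May  9 23:28:40 djoan sshd[123]: Accepted password for james from 10.0.0.5
"""

# Constructed netstat output in the layout of James's paste.
SAMPLE_NETSTAT = """\
Active Internet connections
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  djoan.telnet           136.204.177.9.1847     ESTABLISHED
tcp        0     40  djoan.ssh              jestocost.1950         ESTABLISHED
tcp        0      0  djoan.1180             irc.Stanford.EDU.6667  ESTABLISHED
tcp        0      0  djoan.telnet           136.204.176.156.1030   ESTABLISHED
tcp        0      0  djoan.1144             irc-w1.concentri.6667  ESTABLISHED
udp        0      0  djoan.1171             snymoraa.morrisv.doma
"""

Conn = namedtuple(
    "Conn", "proto local_host local_port foreign_host foreign_port state")

# Assumed watch-list for this example: ports a server that is not an IRC
# client has no business holding sessions on.
WATCH_PORTS = {"6667", "ircd", "6666", "6668", "6669", "7000"}


def icmp_limit_events(log_text):
    """Return (attempted_pps, cap_pps) for every rate-limit line.

    attempted_pps is how many ICMP error replies the kernel wanted to send
    that second; the cap is the sysctl limit.  A value far above the cap
    means a flood of inbound packets that each provoke an ICMP error."""
    return [(int(m.group(1)), int(m.group(2)))
            for m in ICMP_LIMIT_RE.finditer(log_text)]


def peak_icmp_rate(log_text):
    """Highest attempted reply rate seen, 0 if no rate-limit lines."""
    return max((attempted for attempted, _ in icmp_limit_events(log_text)),
               default=0)


def split_endpoint(endpoint):
    """netstat joins host and port/service with the last '.'; split there."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_netstat(text):
    """Turn the connection rows of 'netstat' output into Conn tuples.

    Header lines are skipped; UDP rows have no (state) column, so state
    is left empty for them instead of raising."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in (
                "tcp", "udp", "tcp4", "tcp6", "udp4", "udp6"):
            continue
        local_host, local_port = split_endpoint(fields[3])
        foreign_host, foreign_port = split_endpoint(fields[4])
        state = fields[5] if len(fields) > 5 else ""
        conns.append(Conn(fields[0], local_host, local_port,
                          foreign_host, foreign_port, state))
    return conns


def suspicious_connections(text, watch_ports=WATCH_PORTS):
    """Connections whose far end is a watched port or an irc* hostname.

    The hostname test is a heuristic (assumed for this example); netstat
    truncates long names, so match on the prefix only.  Each hit's local
    port is what to feed to 'netstat -taA' / fstat to find the owner."""
    return [c for c in parse_netstat(text)
            if c.foreign_port in watch_ports
            or c.foreign_host.lower().startswith("irc")]


if __name__ == "__main__":
    print("peak icmp-response rate:", peak_icmp_rate(SAMPLE_LOG), "pps")
    for c in suspicious_connections(SAMPLE_NETSTAT):
        print("check owner of local port", c.local_port, "->",
              c.foreign_host, c.foreign_port, c.state)
```

Run as-is it reports the 1985 pps peak and the two IRC sessions on local ports 1180 and 1144; on a live box, replace the samples with the saved output of `netstat` and the kernel log, then follow Matt's `netstat -taA` and fstat step for each flagged local port.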