Date:      Wed, 10 May 2000 20:27:43 -0400 (EDT)
From:      Brian Dean <bsd@bsdhome.com>
To:        James Bond <mrbond@jestocost.cosc.morrisville.edu>
Cc:        freeBSD-hackers@FreeBSD.ORG
Subject:   Re: icmp-response error
Message-ID:  <Pine.BSF.4.21.0005102016400.32334-100000@vger.bsdhome.com>
In-Reply-To: <200005102032.QAA11129@jestocost.cosc.morrisville.edu>

On Wed, 10 May 2000, James Bond wrote:

> Hello hackers.
> I am getting an error message on my box's console that I don't know why I
> am getting. The log file shows:
> 
> May  9 23:28:35 djoan /kernel: icmp-response bandwith limit 564/100 pps
> May  9 23:28:36 djoan /kernel: icmp-response bandwith limit 1277/100 pps
> May  9 23:28:37 djoan /kernel: icmp-response bandwith limit 1985/100 pps
> 
> The console shows more of the same message but they didn't end up in the log.
> 
> Is this a result of some type of attack? If it is, how can I set up my box
> to get more information like what ip it is coming from?

I get this when I port scan my own machine, so I presume this could be
happening to you as well.  This is most likely someone trying to
determine your machine's weakness, which may or may not be followed by
an assault.  You may want to install the portsentry port (see
/usr/ports/security/portsentry).  I don't use it myself, but I've
heard others mention it.

You may want to consider setting up a firewall, which will block all
but the services you explicitly allow, and you can set it up to log
all attempted accesses.  I get a handful of pokes and prods on my
machine every day, but the only time I've been portscanned is when
I've initiated it myself.

> the only other thing that I can see that I don't understand is two
> connections in my netstat that I don't know why they are there:
>
> Active Internet connections
> Proto Recv-Q Send-Q Local Address         Foreign Address       (state)
> tcp        0      0 djoan.telnet          136.204.177.9.1847    ESTABLISHED
> tcp        0     40 djoan.ssh             jestocost.1950        ESTABLISHED
> tcp        0      0 djoan.1180            irc.Stanford.EDU.6667 ESTABLISHED
> tcp        0      0 djoan.telnet          136.204.176.156.1030  ESTABLISHED
> tcp        0      0 djoan.1144            irc-w1.concentri.6667 ESTABLISHED
> udp        0      0 djoan.1171            snymoraa.morrisv.doma 
> Active UNIX domain sockets
> Address  Type   Recv-Q Send-Q    Inode     Conn     Refs  Nextref Addr
> c4c07f40 stream      0      0 c4bfa280        0        0        0 /var/run/printer
> c4c07ec0 dgram       0      0        0 c4bfdfc0        0 c4c07e40
> c4c07e40 dgram       0      0        0 c4bfdfc0        0 c4c07f00
> c4c07f00 dgram       0      0        0 c4bfdfc0        0 c4c07f80
> c4c07f80 dgram       0      0        0 c4bfdfc0        0 c4c07fc0
> c4c07fc0 dgram       0      0        0 c4bfdfc0        0        0
> c4bfdfc0 dgram    4068      0 c4bfcbc0        0 c4c07ec0        0 /var/run/log
> 
> I don't know why the two irc servers are connected, or what the ports are
> for. None of my other boxes show anything unusual.
> 
> When it comes to ip I am still learning how to protect myself. Any
> information will be appreciated, as well as pointers to web pages or
> man pages of course.

A while back, I wrote a simplistic, but effective script to print out
information about who has a particular port open.  Try running the
following program with the argument '1180' or '1144' (for your above
sample output - the port numbers you are interested in).  It should
print out information about the process that has those ports open.
I've found this handy; maybe you will too.

------------------------------------------------------------
#!/bin/ksh
#
# Print the process(es) that have a given TCP/UDP port open.
# 'netstat -A' shows the kernel PCB address of each socket; the same
# address appears in 'fstat' output for the process holding that socket,
# so matching the two maps a port number to a pid.

port=$1

netstat=/usr/bin/netstat
grep=/usr/bin/grep
head=/usr/bin/head
ps=/bin/ps
cut=/usr/bin/cut
echo=/bin/echo
tr=/usr/bin/tr
fstat=/usr/bin/fstat

if [ -z "$port" ]; then
  $echo "usage: $0 port" >&2
  exit 1
fi

# netstat separates host and port with a '.', so anchor the match on that
# separator (and on the following blank or end of line) rather than grepping
# the bare number, which would also match e.g. 1180 when asked for 118.
addr=`$netstat -a -A -f inet | $grep -e "\.$port " -e "\.$port\$" | $head -1 | $cut -f1 -d' '`

# Without this guard an empty $addr would make grep match every process.
if [ -z "$addr" ]; then
  $echo "no socket found for port $port" >&2
  exit 1
fi

# Walk every pid (column 2 of 'ps aux', header skipped) and look for the
# PCB address among that process's open descriptors.
$ps aux | $tr -s ' ' | $cut -f2 -d' ' | $grep -v PID | \
  while read pid; do
    if $fstat -p "$pid" | $grep -q "$addr"; then
      $echo
      $echo "Process $pid:"
      $echo
      $ps -auxp "$pid"
      $echo
      $netstat -a -A -f inet | $grep -e "\.$port " -e "\.$port\$"
      $echo
      $fstat -p "$pid"
      $echo
    fi
  done
------------------------------------------------------------

Good Luck!

-Brian
-- 
Brian Dean
bsd@FreeBSD.ORG

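The port-to-process lookup that the script above performs, rendered as a standalone Python example added here for illustration (it is not Brian's script or FreeBSD code): it reads the PCB address column that `netstat -A` prints and looks for that address in per-process `fstat` output. The netstat and fstat samples below are constructed, and their exact column layout is an assumption; the parser only relies on whitespace-separated fields.

```python
import re

# Constructed sample modelled on FreeBSD 'netstat -a -A -f inet' output;
# the first column (PCB address) is what -A adds. Layout is an assumption.
NETSTAT_SAMPLE = """\
Active Internet connections (including servers)
Tcpcb    Proto Recv-Q Send-Q  Local Address     Foreign Address        (state)
c4bf8a00 tcp        0      0  djoan.1180        irc.Stanford.EDU.6667  ESTABLISHED
c4bf8b40 tcp        0      0  djoan.1144        irc-w1.concentri.6667  ESTABLISHED
c4bf8c80 tcp        0     40  djoan.ssh         jestocost.1950         ESTABLISHED
c4bf8dc0 udp        0      0  djoan.1171        snymoraa.morrisv.doma
"""

# Constructed 'fstat -p <pid>' output for two hypothetical processes,
# keyed by pid. Socket lines carry the PCB address as their last token.
FSTAT_SAMPLE = {
    1234: "USER  CMD  PID  FD MOUNT  INUM MODE  SZ|DV R/W\n"
          "jbond irc  1234  3* internet stream tcp c4bf8a00\n",
    1300: "USER  CMD  PID  FD MOUNT  INUM MODE  SZ|DV R/W\n"
          "jbond sshd 1300  4* internet stream tcp c4bf8c80\n",
}

def pcb_addrs_for_port(netstat_output, port):
    """Return the set of PCB addresses whose local or foreign port is `port`."""
    addrs = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # header and title lines do not start with an 8-digit hex address
        if len(fields) < 6 or not re.fullmatch(r"[0-9a-f]{8}", fields[0]):
            continue
        local, foreign = fields[4], fields[5]
        # host and port are separated by '.'; compare the port exactly so
        # 118 does not also match 1180 or a digit run inside a host name
        if str(port) in (local.rsplit(".", 1)[-1], foreign.rsplit(".", 1)[-1]):
            addrs.add(fields[0])
    return addrs

def pids_holding(fstat_by_pid, addrs):
    """Return sorted pids whose fstat listing references any address in `addrs`."""
    if not addrs:
        return []  # guard: an empty pattern would otherwise match every process
    return sorted(pid for pid, text in fstat_by_pid.items()
                  if set(text.split()) & addrs)

def processes_for_port(netstat_output, fstat_by_pid, port):
    """Map a port number to the pids that hold a socket on it."""
    return pids_holding(fstat_by_pid, pcb_addrs_for_port(netstat_output, port))
```

On a live FreeBSD box the two sample strings would be replaced by the captured output of `netstat -a -A -f inet` and of `fstat -p` for each pid from `ps`.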