something is using my modem

Postby Bulkley » 2006-02-24 03:44

My ADSL modem is going active when I'm not doing anything. GKRellm indicates disc and eth0 activity; lots of it. This is when it should be idle. So, what do I look for?

The machine runs Debian Linux (upgraded from Libranet 2.0). There is no other OS on it. I have Firestarter running. There is an anti-rootkit tool. I have Tripwire but don't really know what to do with it. I've looked in Syslog, but can't tell anything useful.

How do I tell what's happening? If I have been invaded, how do I tell? What do I do next?
Bulkley
 
Posts: 5831
Joined: 2006-02-11 18:35

Postby lacek » 2006-02-24 09:58

Install ethereal, and sniff your network traffic when you think you don't do anything. Then you'll see what your system tries to communicate and where.
If you can't understand the output of ethereal, just ask here.
lacek
Moderator Team Member
 
Posts: 769
Joined: 2004-03-11 18:49
Location: Budapest, Hungary

Postby Bulkley » 2006-02-24 16:36

Thanks. Ok, Ethereal prints out a pile of these:

34.246796 210.65.231.206 -> Broadcast ARP Who has 216.86.126.220? Tell 210.65.231.206


They all tell 210.65.231.206. What's happening?
Bulkley
 
Posts: 5831
Joined: 2006-02-11 18:35

Postby lacek » 2006-02-24 16:44

It means that the computer which has the IP of 210.65.231.206 wants to communicate with 216.86.126.220, but it doesn't know its MAC address. Every communication through ethernet networks goes by MAC address. So, if a computer wants to know where to send a TCP frame, it needs the MAC address of the recipient. If it doesn't know, it sends a broadcast request such as the one you mentioned, and waits for an answer.

It seems as if 210.65.231.206 wanted to send something to 216.86.126.220, but this host does not exist, or is offline, or something like this.
lacek
Moderator Team Member
 
Posts: 769
Joined: 2004-03-11 18:49
Location: Budapest, Hungary
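One way to make sense of a pile of those lines, as an added example that is not part of the thread: a small Python script that parses Ethereal summary lines, groups the ARP "Who has" requests by the host in the Tell field, and flags any host that keeps asking about many different addresses. The sample capture, the RFC 5737 addresses in it, and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Ethereal/Wireshark summary line for an ARP request, in the shape quoted above:
#   <time> <source> -> Broadcast ARP Who has <target IP>? Tell <sender IP>
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ARP_REQUEST = re.compile(
    r"^\s*(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+Broadcast\s+ARP\s+"
    r"Who has (?P<target>" + IPV4 + r")\?\s+Tell (?P<sender>" + IPV4 + r")\s*$"
)

# Constructed sample capture (assumption, not from the original post). The
# 192.0.2.x addresses are RFC 5737 documentation addresses; the last two lines
# are an ARP reply and a CDP frame, which the parser must ignore.
SAMPLE_CAPTURE = """\
34.246796 210.65.231.206 -> Broadcast ARP Who has 216.86.126.220? Tell 210.65.231.206
34.901133 210.65.231.206 -> Broadcast ARP Who has 216.86.126.221? Tell 210.65.231.206
35.512004 210.65.231.206 -> Broadcast ARP Who has 216.86.126.222? Tell 210.65.231.206
36.002311 192.0.2.10 -> Broadcast ARP Who has 192.0.2.1? Tell 192.0.2.10
36.104420 192.0.2.1 -> 192.0.2.10 ARP 192.0.2.1 is at 00:11:22:33:44:55
30.788017 Cisco_42:ed:9f -> CDP/VTP CDP Cisco Discovery Protocol
"""


def parse_arp_requests(text):
    """Return (sender, target) for every ARP who-has line; other lines are skipped."""
    requests = []
    for line in text.splitlines():
        m = ARP_REQUEST.match(line)
        if m:
            requests.append((m.group("sender"), m.group("target")))
    return requests


def targets_by_sender(text):
    """Map each asking host (the Tell field) to the set of addresses it asked for."""
    by_sender = defaultdict(set)
    for sender, target in parse_arp_requests(text):
        by_sender[sender].add(target)
    return dict(by_sender)


def noisy_senders(text, min_targets=3):
    """Hosts asking about at least min_targets distinct addresses: a normal host
    resolves a handful of neighbours, a sweep asks for many in a row."""
    return sorted(s for s, t in targets_by_sender(text).items() if len(t) >= min_targets)


if __name__ == "__main__":
    for sender, targets in targets_by_sender(SAMPLE_CAPTURE).items():
        print(f"{sender} asked for {len(targets)} address(es)")
    print("noisy:", noisy_senders(SAMPLE_CAPTURE))
```

Feed it a real capture by replacing SAMPLE_CAPTURE with the saved Ethereal summary; a sender that shows up as noisy is the one to look at in the whois and firewall logs.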

Postby Bulkley » 2006-02-24 17:01

Is this hostile? Is someone trying, or succeeding, to invade my system? This started recently and there's an awful lot of it. How do I stop it?

Also, there are lines with:

30.788017 Cisco_42:ed:9f -> CDP/VTP CDP Cisco Discovery Protocol


What's that?
Bulkley
 
Posts: 5831
Joined: 2006-02-11 18:35

Postby Bulkley » 2006-02-24 19:53

I did a whois on that IP and got:

$ whois 210.65.231.206
Precious Technology Ltd.
11F, No. 263, Sec. 4, Hsin Yi Rd,
Taipei
TW

Netname: PATELE-NET
Netblock: 210.65.231.128/25

Administrator contact:
Sam Chen (SC8-TW) sam1215@tpts8.seed.net.tw
+886-2-2754-1700

Technical contact:
AL Kuo (AK14-TW) kuo@patele.com
+886-2-2754-1700


What?
Bulkley
 
Posts: 5831
Joined: 2006-02-11 18:35
