something is using my modem

Bulkley
Posts: 6383
Joined: 2006-02-11 18:35

#1 Post by Bulkley »

My ADSL modem is going active when I'm not doing anything. GKRellm indicates disc and eth0 activity; lots of it. This is when it should be idle. So, what do I look for?

The machine runs Debian Linux (upgraded from Libranet 2.0). There is no other OS on it. I have Firestarter running. There is an anti-rootkit tool. I have Tripwire but don't really know what to do with it. I've looked in Syslog, but can't tell anything useful.

How do I tell what's happening? If I have been invaded, how do I tell? What do I do next?

lacek
Posts: 764
Joined: 2004-03-11 18:49
Location: Budapest, Hungary

#2 Post by lacek »

Install ethereal, and sniff your network traffic when you think you don't do anything. Then you'll see what your system tries to communicate and where.
If you can't understand the output of ethereal, just ask here.

Bulkley
Posts: 6383
Joined: 2006-02-11 18:35

#3 Post by Bulkley »

Thanks. OK, Ethereal prints out a pile of these:
34.246796 210.65.231.206 -> Broadcast ARP Who has 216.86.126.220? Tell 210.65.231.206
They all tell 210.65.231.206. What's happening?

lacek
Posts: 764
Joined: 2004-03-11 18:49
Location: Budapest, Hungary

#4 Post by lacek »

It means that the computer which has the IP of 210.65.231.206 wants to communicate with 216.86.126.220, but it doesn't know its MAC address. Every communication through Ethernet networks goes by MAC address. So, if a computer wants to know where to send a TCP frame, it needs the MAC address of the recipient. If it doesn't know, it sends a broadcast request such as the one you mentioned, and waits for an answer.

It seems as if 210.65.231.206 wanted to send something to 216.86.126.220, but this host does not exist, or is offline, or something like this.
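
An added example, not part of any post in this thread: the script below reads the one-line ARP summaries Ethereal prints (the format quoted in #3) and applies the reasoning from #4 mechanically. It pairs "Who has X? Tell Y" requests with "X is at MAC" replies, so a target that is asked for but never answers is the "does not exist, or is offline" case, and it flags any sender that asks for many different targets, which is how an address sweep or a misconfigured upstream host looks in a capture. The capture lines are constructed for the example (the thread's 210.65.231.206 requester plus a made-up local exchange on 192.168.1.x); the threshold of 3 distinct targets is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample capture in the Ethereal/tshark one-line summary style.
# These lines are made up for the example; only the first matches the thread.
SAMPLE_LINES = """\
34.246796 210.65.231.206 -> Broadcast ARP Who has 216.86.126.220? Tell 210.65.231.206
34.247102 210.65.231.206 -> Broadcast ARP Who has 216.86.126.221? Tell 210.65.231.206
34.248377 210.65.231.206 -> Broadcast ARP Who has 216.86.126.222? Tell 210.65.231.206
35.001200 192.168.1.10 -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.10
35.001950 192.168.1.1 -> 192.168.1.10 ARP 192.168.1.1 is at 00:11:22:33:44:55
36.102000 210.65.231.206 -> Broadcast ARP Who has 216.86.126.223? Tell 210.65.231.206
"""

# "Who has <target>? Tell <requester>" is an ARP request broadcast to everyone.
REQUEST_RE = re.compile(r"ARP Who has (\S+)\? Tell (\S+)")
# "<ip> is at <mac>" is the unicast ARP reply that resolves the address.
REPLY_RE = re.compile(r"ARP (\S+) is at ([0-9a-fA-F:]{17})")


def parse_arp(text):
    """Return (requests, replies).

    requests: list of (requester_ip, target_ip) in capture order.
    replies:  dict mapping resolved target_ip -> MAC (lower-cased).
    """
    requests = []
    replies = {}
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            requests.append((m.group(2), m.group(1)))
            continue
        m = REPLY_RE.search(line)
        if m:
            replies[m.group(1)] = m.group(2).lower()
    return requests, replies


def summarize(text, threshold=3):
    """Aggregate ARP traffic the way a human would read the Ethereal output.

    threshold (assumed value) is the number of distinct targets one sender
    must ask for before it is reported as 'noisy'.
    """
    requests, replies = parse_arp(text)

    per_sender = defaultdict(set)
    for sender, target in requests:
        per_sender[sender].add(target)

    # A target that was requested but never replied is the #4 case:
    # the host is absent, down, or not on this segment at all.
    unanswered = sorted({t for _, t in requests if t not in replies})

    # One sender walking through many targets looks like a sweep or a
    # misconfigured host; on a shared ADSL segment it is often just a neighbour.
    noisy = sorted(s for s, targets in per_sender.items() if len(targets) >= threshold)

    return {
        "requests": len(requests),
        "unanswered_targets": unanswered,
        "noisy_senders": noisy,
        "resolved": replies,
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

To use it on a real capture, save Ethereal's packet list as plain text (or run `tshark -i eth0 arp` and redirect the output) and pass the file contents to `summarize`. Note what the result does and does not tell you: a foreign address broadcasting ARP requests on an ADSL segment means that host is on the same layer-2 segment as your modem, which is normal for many providers; it only becomes interesting if the requests are for your own address, or if your machine is the one originating traffic while idle, which is the original question and is better answered by looking at which local process owns the connections (for example with `netstat -p` as root).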

Bulkley
Posts: 6383
Joined: 2006-02-11 18:35

#5 Post by Bulkley »

Is this hostile? Is someone trying, or succeeding, to invade my system? This started recently and there's an awful lot of it. How do I stop it?

Also, there are lines with:
30.788017 Cisco_42:ed:9f -> CDP/VTP CDP Cisco Discovery Protocol
What's that?

Bulkley
Posts: 6383
Joined: 2006-02-11 18:35

#6 Post by Bulkley »

I did a whois on that IP and got:
$ whois 210.65.231.206
Precious Technology Ltd.
11F, No. 263, Sec. 4, Hsin Yi Rd,
Taipei
TW

Netname: PATELE-NET
Netblock: 210.65.231.128/25

Administrator contact:
Sam Chen (SC8-TW) sam1215@tpts8.seed.net.tw
+886-2-2754-1700

Technical contact:
AL Kuo (AK14-TW) kuo@patele.com
+886-2-2754-1700
What?
