[plug] detecting internet attacks on a Fedora box

dbuddrige at wasp.net.au dbuddrige at wasp.net.au
Tue Nov 21 20:30:18 WST 2006


Hi all,

I've been on broadband for a couple of months, with my stock 
fedora-core-4 machine.  At first I used to turn off the machine after 
each night, but of late, I've just left it running.

Is there any way to detect whether there are any internet attacks going 
on against my machine?  How would I even know that someone had 
attempted to compromise my machine?  I've not really much of a clue on 
this particular subject.

I ran Ethereal overnight on my ppp0 connection, with my email client 
exited, and my web-browser exited [I'm using a CDMA modem which uses 
the mobile-phone network to connect], and it did log some internet 
traffic, a sample is given below [the full dump is about 41,000 lines 
long], but I don't know whether it is innocent or not.

Can anyone shed any light on this, or can suggest a tool that will tell 
me easily whether someone is attempting to attack my machine, or has 
even compromised it?

thanks

David.


No.     Time        Source                Destination           Protocol Info
      1 0.000000    CPE-60-230-38-88.vic.bigpond.net.au 
CPE-60-230-2-86.vic.bigpond.net.au TCP      3678 > microsoft-ds [SYN] 
Seq=0 Ack=0 Win=53760 Len=0 MSS=1320 WS=3 TSV=0 TSER=0

Frame 1 (80 bytes on wire, 80 bytes captured)
    Arrival Time: Nov 20, 2006 23:18:33.371696000
    Time delta from previous packet: 0.000000000 seconds
    Time since reference or first frame: 0.000000000 seconds
    Frame Number: 1
    Packet Length: 80 bytes
    Capture Length: 80 bytes
    Protocols in frame: sll:ip:tcp
Linux cooked capture
    Packet type: Unicast to us (0)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: CPE-60-230-38-88.vic.bigpond.net.au 
(60.230.38.88), Dst Addr: CPE-60-230-2-86.vic.bigpond.net.au 
(60.230.2.86)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 64
    Identification: 0xc524 (50468)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 45
    Protocol: TCP (0x06)
    Header checksum: 0xe619 (correct)
    Source: CPE-60-230-38-88.vic.bigpond.net.au (60.230.38.88)
    Destination: CPE-60-230-2-86.vic.bigpond.net.au (60.230.2.86)
Transmission Control Protocol, Src Port: 3678 (3678), Dst Port: 
microsoft-ds (445), Seq: 0, Ack: 0, Len: 0
    Source port: 3678 (3678)
    Destination port: microsoft-ds (445)
    Sequence number: 0    (relative sequence number)
    Header length: 44 bytes
    Flags: 0x0002 (SYN)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...0 .... = Acknowledgment: Not set
        .... 0... = Push: Not set
        .... .0.. = Reset: Not set
        .... ..1. = Syn: Set
        .... ...0 = Fin: Not set
    Window size: 53760
    Checksum: 0x754c (correct)
    Options: (24 bytes)
        Maximum segment size: 1320 bytes
        NOP
        Window scale: 3 (multiply by 8)
        NOP
        NOP
        Time stamp: tsval 0, tsecr 0
        NOP
        NOP
        SACK permitted

No.     Time        Source                Destination           Protocol Info
      2 0.000301    CPE-60-230-2-86.vic.bigpond.net.au 
CPE-60-230-38-88.vic.bigpond.net.au ICMP     Destination unreachable 
(Host administratively prohibited)

Frame 2 (108 bytes on wire, 108 bytes captured)
    Arrival Time: Nov 20, 2006 23:18:33.371997000
    Time delta from previous packet: 0.000301000 seconds
    Time since reference or first frame: 0.000301000 seconds
    Frame Number: 2
    Packet Length: 108 bytes
    Capture Length: 108 bytes
    Protocols in frame: sll:ip:icmp:ip:tcp
Linux cooked capture
    Packet type: Sent by us (4)
    Link-layer address type: 512
    Link-layer address length: 0
    Source: <MISSING>
    Protocol: IP (0x0800)
Internet Protocol, Src Addr: CPE-60-230-2-86.vic.bigpond.net.au 
(60.230.2.86), Dst Addr: CPE-60-230-38-88.vic.bigpond.net.au 
(60.230.38.88)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0xc0 (DSCP 0x30: Class Selector 6; 
ECN: 0x00)
        1100 00.. = Differentiated Services Codepoint: Class Selector 6 (0x30)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 92
    Identification: 0x1748 (5960)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: ICMP (0x01)
    Header checksum: 0xc01f (correct)
    Source: CPE-60-230-2-86.vic.bigpond.net.au (60.230.2.86)
    Destination: CPE-60-230-38-88.vic.bigpond.net.au (60.230.38.88)
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 10 (Host administratively prohibited)
    Checksum: 0x9fa2 (correct)
    Internet Protocol, Src Addr: CPE-60-230-38-88.vic.bigpond.net.au 
(60.230.38.88), Dst Addr: CPE-60-230-2-86.vic.bigpond.net.au 
(60.230.2.86)
        Version: 4
        Header length: 20 bytes
        Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
            0000 00.. = Differentiated Services Codepoint: Default (0x00)
            .... ..0. = ECN-Capable Transport (ECT): 0
            .... ...0 = ECN-CE: 0
        Total Length: 64
        Identification: 0xc524 (50468)
        Flags: 0x04 (Don't Fragment)
            0... = Reserved bit: Not set
            .1.. = Don't fragment: Set
            ..0. = More fragments: Not set
        Fragment offset: 0
        Time to live: 45
        Protocol: TCP (0x06)
        Header checksum: 0xe619 (correct)
        Source: CPE-60-230-38-88.vic.bigpond.net.au (60.230.38.88)
        Destination: CPE-60-230-2-86.vic.bigpond.net.au (60.230.2.86)
    Transmission Control Protocol, Src Port: 3678 (3678), Dst Port: 
microsoft-ds (445), Seq: 3459739248, Ack: 0
        Source port: 3678 (3678)
        Destination port: microsoft-ds (445)
        Sequence number: 3459739248    (relative sequence number)
        Header length: 44 bytes
        Flags: 0x0002 (SYN)
            0... .... = Congestion Window Reduced (CWR): Not set
            .0.. .... = ECN-Echo: Not set
            ..0. .... = Urgent: Not set
            ...0 .... = Acknowledgment: Not set
            .... 0... = Push: Not set
            .... .0.. = Reset: Not set
            .... ..1. = Syn: Set
            .... ...0 = Fin: Not set
        Window size: 53760
        Checksum: 0x754c (correct)
        Options: (24 bytes)
            Maximum segment size: 1320 bytes
            NOP
            Window scale: 3 (multiply by 8)
            NOP
            NOP
            Time stamp: tsval 0, tsecr 0
            NOP
            NOP
            SACK permitted



----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
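As an added example (not code from the post or from the list), here is a small Python triage script over Ethereal-style summary lines: it pairs each inbound SYN with whatever the box sent back, so that frame 2's "Host administratively prohibited" reads as the firewall rejecting frame 1's probe of port 445 rather than as a sign of compromise. Frames 1 and 2 are the ones from the post; frames 3 to 6 and the host name scanner.example.net are constructed.

```python
import re
from collections import Counter, defaultdict

OUR_HOST = "CPE-60-230-2-86.vic.bigpond.net.au"   # the Fedora box in the post

# Summary lines in the "No. Time Source Destination Protocol Info" layout.
# Frames 1-2 come from the post; 3-6 are constructed for illustration.
SAMPLE = """\
1 0.000000 CPE-60-230-38-88.vic.bigpond.net.au CPE-60-230-2-86.vic.bigpond.net.au TCP 3678 > microsoft-ds [SYN] Seq=0 Ack=0 Win=53760 Len=0 MSS=1320
2 0.000301 CPE-60-230-2-86.vic.bigpond.net.au CPE-60-230-38-88.vic.bigpond.net.au ICMP Destination unreachable (Host administratively prohibited)
3 12.500000 scanner.example.net CPE-60-230-2-86.vic.bigpond.net.au TCP 4101 > microsoft-ds [SYN] Seq=0 Ack=0 Win=65535 Len=0
4 12.500300 CPE-60-230-2-86.vic.bigpond.net.au scanner.example.net ICMP Destination unreachable (Host administratively prohibited)
5 40.200000 scanner.example.net CPE-60-230-2-86.vic.bigpond.net.au TCP 4102 > ssh [SYN] Seq=0 Ack=0 Win=65535 Len=0
6 40.200400 CPE-60-230-2-86.vic.bigpond.net.au scanner.example.net TCP ssh > 4102 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+([\d.]+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
SYN_RE = re.compile(r"^(\S+) > (\S+) \[SYN\]")   # a bare SYN, not SYN/ACK


def triage(capture_text, our_host=OUR_HOST):
    """Return (source, dst_port, status) per inbound SYN; status is
    'rejected' (ICMP unreachable: the firewall refused it), 'answered'
    (SYN/ACK: a service really is listening) or 'unanswered' (dropped)."""
    pending = defaultdict(list)   # peer host -> indices of unresolved SYNs
    results = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, _, src, dst, proto, info = m.groups()
        if dst == our_host and proto == "TCP":
            s = SYN_RE.match(info)
            if s:
                results.append([src, s.group(2), "unanswered"])
                pending[src].append(len(results) - 1)
        elif src == our_host and dst in pending and pending[dst]:
            # The summary line carries no port for ICMP, so attribute the
            # reply to the oldest unresolved SYN from that peer.
            if proto == "ICMP" and info.startswith("Destination unreachable"):
                results[pending[dst].pop(0)][2] = "rejected"
            elif proto == "TCP" and "[SYN, ACK]" in info:
                results[pending[dst].pop(0)][2] = "answered"
    return [tuple(r) for r in results]


def summarize(results):
    """Count (port, status) pairs: 'answered' rows are the ones to review."""
    return Counter((port, status) for _, port, status in results)
```

Anything in the "answered" bucket is a service actually reachable from the Internet and worth checking against what you meant to expose; "rejected" rows are the firewall doing its job.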