# Am I Under an Attack??



## gary4gar (Oct 3, 2007)

I think my machine is compromised, I have two reasons for it:

my broadband speed has dipped to around 512kbps whereas it was around 1750kbps
there is always some activity, I mean my modem lights always keep blinking
furthermore my Azureus slows down terribly to around 1kBps & even 500Bps, halts to *0 in yellow color*

I did netstat, that's what I got


```
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        1      1 Digital-den.local:47031 72.5.124.61:www         LAST_ACK
tcp        1      1 Digital-den.local:47030 72.5.124.61:www         LAST_ACK
...
```




Further I searched Google for the LAST_ACK state & it is associated with a DoS attack.

I want to confirm?


----------



## zyberboy (Oct 3, 2007)

First use Firefox to browse the net, enable the option: clear cookies when I exit Firefox.
Install a firewall like "Look n Stop", it's not free but you can use it for 30 days; the firewall will block unwanted traffic due to any spyware.


----------



## mehulved (Oct 3, 2007)

Was this log taken when Azureus was running or just after shutting down Azureus?


----------



## praka123 (Oct 3, 2007)

www.uwsg.indiana.edu/hypermail/linux/kernel/0004.1/0105.html
It is DoS.
It builds up a lot of connections, hence slowing down.
Change your open port for Azureus to some other.
Also use lokkit or some other firewall.


----------



## mehulved (Oct 3, 2007)

www.outpostfirewall.com/forum/showthread.php?t=187
The more likely cause IMO is that Azureus is trying to have too many connections.


----------



## RCuber (Oct 3, 2007)

I think it's LAST ACKnowledgement. I used Azureus for more than a year but now shifted to uTorrent, as Azureus used to take some BW even when not downloading/seeding. uTorrent doesn't have much of this problem.


----------



## praka123 (Oct 3, 2007)

^but this is something to do with DoS. It slows down the connection by opening many events.


----------



## mediator (Oct 3, 2007)

@Gary : DoS attacks will hardly affect your PC today. I have tried that even on a Windows machine from 5-6 Linux machines without any signs of disturbance on the Windows user's face!!

1. Install a tool called "Bandwidth Monitor" => "sudo apt-get install bwm-ng"
2. Go to init 3 and do "ps aux >> it3.log"
3. Go to init 5 and again do "ps aux >> it5.log"
4. Compare the 2 for any malicious scripts!!
5. Use 'bwm-ng' to see the bandwidth in both the inits

You can also see log files for any possible intrusions! Also if you are feeling too paranoid, then simply use a sniffer!! Install and fire up 'ethereal' as root and monitor your interface e.g. eth0 or whatever! You may also post its output here!

Sometimes ISPs keep on checking the systems that are alive on their network, do port scans and hence some activity is noted on your machine.

On a more general note, check if your ping is consistent, try "ping yahoo.com" for 1 minute and post the result here!

I hope that will give you some basic idea!!
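As an added example for the runlevel comparison in steps 2 to 4 above (this is not mediator's or any other poster's code): the script below parses two `ps aux` listings of the kind `ps aux >> it3.log` and `ps aux >> it5.log` produce and reports which programs run in one snapshot but not the other, plus which ones are busiest. The two snapshots are constructed for the demo; the bonobo and evolution rows are copied from the ps output quoted later in this thread, every other row is made up, and the column count and the argv[0] comparison are the only assumptions about the input.

```python
"""Compare two `ps aux` snapshots, e.g. one taken in runlevel 3 and one in 5.

Added example for this thread; not mediator's or anyone else's code.
"""
from collections import Counter

# `ps aux` prints 11 columns; the last one (COMMAND) may contain spaces.
PS_COLUMNS = 11

# Constructed snapshots. The bonobo and evolution rows are copied from the ps
# output quoted in this thread; every other row is made up for the demo.
SNAPSHOT_IT3 = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2948  1836 ?        Ss   12:48   0:01 /sbin/init
root      2710  0.0  0.2   5268  2212 ?        Ss   12:49   0:00 /usr/sbin/sshd
root      2801  0.0  0.1   4308  1548 ?        Ss   12:49   0:00 /usr/sbin/cron
"""

SNAPSHOT_IT5 = """\
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1   2948  1836 ?        Ss   12:48   0:01 /sbin/init
root      2710  0.0  0.2   5268  2212 ?        Ss   12:49   0:00 /usr/sbin/sshd
root      2801  0.0  0.1   4308  1548 ?        Ss   12:49   0:00 /usr/sbin/cron
gaurish   5125  0.0  0.3  23132  3012 ?        Ssl  12:50   0:00 /usr/lib/bonobo-activation/bonobo-activation-server --ac-activate --ior-output-fd=25
gaurish   5140  0.0  0.9  36372  9336 ?        Sl   12:50   0:00 /usr/lib/evolution/2.10/evolution-exchange-storage --oaf-activate-iid=OAFIID:GNOME_Evolution_Exchange_Connector_CalFactory:1.2 --oaf-ior-fd=18
gaurish   5301  1.2  2.5  98452 26012 ?        Sl   12:51   0:04 ktorrent
"""


def parse_ps_aux(text):
    """Return one dict per process row; the COMMAND column keeps its spaces."""
    procs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("USER"):
            continue
        parts = line.split(None, PS_COLUMNS - 1)   # split at most 10 times
        if len(parts) < PS_COLUMNS:
            continue                                # malformed/truncated row
        user, pid, cpu, mem, vsz, rss, tty, stat, start, cputime, cmd = parts
        procs.append({"user": user, "pid": int(pid), "cpu": float(cpu),
                      "mem": float(mem), "rss_kb": int(rss), "stat": stat,
                      "cmd": cmd})
    return procs


def program(cmd):
    """argv[0] of the command, so differing arguments (fd numbers, IIDs)
    don't make one daemon look like several different programs."""
    return cmd.split()[0]


def compare_snapshots(text_a, text_b):
    """Which programs appear only in snapshot A, only in B, or in both."""
    a = Counter(program(p["cmd"]) for p in parse_ps_aux(text_a))
    b = Counter(program(p["cmd"]) for p in parse_ps_aux(text_b))
    return {
        "only_in_a": sorted(set(a) - set(b)),
        "only_in_b": sorted(set(b) - set(a)),
        "common": sorted(set(a) & set(b)),
        # Same program but a different number of instances is also worth a look.
        "count_changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
    }


def top_consumers(text, limit=3):
    """Processes ordered by CPU then RSS, for a quick 'what is busy' view."""
    procs = parse_ps_aux(text)
    procs.sort(key=lambda p: (p["cpu"], p["rss_kb"]), reverse=True)
    return [(p["user"], p["pid"], program(p["cmd"])) for p in procs[:limit]]


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as fa, open(sys.argv[2]) as fb:
            result = compare_snapshots(fa.read(), fb.read())
    else:
        result = compare_snapshots(SNAPSHOT_IT3, SNAPSHOT_IT5)
    for key, names in result.items():
        print(f"{key}:")
        for name in names:
            print("   ", name)
```

Run it as `python3 ps_compare.py it3.log it5.log` against real logs, or with no arguments to see the constructed demo. Everything in `only_in_b` is what the graphical runlevel started on top of the text one; that is the list to read through rather than the raw logs.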


----------



## gary4gar (Oct 3, 2007)

> 1. Install a tool called "Bandwidth Monitor" => "sudo apt-get install bwm-ng"
> 2. Go to init 3 and do "ps aux >> it3.log"
> 3. Go to init 5 and again do "ps aux >> it5.log"
> 4. Compare the 2 for any malicious scripts!!
> 5. Use 'bwm-ng' to see the bandwidth in both the inits



Did the first step, didn't get afterwards how to switch run levels??




> You can also see log files for any possible intrusions! Also if you are feeling too paranoid, then simply use a sniffer!! Install and fire up 'ethereal' as root and monitor your interface e.g. eth0 or whatever! You may also post its output here!



Which log files need to be searched? Also how to install a sniffer, it's not in the repos
[EDIT]
Do you mean wireshark?? I installed it, I think wireshark was formerly called ethereal, please correct me if I am wrong


> Sometimes ISPs keep on checking the systems that are alive on their network, do port scans and hence some activity is noted on your machine.



Does this apply to BSNL??



> I hope that will give u some basic idea!!


I am still not clear if it's a DoS attack or just some misconfiguration



> On a more general note, check if your ping is consistent, try "ping yahoo.com" for 1 minute and post the result here!





Ping results for yahoo.com

```
gaurish@Digital-den:~$ ping yahoo.com
PING yahoo.com (216.109.112.135) 56(84) bytes of data.
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=1 ttl=49 time=313 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=2 ttl=48 time=299 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=3 ttl=48 time=299 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=4 ttl=49 time=302 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=5 ttl=49 time=300 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=6 ttl=49 time=380 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=7 ttl=49 time=300 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=8 ttl=49 time=300 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=9 ttl=49 time=299 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=10 ttl=48 time=304 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=11 ttl=48 time=302 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=12 ttl=48 time=393 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=13 ttl=48 time=299 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=14 ttl=49 time=336 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=15 ttl=48 time=298 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=16 ttl=49 time=300 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=17 ttl=48 time=300 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=18 ttl=49 time=360 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=19 ttl=49 time=300 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=20 ttl=49 time=334 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=21 ttl=49 time=299 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=22 ttl=48 time=383 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=23 ttl=48 time=300 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=24 ttl=49 time=299 ms
64 bytes from w2.rc.vip.dcn.yahoo.com (216.109.112.135): icmp_seq=25 ttl=48 time=354 ms

--- yahoo.com ping statistics ---
25 packets transmitted, 25 received, 0% packet loss, time 24052ms
rtt min/avg/max/mdev = 298.921/318.649/393.028/30.247 ms
```

mehulved said:

> This log was taken when azureus was running or just after shutting down azureus?


Azureus was not running at all, however KTorrent was running in the tray with all torrents stopped.

praka123 said:

> www.uwsg.indiana.edu/hypermail/linux/kernel/0004.1/0105.html
> It is DoS.
> It builds up a lot of connections, hence slowing down.
> Change your open port for Azureus to some other.
> Also use lokkit or some other firewall.



Sorry to say it's too technical for me to understand,
can you please translate it

mehulved said:

> www.outpostfirewall.com/forum/showthread.php?t=187
> The more likely cause IMO is that Azureus is trying to have too many connections.


Well when I took this, Azureus was not running

Charan said:

> I think it's LAST ACKnowledgement. I used Azureus for more than a year but now shifted to uTorrent, as Azureus used to take some BW even when not downloading/seeding. uTorrent doesn't have much of this problem.


It's always preferable to run a native application rather than enumerating a different OS environment on the host OS


----------



## RCuber (Oct 3, 2007)

gary4gar said:

> It's always preferable to run a native application rather than enumerating a different OS environment on the host OS



Oops, I didn't see this was posted in the Open Source section.. My bad


----------



## mediator (Oct 3, 2007)

@Gary :
To switch runlevel, say to 3, execute "init 3" as root!
Yea your ISP is BSNL. Yes, ethereal is wireshark now. Your ping seems to be OK!

So you may simply run wireshark now on the relevant interface! It will yield everything!! Also you may contact your ISP. The problem can be from their end too! You must also check how much data transfers in idle state using "bwm-ng"!!


----------



## gary4gar (Oct 3, 2007)

mediator said:

> @Gary :
> To switch runlevel, say to 3, execute "init 3" as root!
> Yea your ISP is BSNL. Yes, ethereal is wireshark now. Your ping seems to be OK!
> 
> So you may simply run wireshark now on the relevant interface! It will yield everything!! Also you may contact your ISP. The problem can be from their end too! You must also check how much data transfers in idle state using "bwm-ng"!!



Attached the log


----------



## gary4gar (Oct 3, 2007)

Attaching wireshark capture file
capture time: 4 min

Grrr....
forum upload file limit sucks
please take the pain to d/l it here
www.MegaShare.com/284724


----------



## mediator (Oct 3, 2007)

Were you blogging, doing stuff on onlinehome-server.com etc. while wireshark was working?
There are so many entries! e.g.

198.65.131.97
82.165.181.49
66.150.96.119

Try taking the output when you are not working and post that O/P here. Also did you check out 'bwm-ng' in both the inits?
Also check if

1. Firefox is set on automatic updates and extension downloads!

2. What is bonobo server?

```
gaurish   5125  0.0  0.3  23132  3012 ?        Ssl  12:50   0:00 /usr/lib/bonobo-activation/bonobo-activation-server --ac-activate --ior-output-fd=25
```

It says something about activation??

3. There are so many processes going on! e.g.

```
gaurish   5140  0.0  0.9  36372  9336 ?        Sl   12:50   0:00 /usr/lib/evolution/2.10/evolution-exchange-storage --oaf-activate-iid=OAFIID:GNOME_Evolution_Exchange_Connector_CalFactory:1.2 --oaf-ior-fd=18
```

In GNOME, go to "System > Administration > Services" and disable the unwanted services first!! Also if you have a wireless setup then your lights will keep on blinking at regular intervals!

Please check all these out! It's probably some unwanted services; also check your speed both during day and night. It's common for the network to get slow during the day/evening!!


----------



## mehulved (Oct 3, 2007)

By Azureus I meant any torrent software. I mentioned Azureus as you have a mention of it in your first post.
Did you just pause your downloads then? Then the clients would give LAST_ACK to terminate the connection, from what I get.
Also, use pastebins instead of megaupload and stuff.
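To put the LAST_ACK question from the first post and the explanation above on a concrete footing, here is an added example (not code from any poster): a small parser for the `netstat` text output shown in the first post that tallies connections by TCP state and by remote host. LAST_ACK is a normal close state: the local side has received the remote's FIN, sent its own FIN, and is waiting for the final ACK. A few LAST_ACK rows to one web server are what a browser or torrent client leaves behind when it drops connections, which is a different picture from many distinct remote hosts hammering the box. The sample input is constructed (its first two rows are the ones gary4gar posted, the rest are made up), and the "few hosts" threshold is an assumed heuristic, not a standard.

```python
"""Tally netstat connection states per remote host.

Added example for this thread; not any poster's code.
"""
from collections import Counter

# Constructed sample in the layout `netstat -tn` prints on Linux. The first two
# data rows are the ones quoted in the first post; the remaining rows are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        1      1 Digital-den.local:47031 72.5.124.61:www         LAST_ACK
tcp        1      1 Digital-den.local:47030 72.5.124.61:www         LAST_ACK
tcp        0      0 Digital-den.local:47102 72.5.124.61:www         LAST_ACK
tcp        0      0 Digital-den.local:35012 198.65.131.97:www       ESTABLISHED
tcp        0      0 Digital-den.local:35013 82.165.181.49:www       TIME_WAIT
tcp        0      0 Digital-den.local:6881  10.0.0.5:51234          ESTABLISHED
"""

# States in which the connection is being torn down rather than carrying data.
CLOSING_STATES = {"LAST_ACK", "TIME_WAIT", "FIN_WAIT1", "FIN_WAIT2",
                  "CLOSE_WAIT", "CLOSING"}

# Assumed heuristic: closing-state entries spread over this many hosts or fewer
# look like one local application dropping its own connections.
FEW_HOSTS = 3


def parse_netstat(text):
    """Return one (proto, recv_q, send_q, local, foreign, state) tuple per row.

    The banner and column header are skipped; data rows start with tcp/udp.
    UDP rows carry no state column, so state is '' for them.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue
        proto, recv_q, send_q, local, foreign = fields[:5]
        state = fields[5] if len(fields) > 5 else ""
        rows.append((proto, int(recv_q), int(send_q), local, foreign, state))
    return rows


def remote_host(foreign):
    """Strip the port from a netstat Foreign Address such as '72.5.124.61:www'."""
    return foreign.rsplit(":", 1)[0]


def summarize(rows):
    """Return (counts per state, closing-state count per remote host, established hosts)."""
    by_state = Counter(r[5] for r in rows if r[5])
    closing_per_host = Counter()
    established_hosts = set()
    for _, _, _, _, foreign, state in rows:
        host = remote_host(foreign)
        if state in CLOSING_STATES:
            closing_per_host[host] += 1
        elif state == "ESTABLISHED":
            established_hosts.add(host)
    return by_state, closing_per_host, established_hosts


def triage(text):
    """Summarize a netstat dump into the numbers worth looking at first."""
    rows = parse_netstat(text)
    by_state, closing, established = summarize(rows)
    return {
        "connections": len(rows),
        "by_state": dict(by_state),
        "closing_total": sum(closing.values()),
        "closing_hosts": len(closing),
        "busiest_closing_host": closing.most_common(1)[0][0] if closing else None,
        "established_hosts": sorted(established),
        # A handful of hosts accumulating LAST_ACK/TIME_WAIT rows is the
        # footprint of a browser or torrent client closing its own sessions.
        "looks_like_local_teardown": 0 < len(closing) <= FEW_HOSTS,
    }


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_NETSTAT
    for key, value in triage(text).items():
        print(f"{key}: {value}")
```

Pipe a live listing in with `netstat -tn | python3 netstat_triage.py`; run without input to see the constructed sample. On the thread's data the closing-state rows all sit on one host, which is why the next thing to check is which local program was talking to it, not the ISP.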


----------



## praka123 (Oct 3, 2007)

bonobo server is part of gnome.


----------



## rocket357 (Oct 3, 2007)

mediator said:

> @Gary : DoS attacks will hardly affect your PC today. I have tried that even on a Windows machine from 5-6 Linux machines without any signs of disturbance on the Windows user's face!!


I think you've missed the point of a DoS or DDoS attack.  While it's certainly possible to flood a machine so much that it interferes with the machine's desktop, it typically requires gigabit LAN speeds to accomplish.  The point isn't to crash or slow down the target, the point is to suck up the target's bandwidth so legitimate traffic can't get through.

EDIT - you can crash or slow down the target given enough attacking machines in a DDoS attack, but a single DoS attack typically won't be able to do that.


----------



## mediator (Oct 3, 2007)

That's what I said? DoS/DDoS attacks will hardly affect your PC today!

If you are referring to 'D'DoS in that '5-6 linux systems' part of mine, then I meant the same.


----------



## rocket357 (Oct 4, 2007)

^^ Perhaps I misunderstood you.  I took your original statement "without any signs of disturbance on the windows user's face!!" to mean desktop interference.  Obviously (as I understand now) that's not what you meant.  I apologise...heh.

I was toying around with the idea earlier, and I decided I'd see what impact a DoS would have against my Windows box.  Now, before I say what happened, let me give some specs:  Windows box: dual core 3.0 GHz P4, 2 GB DDR667 RAM, gigabit ethernet.  Linux box:  single core 1.8 GHz Celeron, 768 MB DDR333 RAM, 10/100 ethernet.

I decided to flood the Windows box from nmap:  "nmap -P0 -A -T5 -p 1- --data-length 1450 <WinBox ip>".  The result was the ethernet controller in the box hitting around 6% capacity, no noticeable difference in the CPU usage...definitely not capable of a DoS attack 1v1...at that rate it'd take 15 machines (or more) to DoS the Windows box.  On this point, I agree with you fully.

Then I decided to make it interesting...I added "-f" to the nmap command above (fragment all packets), and suddenly the Windows machine jumped to 25% CPU usage even though the ethernet controller dropped to around 4% of its capacity. It seems that a lesser machine (or at least a few lesser machines) *can* cause havoc for a more powerful system.  Given 4-5 machines like that, I'm sure I could peg the CPU on my Windows box and keep it there, causing noticeable drops in performance and potentially a crash.  (There's really no hope of me flooding the ethernet controller, since my poor 10/100 just doesn't have the power to flood the gigabit NIC in the Windows box).

I just installed scapy and I think I'm going to test this a bit more before I say definitively that it can or cannot be done...

Again, sorry for misunderstanding you, but realize that DoS and DDoS attacks aren't worthless just because machines have gotten faster =)


----------



## mediator (Oct 4, 2007)

Yea no problem!
I agree DoS attacks aren't worthless. They are still very powerful. But not only have machines gotten more powerful, the defensive techniques have been improved also!


----------



## gary4gar (Oct 5, 2007)

mediator said:

> Were you blogging, doing stuff on onlinehome-server.com etc. while wireshark was working?
> There are so many entries! e.g.
> 
> 198.65.131.97
> ...



I don't know about this process, at the time of capture only Firefox & KTorrent were running


----------



## mediator (Oct 5, 2007)

You need the capture without any Firefox and KTorrent, and you need to disable the unwanted services before that! It's possible that some unwanted service might be leeching your bandwidth, like the Thunderbird email in my system that I have set up to download the mails automatically after 1 minute!! If you want to check again then check from a Knoppix CD also. If it gives slow speed then it's probably your ISP changing lines and doing some upgradation.... Their favourite reply!!


----------



## gary4gar (Oct 7, 2007)

mediator said:

> You need the capture without any Firefox and KTorrent, and you need to disable the unwanted services before that! It's possible that some unwanted service might be leeching your bandwidth, like the Thunderbird email in my system that I have set up to download the mails automatically after 1 minute!! If you want to check again then check from a Knoppix CD also. If it gives slow speed then it's probably your ISP changing lines and doing some upgradation.... Their favourite reply!!


Problem solved for the time being!
I don't get the LAST_ACK any more.
Also in a few will do a full format and upgrade to Gutsy.

@mehul
the file was of binary type so no use of pastebin here


----------

