[clug] Re: linux Digest, Vol 31, Issue 25
Alex Satrapa
grail at goldweb.com.au
Fri Jul 22 02:24:21 GMT 2005
On 22 Jul 2005, at 11:28, Chris wrote:
> Just as the way you pointed out, there were indeed, lots of http requests,
> and this keeps happening until now. As far as I have gathered, the system
> was somehow instructed to download some Perl files and put them in the
> /tmp folder.
You've been owned!
> And the server is still getting connection from the aforementioned
> addresses (e.g., luzerklub.hu). Any ideas what else I need to do to
> completely drop all those annoying connections?
Move to a new IP address. Let the person who inherits your old one
suffer the SYN storm.
Adding an iptables rule, e.g. "iptables -I INPUT --source xx.xx.xx.xx -j
DROP", will only save your machine the effort of responding to the
SYNs. The incoming connections will keep happening until the remote
end decides that it's not worth trying to own your machine anymore.
Having a firehol firewall up and running means nothing if you have
the default configuration which allows all client activity, e.g.:

    interface any world
        server ssh accept
        client all accept
        server all drop

This configuration means that anything is allowed to make outgoing
connections. If you really must allow clients such as IRC, make sure
you restrict them with "dst ..." parameters to allow them to only
connect to trusted IRC servers.
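To make the difference concrete, here is an added example (not part of the original post or of firehol itself): a small POSIX shell audit that scans a firehol config for "client ... accept" lines that carry no "dst" restriction, which is exactly the permissive default above. Both sample configs are constructed inline; the 192.0.2.x addresses are documentation-range placeholders standing in for the "trusted IRC servers" the post mentions.

```shell
#!/bin/sh
# Added example, not from the original post or from the firehol project:
# find firehol client rules that allow outbound traffic to any destination.

# Constructed sample: the permissive default configuration from the post.
PERMISSIVE_CONF='interface any world
    server ssh accept
    client all accept
    server all drop'

# Constructed sample: every outbound client is pinned with "dst" to
# explicit addresses (192.0.2.0/24 is a documentation range, placeholder only).
RESTRICTED_CONF='interface any world
    server ssh accept
    client irc accept dst "192.0.2.10 192.0.2.11"
    client dns accept dst 192.0.2.53
    client http accept dst 192.0.2.80
    server all drop'

# Reads a firehol config on stdin and prints every "client <svc> accept"
# line that has no "dst" parameter, prefixed with its line number.
# Exit status: 0 if no unrestricted client rule was found, 1 otherwise.
find_unrestricted_clients() {
    awk '
        $1 == "client" && $3 == "accept" {
            restricted = 0
            for (i = 4; i <= NF; i++) if ($i == "dst") restricted = 1
            if (!restricted) { print NR ": " $0; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Wrapper taking the config text as an argument instead of stdin.
# Exit status: 0 if the config is clean, 1 if it has unrestricted clients.
audit_conf() {
    printf '%s\n' "$1" | find_unrestricted_clients
}

# Stand-alone demonstration: report on both constructed configs.
for name in PERMISSIVE_CONF RESTRICTED_CONF; do
    eval "conf=\$$name"
    if audit_conf "$conf"; then
        echo "$name: no unrestricted client rules"
    else
        echo "$name: unrestricted client rules listed above"
    fi
done
```

Run it against a real /etc/firehol/firehol.conf with `find_unrestricted_clients < /etc/firehol/firehol.conf`; any line it prints is a client rule that lets a compromised host fetch whatever it likes from wherever it likes, which is what the "download some Perl files into /tmp" symptom depends on.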
You could, of course, try contacting the (legitimate/person who until
now thought they were the) owner of the remote machine to ask them to
stop that traffic.
Good luck!
Alex