[clug] Re: linux Digest, Vol 31, Issue 25

Alex Satrapa grail at goldweb.com.au
Fri Jul 22 02:24:21 GMT 2005

On 22 Jul 2005, at 11:28, Chris wrote:

> Just as the way you pointed out, there were indeed, lots of http  
> requests,
> and this keeps happening until now. As far as I have gathered, the  
> system
> was somehow instructed to download some Perl files and put them in the
> /tmp folder.

You've been owned!

> And the server is still getting connection from the aforementioned
> addresses (e.g.,luzerklub.hu). Any ideas what else I need to do to
> complete drop all those annoying connections?

Move to a new IP address. Let the person who inherits your old one  
suffer the SYN storm.

Adding an iptables rule eg "iptables -I INPUT --source xx.xx.xx.xx -j  
DROP" will only save your machine the effort of responding to the  
SYNs. The incoming connections will keep happening until the remote  
end decides that it's not worth trying to own your machine anymore.

Having a firehol firewall up and running means nothing if you have  
the default configuration which allows all client activity, eg:

interface any world
    server ssh accept
    client all accept
    server all drop

This configuration means that anything is allowed to make outgoing  
connections. If you really must allow clients such as IRC, make sure  
you restrict them with "dst ..." parameters to allow them to only  
connect to trusted IRC servers.

You could, of course, try contacting the (legitimate/person who until  
now thought they were the) owner of the remote machine to ask them to  
stop that traffic.

Good luck!


More information about the linux mailing list