This is a discussion on attack on server from LAN within the Linux Security forums, part of the System Security and Security Related category.
How can I stop an attack from the LAN on my server.
I see in my ip_conntrack 49000 (768MB RAM) identical rules:

tcp 6 430626 ESTABLISHED src=192.168.2.90 dst=213.8.106.117 sport=165 dport=1008 [UNREPLIED] src=213.8.106.117 dst=192.168.2.90 sport=1008 dport=165 use=1
tcp 6 430619 ESTABLISHED src=192.168.2.155 dst=213.8.106.117 sport=686 dport=608 [UNREPLIED] src=213.8.106.117 dst=192.168.2.155 sport=608 dport=686 use=1
tcp 6 430604 ESTABLISHED src=192.168.2.62 dst=213.8.106.117 sport=652 dport=54 [UNREPLIED] src=213.8.106.117 dst=192.168.2.62 sport=54 dport=652 use=1
tcp 6 430596 ESTABLISHED src=192.168.2.119 dst=213.8.106.117 sport=850 dport=408 [UNREPLIED] src=213.8.106.117 dst=192.168.2.119 sport=408 dport=850 use=1
tcp 6 430586 ESTABLISHED src=192.168.2.242 dst=213.8.106.117 sport=334 dport=25 [UNREPLIED] src=213.8.106.117 dst=80.53.18.162 sport=25 dport=334 use=1

In my log I see more:

May 5 19:47:46 serv kernel: martian source 213.8.106.117 from 192.168.2.1, on dev eth3
May 5 19:47:46 serv kernel: ll header: 00:e0:7d:a1:33:f5:00:30:4f:24:34:6d:08:00
--
May 5 19:48:11 serv kernel: martian source 213.8.106.117 from 192.168.2.0, on dev eth3
May 5 19:48:11 serv kernel: ll header:00:e0:7d:a1:33:f5:00:30:4f:24:34:6d:08:00

When my server is attacked, the internet stops working.
Can you help me stop this attack?
HooK wrote:
> How can I stop an attack from the LAN on my server.
> I see in my ip_conntrack 49000 (768MB RAM) identical rules:
>
> tcp 6 430626 ESTABLISHED src=192.168.2.90 dst=213.8.106.117 sport=165 dport=1008 [UNREPLIED] src=213.8.106.117 dst=192.168.2.90 sport=1008 dport=165 use=1
> tcp 6 430619 ESTABLISHED src=192.168.2.155 dst=213.8.106.117 sport=686 dport=608 [UNREPLIED] src=213.8.106.117 dst=192.168.2.155 sport=608 dport=686 use=1
> tcp 6 430604 ESTABLISHED src=192.168.2.62 dst=213.8.106.117 sport=652 dport=54 [UNREPLIED] src=213.8.106.117 dst=192.168.2.62 sport=54 dport=652 use=1
> tcp 6 430596 ESTABLISHED src=192.168.2.119 dst=213.8.106.117 sport=850 dport=408 [UNREPLIED] src=213.8.106.117 dst=192.168.2.119 sport=408 dport=850 use=1
> tcp 6 430586 ESTABLISHED src=192.168.2.242 dst=213.8.106.117 sport=334 dport=25 [UNREPLIED] src=213.8.106.117 dst=80.53.18.162 sport=25 dport=334 use=1
>
> In my log I see more:
>
> May 5 19:47:46 serv kernel: martian source 213.8.106.117 from 192.168.2.1, on dev eth3
> May 5 19:47:46 serv kernel: ll header: 00:e0:7d:a1:33:f5:00:30:4f:24:34:6d:08:00
> --
> May 5 19:48:11 serv kernel: martian source 213.8.106.117 from 192.168.2.0, on dev eth3
> May 5 19:48:11 serv kernel: ll header:00:e0:7d:a1:33:f5:00:30:4f:24:34:6d:08:00
>
> When my server is attacked, the internet stops working.
> Can you help me stop this attack?

If the header: part is the Ethernet header and your server has the MAC 00:e0:7d:a1:33:f5 at eth3, go look up the computer in your LAN with MAC 00:30:4f:24:34:6d. If you're lucky and the user has also used the server legitimately, you can find the corresponding real IP address in the ARP cache (in UNIX-like systems the command arp will tell).

HTH

Tauno Voipio
tauno voipio @ iki fi
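As an added example (not code from the thread or from either poster), here is a small Python helper that does what Tauno describes: it pairs each "martian source" kernel line with the "ll header" line that follows it, splits the 14-byte Ethernet header into destination MAC, source MAC and ethertype, counts martian frames per sender MAC (the spoofed source IPs vary, the MAC does not), and then looks that MAC up in arp -an output. The kernel lines are modelled on the ones quoted above; the ARP output, its hosts and the 192.168.2.77 mapping are constructed.

```python
import re
from collections import Counter, defaultdict
# Sample kernel lines modelled on the thread's log (constructed copy, not a live capture).
# The kernel prints the destination address first and the martian source address second.
MARTIAN_LOG = """\
May 5 19:47:46 serv kernel: martian source 213.8.106.117 from 192.168.2.1, on dev eth3
May 5 19:47:46 serv kernel: ll header: 00:e0:7d:a1:33:f5:00:30:4f:24:34:6d:08:00
May 5 19:48:11 serv kernel: martian source 213.8.106.117 from 192.168.2.0, on dev eth3
May 5 19:48:11 serv kernel: ll header:00:e0:7d:a1:33:f5:00:30:4f:24:34:6d:08:00
"""
# Constructed 'arp -an' output; the hosts and the 192.168.2.77 mapping are hypothetical.
ARP_CACHE = """\
? (192.168.2.77) at 00:30:4f:24:34:6d [ether] on eth3
? (192.168.2.55) at 00:0c:29:11:22:33 [ether] on eth3
"""

MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LLHDR_RE = re.compile(r"ll header:\s*((?:[0-9a-f]{2}:){13}[0-9a-f]{2})", re.I)
ARP_RE = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-f:]{17})", re.I)

def parse_ll_header(hexbytes):
    """Split the 14-byte Ethernet header into dst MAC, src MAC and ethertype."""
    b = hexbytes.lower().split(":")
    return ":".join(b[0:6]), ":".join(b[6:12]), "".join(b[12:14])

def parse_martians(log):
    """Pair each 'martian source' line with the 'll header' line that follows it."""
    events, pending = [], None
    for line in log.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            pending = {"dst": m.group(1), "claimed_src": m.group(2), "dev": m.group(3)}
            continue
        h = LLHDR_RE.search(line)
        if h and pending:
            dst_mac, src_mac, etype = parse_ll_header(h.group(1))
            pending.update(dst_mac=dst_mac, src_mac=src_mac, ethertype=etype)
            events.append(pending)
            pending = None
    return events

def parse_arp(arp_output):
    """Map each MAC in 'arp -an' output to the IP addresses it has answered for."""
    table = defaultdict(list)
    for m in ARP_RE.finditer(arp_output):
        table[m.group(2).lower()].append(m.group(1))
    return table

def suspect_hosts(log, arp_output):
    """Count martian frames per sender MAC and resolve that MAC through the ARP cache."""
    arp = parse_arp(arp_output)
    counts = Counter(e["src_mac"] for e in parse_martians(log))
    return {mac: {"martians": n, "arp_ips": arp.get(mac, [])} for mac, n in counts.items()}
```

On a real box, feed it the output of dmesg or /var/log/messages and of arp -an; a MAC that shows up with many martians but is absent from the ARP cache still identifies the switch port to trace.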
If this is a M$ shop:

nbtstat -a 192.168.2.90 from a Windows PC cmd shell. That should yield the machine name. That may also help. As mentioned, once you have the MAC address, you may be able to shut down the offender's LAN connection. Well, depending on whether your network guys can locate it.

"Tauno Voipio" <tauno.voipio@iki.fi.NOSPAM.invalid> wrote in message news:0nNnc.250$uJ2.245@read3.inet.fi...
> HooK wrote:
> > How can I stop an attack from the LAN on my server.
> > I see in my ip_conntrack 49000 (768MB RAM) identical rules:
> >
> > tcp 6 430626 ESTABLISHED src=192.168.2.90 dst=213.8.106.117 sport=165 dport=1008 [UNREPLIED] src=213.8.106.117 dst=192.168.2.90 sport=1008 dport=165 use=1
> > tcp 6 430619 ESTABLISHED src=192.168.2.155 dst=213.8.106.117 sport=686 dport=608 [UNREPLIED] src=213.8.106.117 dst=192.168.2.155 sport=608 dport=686 use=1
> > tcp 6 430604 ESTABLISHED src=192.168.2.62 dst=213.8.106.117 sport=652 dport=54 [UNREPLIED] src=213.8.106.117 dst=192.168.2.62 sport=54 dport=652 use=1
> > tcp 6 430596 ESTABLISHED src=192.168.2.119 dst=213.8.106.117 sport=850 dport=408 [UNREPLIED] src=213.8.106.117 dst=192.168.2.119 sport=408 dport=850 use=1
> > tcp 6 430586 ESTABLISHED src=192.168.2.242 dst=213.8.106.117 sport=334 dport=25 [UNREPLIED] src=213.8.106.117 dst=80.53.18.162 sport=25 dport=334 use=1
> >
> > In my log I see more:
> >
> > May 5 19:47:46 serv kernel: martian source 213.8.106.117 from 192.168.2.1, on dev eth3
> > May 5 19:47:46 serv kernel: ll header: 00:e0:7d:a1:33:f5:00:30:4f:24:34:6d:08:00
> > --
> > May 5 19:48:11 serv kernel: martian source 213.8.106.117 from 192.168.2.0, on dev eth3
> > May 5 19:48:11 serv kernel: ll header:00:e0:7d:a1:33:f5:00:30:4f:24:34:6d:08:00
> >
> > When my server is attacked, the internet stops working.
> > Can you help me stop this attack?
>
> If the header: part is the Ethernet header and your server has the MAC 00:e0:7d:a1:33:f5 at eth3, go look up the computer in your LAN with MAC 00:30:4f:24:34:6d. If you're lucky and the user has also used the server legitimately, you can find the corresponding real IP address in the ARP cache (in UNIX-like systems the command arp will tell).
>
> HTH
>
> Tauno Voipio
> tauno voipio @ iki fi