redhat 9 machine pings out every 10 and 26 seconds

I have a redhat 9 machine behind a seperate hardware firewall. The redhat 9
machine is pinging a single address on the internet (flintstone.astro.rug.nl)
constantly - it will wait 10 seconds between ping 1 and ping 2, then 26 seconds
between ping 2 and 3, then 10 seconds again.... etc.

Is there any good awy to find out which process on the machine is doing this
pinging? I've had a good look at netstat -a etc and can't see anything that
looks relevant.

Are there any good scripts for linux that will look for suspicious items in the
environment (and tell me if the maachine has been exploited)?

thanks
alex

Alex Hunsley wrote:

> I have a redhat 9 machine behind a seperate hardware firewall. The redhat
> 9 machine is pinging a single address on the internet
> (flintstone.astro.rug.nl) constantly - it will wait 10 seconds between
> ping 1 and ping 2, then 26 seconds between ping 2 and 3, then 10 seconds
> again.... etc.
>
> Is there any good awy to find out which process on the machine is doing
> this pinging? I've had a good look at netstat -a etc and can't see
> anything that looks relevant.
>
> Are there any good scripts for linux that will look for suspicious items
> in the environment (and tell me if the maachine has been exploited)?
>
> thanks
> alex

Is it fully updated? There have been some kernel vulnerabilities that have
been fixed since then.

--
BOFH excuse #103:

operators on strike due to broken coffee machine

Alex Hunsley <lard@tardis.ed.ac.molar.uk> wrote in message news:<10i6p93q1j7am10@corp.supernews.com>...

> Is there any good awy to find out which process on the machine is doing this
> pinging? I've had a good look at netstat -a etc and can't see anything that
> looks relevant.

ps aux should list the processes running.
If you got a heap of processes just grep for ping :)

Cheers!

/svek

Alex Hunsley <lard@tardis.ed.ac.molar.uk> wrote in message news:<10i6p93q1j7am10@corp.supernews.com>...
> I have a redhat 9 machine behind a seperate hardware firewall. The redhat 9
> machine is pinging a single address on the internet (flintstone.astro.rug.nl)
> constantly - it will wait 10 seconds between ping 1 and ping 2, then 26 seconds
> between ping 2 and 3, then 10 seconds again.... etc.
>
> Is there any good awy to find out which process on the machine is doing this
> pinging? I've had a good look at netstat -a etc and can't see anything that
> looks relevant.
>
> Are there any good scripts for linux that will look for suspicious items in the
> environment (and tell me if the maachine has been exploited)?
>
> thanks
> alex

Have you monitored the process list? Booted without internet
connection? Sniffed the wire? Confirmed that running processes are
the ones you expect? In other words, precisely what have you tried?

Especially if no process _seems_ out of the ordinary, you may want to
try this:
http://www.chkrootkit.org/

BTW, from OpenRBL, flintstone.astro.rug.nl resolves to:
*Lookup 129.125.6.242 (flintstone.astro.rug.nl) in 20+10 Zones
*AS: 129.125.0.0/16 AS1103 SURFnet BV Utrecht
*Net 129.125/16 RUGNET Groningen, Groningen @rc.rug.nl
*Results: Negative=30, Positive=0 (2004-08-19 20:50:35 UTC)

[pbrain]$ ping -c4 129.125.6.242
PING 129.125.6.242 (129.125.6.242) from my.comp.at.home : 56(84) bytes
of data.
--- 129.125.6.242 ping statistics ---
4 packets transmitted, 0 received, 100% loss, time 3018ms

[pbrain]$ /usr/sbin/traceroute 129.125.6.242
traceroute to 129.125.6.242 (129.125.6.242), 30 hops max, 38 byte
packets
1 10.1.48.1 (10.1.48.1) 8.541 ms 6.777 ms 7.560 ms
2 10.100.3.2 (10.100.3.2) 7.873 ms 7.271 ms 7.848 ms
3 10.100.3.17 (10.100.3.17) 66.021 ms 65.608 ms 70.394 ms
4 500.serial2-6.gw7.dfw7.alter.net (157.130.206.241) 67.726 ms
67.525 ms 71
5 0.so-5-2-0.cl2.dfw13.alter.net (152.63.99.254) 68.558 ms 69.296
ms 67.047
6 0.so-3-0-0.xl2.dfw9.alter.net (152.63.103.221) 67.306 ms 71.248
ms 65.879
7 pos7-0.br2.dfw9.alter.net (152.63.99.213) 68.024 ms 68.860 ms
107.460 ms
8 208.50.134.17 (208.50.134.17) 69.819 ms 73.824 ms 68.977 ms
9 so1-0-0-2488m.ar1.ams1.gblx.net (67.17.65.242) 188.951 ms
184.792 ms 183.
10 gigasurf-amsterdam.ge-2-1-0.ar1.ams1.gblx.net (208.49.125.50)
185.156 ms
su 06) 182.948 ms 181.750 ms
11 p11-0.cr1.amsterdam1.surf.net (145.145.166.33) 199.614 ms
185.439 ms 184.
12 po1-0.cr2.amsterdam1.surf.net (145.145.160.2) 184.782 ms 185.246
ms 181.8
13 po0-0.ar5.groningen1.surf.net (145.145.163.18) 189.597 ms
191.982 ms 188.
14 rug-router.customer.surf.net (145.145.2.2) 198.017 ms 189.466 ms
186.550
15 * * *
hits the wall and never picks up again -- seems following net/segment
likely blocking/dropping the packets.

How did you happen to notice this occurring in the first place?

prg
email above disabled

Alex Hunsley (lard@tardis.ed.ac.molar.uk) wrote:
: Is there any good awy to find out which process on the machine is doing this
: pinging? I've had a good look at netstat -a etc and can't see anything that
: looks relevant.

If your computer is slow enough, "top" may bring the offending procese to
the top of the list during the ping attempt. I found spyware on my Windows
box because it was using 5-10 seconds of CPU time every 60 seconds trying
to get out (blocked by zone alarm). The computer in question is a
first-generation pentium, however. I got suspicious when the quake demo
would run "okay", then get jumpy at predictable intervals.

Regards,

James Phillips