Missing IP?

J.L.Francois jlf@magusnet.gilbert.az.us
Sat, 8 Jul 2000 23:35:03 -0700


It seems like on Sat, Jul 08, 2000 at 04:48:57PM -0700, David Demland scribbled:
Orig Msg> Thank you. Are these the types of things I should watch for with my system?
Orig Msg> I have come home the last couple of nights to find my message log
Orig Msg> overflowing and the system acting very sluggish. I have renamed the log files
Orig Msg> and had to reboot the system to get it to work normally. These probes are
Orig Msg> the only things I have seen in the log files. Is there anything else I
Orig Msg> should be looking for?
Orig Msg> 
Orig Msg> David

If the probes are bad enough to be causing a system slowdown
then filter them at your router or drop all connections
from those IPs.

Once that is done, take a look just in case there is
already a compromise.
Start at CERT and look at the current advisories.

Look in /var/named or /etc/bind for any "dot" files that do not
belong.
The same for /tmp.
Also look for the classic "..." directories that crackers
use to hide files in.

Type "lsof" and "netstat -a" and see if something is running that shouldn't be
on any ports.
A netstat will also show you if you are being used as an IRC reflector.
If a rootkit is installed these will have odd output as an indicator something
isn't quite right.

Look at /etc/passwd and /etc/shadow for any accounts with
UID/GID 0 that have no passwords.

Usually when you start getting lots of activity like this it is
because the box may be owned and the cracker is bragging on
IRC. Other crackers may be examining the box to take it from
the cracker that owned it so they can brag about doing that.

It may be nothing but better safe than sorry.

Good Luck.

JLF Sends...
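As an added example that is not part of the original post, the following POSIX shell script automates the file-system and account checks listed above (hidden "dot" files and "..." directories, UID/GID 0 accounts with no password). The passwd and shadow contents, the `svc` account name and the fake /tmp tree are all constructed so the script runs offline; on a real box you would point the functions at /etc/passwd, /etc/shadow, /tmp and the named directory.

```shell
#!/bin/sh
# Added example, not from the original post: automates the file-system
# and account checks described above. The passwd/shadow contents and the
# temp tree are constructed so it runs offline; on a live box point the
# functions at /etc/passwd, /etc/shadow, /tmp and the named directory.

# Accounts with UID 0 or GID 0 in a passwd-format file.
root_accounts() {
  awk -F: '$3 == 0 || $4 == 0 { print $1 }' "$1"
}

# UID/GID-0 accounts (from passwd) whose shadow password field is empty:
# root-equivalent logins that need no password at all.
root_without_password() {
  awk -F: 'NR == FNR { if ($3 == 0 || $4 == 0) r[$1] = 1; next }
           ($1 in r) && $2 == "" { print $1 }' "$1" "$2"
}

# Hidden "dot" entries, including the classic "..." directory, under a path.
hidden_entries() {
  find "$1" -mindepth 1 -name '.*' | sort
}

# Constructed fixture: a planted UID-0 account with no password and a
# "..." directory hidden in a fake /tmp. Prints the fixture directory.
make_fixture() {
  d=$(mktemp -d)
  printf '%s\n' \
    'root:x:0:0:root:/root:/bin/sh' \
    'david:x:1000:1000:David:/home/david:/bin/sh' \
    'svc:x:0:0:planted (constructed):/tmp:/bin/sh' > "$d/passwd"
  printf '%s\n' \
    'root:$6$constructed$hash:14000:0:99999:7:::' \
    'david:$6$constructed$hash:14000:0:99999:7:::' \
    'svc::14000:0:99999:7:::' > "$d/shadow"
  mkdir -p "$d/tmp/..." "$d/tmp/.hidden"
  touch "$d/tmp/session.log"
  echo "$d"
}

# Run the checks against the fixture; any output below is a finding to
# investigate by hand.
f=$(make_fixture)
echo "UID/GID 0 accounts:";             root_accounts "$f/passwd"
echo "UID/GID 0 with no password:";     root_without_password "$f/passwd" "$f/shadow"
echo "Hidden entries under fake /tmp:"; hidden_entries "$f/tmp"
rm -rf "$f"
```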