Re: [cobalt-users] [RaQ3] Kernel IP routing table HACKED?
- Subject: Re: [cobalt-users] [RaQ3] Kernel IP routing table HACKED?
- From: flash22@xxxxxxx
- Date: Wed Jul 25 02:58:03 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Wed, 25 Jul 2001, enrique wrote:
> My RaQ3 was recently hacked by Dwarf. I was notified by a change to an
...
> 169.254.183.37 which seems to end up at blackhole.isi.edu.
>
> Now, I have little knowledge of Linux and would like to ask you folks if
> I have an open relay hack. If so, can you tell me what I need to do to stop
It has nothing to do with relays, that's email :)
> this? I have rebooted the box, but this ip address must be hardcoded
> somewhere. Note that the xxx.xxx.xx.x is my ip address which I am not
It's part of your configuration scripts then....
> I've included a couple of commands which show info, but I am unable to
> decipher it. Thank you in advance for any assistance you can give!
>
> [root@www admin]# /sbin/route
> Kernel IP routing table
> Destination Gateway Genmask Flags Metric Ref Use Iface
> 169.254.183.37 * 255.255.255.255 UH 0 0 0 eth0
> xxx.xxx.xx.x * 255.255.255.0 U 0 0 0 eth0
> 169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
> default xxx.xxx.xx.x 0.0.0.0 UG 0 0 0 eth0
It's telling you that that address is a gateway
(hopefully) The 169.254.X.X IP address range is RESERVED for interlinks,
so it's possible it is 'supposed' to be there, it's also possible it's
not, you need to be asking your ISP what your gateway address is supposed
to be....
Note that this address will NOT route places on the internet...at least
not normally, but it WILL route on a local ethernet segment (e.g. to a
nearby machine)
Given you have a /16 netmask, I'd be suspicious more than not ;)
>
> [root@www admin]# /sbin/ifconfig
> eth0 Link encap:Ethernet HWaddr 00:10:E0:01:28:89
> inet addr:xxx.xxx.xx.x Bcast:xxx.xxx.xx.x Mask:255.255.255.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:117588 errors:0 dropped:0 overruns:0 frame:0
> TX packets:117485 errors:0 dropped:0 overruns:0 carrier:0
> collisions:5232 txqueuelen:100
> Interrupt:11 Base address:0x1000
>
> eth0:0 Link encap:Ethernet HWaddr 00:10:E0:01:28:89
> inet addr:169.254.183.37 Bcast:169.254.255.255 Mask:255.255.0.0
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> Interrupt:11 Base address:0x1000
>
> To get rid of this ip, should I do the following?
>
> /sbin/route add -host 169.254.183.37 reject
>
> Will this remove them for ever? Even after a reboot?
No, first drop the interface, that will delete the routes,
but if it's there after reboot, it's in your machine's configuration or in
a startup script somewhere and will come back after reboot. Routes and
interfaces are just stored in memory, they are set up at boot....
gsh
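
Added example, not part of the original message or of any Cobalt tooling: a shell check for the situation discussed in this thread. It lists interfaces carrying a 169.254.x.x address from ifconfig-style output (also accepting the newer `inet 169.254...` layout), then searches configuration directories for the address so the persistent source can be found. The function names are hypothetical, 192.0.2.10 stands in for the masked address, and the directories named in the comments are assumed Red Hat-style locations.

```shell
#!/bin/sh
# Sample input, constructed from the ifconfig output quoted in the thread;
# 192.0.2.10 is a placeholder for the poster's masked address.
SAMPLE='eth0      Link encap:Ethernet  HWaddr 00:10:E0:01:28:89
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
eth0:0    Link encap:Ethernet  HWaddr 00:10:E0:01:28:89
          inet addr:169.254.183.37  Bcast:169.254.255.255  Mask:255.255.0.0'

# Read ifconfig-style text on stdin; print "<interface> <address>" for every
# interface whose IPv4 address falls in 169.254.0.0/16.
linklocal_ifaces() {
    awk '
        /^[a-zA-Z]/ { iface = $1 }            # unindented line opens a new interface block
        /inet (addr:)?169\.254\./ {
            sub(/^.*inet (addr:)?/, "")        # drop everything up to the address
            sub(/ .*$/, "")                    # drop Bcast/Mask fields after it
            print iface, $0
        }'
}

# List files under the given directories that mention the address literally.
# Exit status is non-zero when nothing references it.
config_refs() {
    addr=$1
    shift
    grep -rlF -- "$addr" "$@" 2>/dev/null
}

# Run over the embedded sample so the script works offline.
printf '%s\n' "$SAMPLE" | linklocal_ifaces

# On a live host (directories are an assumption, adjust to the system):
#   /sbin/ifconfig | linklocal_ifaces
#   config_refs 169.254.183.37 /etc/sysconfig /etc/rc.d
```

An interface reported here that no file under the searched directories references is either configured somewhere else or was added at runtime, which is the distinction the reply draws between in-memory state and boot-time configuration.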