Am I being hacked/ DOS-ed, whatever? - Tilted Forum Project Discussion Community

Silvy · 04-14-2004, 12:36 PM

Probably not,

as I'm still able to post this, and it shouldn't take much to hang /overload my system and especially my connection.

But I am getting terrible connections to many servers, so I thought I'd check it out.

I used `tcpdump -ipp0` to read my internet traffic and I believe I keep getting 3 packet handshakes or something. For example:

Quote:

22:18:19.032975 81.134.108.43.20500 > my-ip.1439: P 130706573:130706575(2) ack 154129622 win 16295 (DF)
22:18:19.041633 81.134.108.43.20500 > my-ip.1439: P 2:147(145) ack 1 win 16295 (DF)
22:18:19.041908 my-ip.1439 > 81.134.108.43.20500: . ack 147 win 64089 (DF)

22:18:19.127558 81.134.108.43.20500 > my-ip.1439: P 147:149(2) ack 1 win 16295 (DF)
22:18:19.132455 81.134.108.43.20500 > my-ip.1439: P 149:262(113) ack 1 win 16295 (DF)
22:18:19.132716 my-ip.1439 > 81.134.108.43.20500: . ack 262 win 63974 (DF)

(grouped as I think it should be)

Now am I right in assuming that the connections are grouped as: 2 partial packets (i.e. containing something that should be considered as a single payload) sent from the remote machine, and a single response from my machine? Or is it the other way around (in which case I must now check for spyware stuff)

What activity is going on here? I see these packets come by sometimes 3 times every 2 seconds, sometimes 10/sec. I was trying to play a game online, but I think this is messing it up.

Anyone know how I should deal with this? The IP is assigned to a broadband ISP in the UK (I live in the Netherlands), and abuse mails don't give much response. Will simply blocking the remote address help?

Yakk · 04-14-2004, 12:49 PM

Poking at what port 1439 is legitimately used for:

Quote:

Service description(s):
Eicon X25|SNA Gateway

from
http://www.seifried.org/security/ports/1000/1439.html

Ring a bell?

From http://www.tcpdump.org/tcpdump_man.html

Quote:

The general format of a tcp protocol line is:
src > dst: flags data-seqno ack window urgent options

More:

Quote:

The
first time tcpdump sees a tcp `conversation', it prints
the sequence number from the packet. On subsequent pack_
ets of the conversation, the difference between the cur_
rent packet's sequence number and this initial sequence
number is printed. This means that sequence numbers after
the first can be interpreted as relative byte positions in
the conversation's data stream (with the first data byte
each direction being `1'). `-S' will override this fea_
ture, causing the original sequence numbers to be output.

so what is being seen above is one conversation looks like.

I now know enough to understand half of the TCP dump.

Quote:

src > dst: flags data-seqno ack window urgent options
22:18:19.032975 81.134.108.43.20500 > my-ip.1439: P 130706573:130706575(2) ack 154129622 win 16295 (DF)
// first time tcpdump saw the conversation, hence the huge sequence numbers. Only 2 bytes in this packet
22:18:19.041633 81.134.108.43.20500 > my-ip.1439: P 2:147(145) ack 1 win 16295 (DF)
// Another 145 bytes in this packet
22:18:19.041908 my-ip.1439 > 81.134.108.43.20500: . ack 147 win 64089 (DF)
// Your computer says "I've seen 147 bytes" (number is since tcpdump first started monitoring conversation).
// This packet contains no data, btw.

22:18:19.127558 81.134.108.43.20500 > my-ip.1439: P 147:149(2) ack 1 win 16295 (DF)
// Other computer sends another 2 bytes. Still hasn't heard your computer's "ack" yet.
22:18:19.132455 81.134.108.43.20500 > my-ip.1439: P 149:262(113) ack 1 win 16295 (DF)
// Other computer sends another 113 bytes. Still hasn't heard your computer's "ack" yet.
22:18:19.132716 my-ip.1439 > 81.134.108.43.20500: . ack 262 win 63974 (DF)
// Your computer says "I've heard 262 bytes (since tcpdump started listening into this conversation).

The dataflow is towards your computer in this small sample. I cannot tell you who opened the connection.

Silvy · 04-14-2004, 12:56 PM

Quote:

Originally posted by Yakk
[B] Poking at what port 1439 is legitimately used for:

I found references to Eicon as well, but other than ISDN cards, I have no idea what Eicon is, and I sure don't use ISDN or anything else except a COM21 cable modem and a realtek ethernet adapter.
So it doesn't really ring a bell in reference to my current situation.

And while I can figure some of the output out with the man page, I still am unable to interpret....

Edit: Now I see... so there is no real way to see how these communications relate?
Thanks a lot, I'll see if I can dig up more data to process, and try to interpret!

Yakk · 04-14-2004, 01:06 PM

22:18:19.032975 81.134.108.43.20500 > my-ip.1439: P 130706573:130706575(2) ack 154129622 win 16295 (DF)

130706573:130706575(2) are sequence numbers. (2) is the amount of data in this packet.

ack 154129622
this is the sequence number the remote computer knows the client computer knows about. (ie, he is waiting for any ack after this).

win 16295
He has 16 k of buffer space availiable for responses.

The "P" means a "push" packet. I don't know what that means.

After tcpdump sees a new conversation, all later sequence numbers are relative to the numbers in the start of the conversation. That is why all the other packets have such low sequence numbers: tcpdump is making it easier for humans to read.

22:18:19.041908 my-ip.1439 > 81.134.108.43.20500: . ack 147 win 64089 (DF)

ack 147 means "I have heard up to sequence number 147".

"." means no flags set.

Dunno what (DF) means.

my-ip.1439 > 81.134.108.43.20500
means this is a packet going from my-up port 1439 to 81.134.108.43 port 20500.

Silvy · 04-14-2004, 01:10 PM

Right! I see it.
I knew how the ports worked (that's why I found the Eicon reference earlier), but the sequence numbers and how to read the acks (as in "which packet does this ack belong to") baffled me.

I got a lot more packets dumped, I'll see if I can interpret them on my own for now...
Thanks a lot!!

Yakk · 04-14-2004, 01:16 PM

I think the S (for Sync) flag might be part of the start of a conversation.

Bah. I may have misinterprited the acks. You might only send "how many bytes incoming have I heard", so the ack 1 on the (other computer>your computer) packets simply means that the other computer hasn't heard anything from your computer since tcpdump started listening in...

Ayep, I'm now pretty sure this is true.

So, reedit:

Quote:

src > dst: flags data-seqno ack window urgent options
22:18:19.032975 81.134.108.43.20500 > my-ip.1439: P 130706573:130706575(2) ack 154129622 win 16295 (DF)
// first time tcpdump saw the conversation, hence the huge sequence numbers. Only 2 bytes in this packet

22:18:19.041633 81.134.108.43.20500 > my-ip.1439: P 2:147(145) ack 1 win 16295 (DF)
// Another 145 bytes in this packet. Remote computer hasn't heard anything from your computer since tcpdump started monitoring.

22:18:19.041908 my-ip.1439 > 81.134.108.43.20500: . ack 147 win 64089 (DF)
// Your computer says "I've seen 147 bytes" (number is since tcpdump first started monitoring conversation).
// This packet contains no data, btw.

22:18:19.127558 81.134.108.43.20500 > my-ip.1439: P 147:149(2) ack 1 win 16295 (DF)
// Other computer sends another 2 bytes. Remove computer still hasn't heard anything.

22:18:19.132455 81.134.108.43.20500 > my-ip.1439: P 149:262(113) ack 1 win 16295 (DF)
// Other computer sends another 113 bytes. Remote computer hasn't heard anything from your computer since tcpdump started monitoring.

22:18:19.132716 my-ip.1439 > 81.134.108.43.20500: . ack 262 win 63974 (DF)
// Your computer says "I've heard 262 bytes (since tcpdump started listening into this conversation).
// no data from your computer to remote computer sent in this packet

Sorry! Never used tcpdump before. =)

Silvy · 04-14-2004, 01:34 PM

Thanks a lot for your help!

The activity seems to have stopped now. Maybe it was a system trying to admin a remote system (which it mistakenly thought was at my IP)?

I didn't log anything to file (dumb, dumb, I know), so I'll check regularly to see wether it happens again.

Thanks a lot for your help! (and it was my first tcpdump too

)

04-14-2004, 01:06 PM	#4 (permalink)
Yakk Wehret Den Anfängen! Location: Ontario, Canada	22:18:19.032975 81.134.108.43.20500 > my-ip.1439: P 130706573:130706575(2) ack 154129622 win 16295 (DF) 130706573:130706575(2) are sequence numbers. (2) is the amount of data in this packet. ack 154129622 this is the sequence number the remote computer knows the client computer knows about. (ie, he is waiting for any ack after this). win 16295 He has 16 k of buffer space availiable for responses. The "P" means a "push" packet. I don't know what that means. After tcpdump sees a new conversation, all later sequence numbers are relative to the numbers in the start of the conversation. That is why all the other packets have such low sequence numbers: tcpdump is making it easier for humans to read. 22:18:19.041908 my-ip.1439 > 81.134.108.43.20500: . ack 147 win 64089 (DF) ack 147 means "I have heard up to sequence number 147". "." means no flags set. Dunno what (DF) means. my-ip.1439 > 81.134.108.43.20500 means this is a packet going from my-up port 1439 to 81.134.108.43 port 20500. __________________ Last edited by JHVH : 10-29-4004 BC at 09:00 PM. Reason: Time for a rest.

04-14-2004, 01:10 PM	#5 (permalink)
Silvy paranoid Location: The Netherlands	Right! I see it. I knew how the ports worked (that's why I found the Eicon reference earlier), but the sequence numbers and how to read the acks (as in "which packet does this ack belong to") baffled me. I got a lot more packets dumped, I'll see if I can interpret them on my own for now... Thanks a lot!! __________________ "Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace. " - Murphy MacManus (Boondock Saints)

04-14-2004, 01:34 PM	#7 (permalink)
Silvy paranoid Location: The Netherlands	Thanks a lot for your help! The activity seems to have stopped now. Maybe it was a system trying to admin a remote system (which it mistakenly thought was at my IP)? I didn't log anything to file (dumb, dumb, I know), so I'll check regularly to see wether it happens again. Thanks a lot for your help! (and it was my first tcpdump too ) __________________ "Do not kill. Do not rape. Do not steal. These are principles which every man of every faith can embrace. " - Murphy MacManus (Boondock Saints)