LinuxSir.cn
Are these symptoms a sign that I've been compromised?

Posted 2007-11-20 13:24:06
Hi everyone. I'm running openSUSE 10.3. Yesterday I installed an eMule client, and since then the following has been happening:

1. I had not started any program that uses the network, yet the modem's lights kept flashing. When I captured packets with tcpdump, the traffic always involved the same few IP addresses. Unfortunately I did not keep that tcpdump output.
2. After booting, without having dialled the PPPoE connection (I use rp-pppoe), the system keeps sending and receiving packets. Here is a tcpdump I just captured:

linux-6oa3:/home/myt # tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:05:05.231954 PPPoE  [ses 0x2ea1] IP 219.145.113.175.jaleosnd > 219.145.48.224.netbios-ssn: S 3925488209:3925488209(0) win 64800 <mss 1440,nop,nop,sackOK>
13:05:08.176237 PPPoE  [ses 0x2ea1] IP 219.145.113.175.jaleosnd > 219.145.48.224.netbios-ssn: S 3925488209:3925488209(0) win 64800 <mss 1440,nop,nop,sackOK>
13:05:09.952353 PPPoE  [ses 0x2ea1] IP 72.64.57.211 > 219.145.48.224: ICMP echo request, id 50381, seq 4202, length 72
13:05:11.358409 PPPoE  [ses 0x33b2] IP 72.64.57.211 > 219.145.49.37: ICMP echo request, id 50381, seq 21866, length 72
13:05:11.918483 PPPoE  [ses 0x2ea1] IP 71.98.49.161 > 219.145.48.224: ICMP echo request, id 50957, seq 38494, length 72
13:05:18.356445 PPPoE  [ses 0x408b] IP 72.64.57.211 > 219.145.50.202: ICMP echo request, id 50381, seq 63595, length 72
13:05:20.002585 PPPoE  [ses 0x408b] IP 71.98.49.161 > 219.145.50.202: ICMP echo request, id 50957, seq 32352, length 72
13:05:21.448906 IP 169.254.173.168.mdns > 224.0.0.251.mdns: 0 SRV (QM)? _domain._udp.local. (36)
13:05:21.552879 IP 169.254.173.168.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 168.173.254.169.in-addr.arpa. (46)
13:05:22.036773 PPPoE  [ses 0x11f8] IP 72.64.57.211 > 219.145.51.205: ICMP echo request, id 50381, seq 64108, length 72
13:05:22.552913 IP 169.254.173.168.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 168.173.254.169.in-addr.arpa. (46)
13:05:23.226818 PPPoE  [ses 0x11f8] IP 71.98.49.161 > 219.145.51.205: ICMP echo request, id 50957, seq 32865, length 72
13:05:24.561102 IP 169.254.173.168.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 168.173.254.169.in-addr.arpa. (46)
13:05:27.704886 PPPoE  [ses 0x408b] IP 219.145.140.106.pearldoc-xact > 219.145.50.202.ssc-agent: S 416412737:416412737(0) win 65535 <mss 1440,nop,nop,sackOK>
13:05:28.196713 PPPoE  [ses 0x408b] LCP, Echo-Request (0x09), id 52, length 10
13:05:28.565395 IP 169.254.173.168.mdns > 224.0.0.251.mdns: 0 PTR (QM)? 168.173.254.169.in-addr.arpa. (46)
13:05:40.991413 PPPoE  [ses 0x2ea1] IP 220.174.114.240.pslserver > 219.145.48.224.spw-dialer: S 2833917410:2833917410(0) win 65535 <mss 1452,nop,wscale 2,nop,nop,sackOK>
13:05:41.227244 PPPoE  [ses 0x2ea1] IP 220.174.114.240.pctrader > 219.145.48.224.spw-dialer: UDP, length 14
13:05:43.883408 PPPoE  [ses 0x2ea1] IP 220.174.114.240.pslserver > 219.145.48.224.spw-dialer: S 2833917410:2833917410(0) win 65535 <mss 1452,nop,wscale 2,nop,nop,sackOK>
13:05:45.099290 PPPoE  [ses 0x2ea1] IP 220.174.114.240.pctrader > 219.145.48.224.spw-dialer: UDP, length 14
13:05:46.185432 PPPoE  [ses 0x2ea1] LCP, Echo-Request (0x09), id 96, length 10
13:05:48.037470 PPPoE  [ses 0x2ea1] IP 220.174.114.240.pctrader > 219.145.48.224.spw-dialer: UDP, length 14
13:05:49.925464 PPPoE  [ses 0x2ea1] IP 220.174.114.240.pslserver > 219.145.48.224.spw-dialer: S 2833917410:2833917410(0) win 65535 <mss 1452,nop,wscale 2,nop,nop,sackOK>
13:05:51.741677 PPPoE  [ses 0x2ea1] IP 220.174.114.240.pctrader > 219.145.48.224.spw-dialer: UDP, length 14
13:05:58.485930 PPPoE  [ses 0x2ea1] IP 124.111.88.146 > 219.145.48.224: ICMP echo request, id 512, seq 44584, length 72
13:06:01.485896 PPPoE  [ses 0x33b2] IP 124.111.88.146 > 219.145.49.37: ICMP echo request, id 512, seq 62248, length 72
13:06:09.472246 PPPoE  [ses 0x2a2] IP 124.111.88.146 > 219.145.50.162: ICMP echo request, id 512, seq 28458, length 72
13:06:09.984070 PPPoE  [ses 0x408b] IP 124.111.88.146 > 219.145.50.202: ICMP echo request, id 512, seq 38442, length 72
13:06:16.166280 PPPoE  [ses 0x2a2] LCP, Echo-Request (0x09), id 29, length 10
13:06:25.449014 IP 169.254.173.168.mdns > 224.0.0.251.mdns: 0 SRV (QM)? _domain._udp.local. (36)
13:07:13.130380 PPPoE  [ses 0x33b2] LCP, Echo-Request (0x09), id 92, length 10
13:07:26.500640 PPPoE  [ses 0x2a2] IP 219.145.113.175.adapt-sna > 219.145.50.162.netbios-ssn: S 4271630941:4271630941(0) win 64800 <mss 1440,nop,nop,sackOK>
13:07:29.484808 PPPoE  [ses 0x2a2] IP 219.145.113.175.adapt-sna > 219.145.50.162.netbios-ssn: S 4271630941:4271630941(0) win 64800 <mss 1440,nop,nop,sackOK>
13:07:43.037202 PPPoE  [ses 0x2a2] IP 76.216.132.149 > 219.145.50.162: ICMP echo request, id 512, seq 32466, length 72
13:07:43.465198 PPPoE  [ses 0x408b] IP 76.216.132.149 > 219.145.50.202: ICMP echo request, id 512, seq 42450, length 72
13:07:50.107472 PPPoE  [ses 0x3] LCP, Echo-Request (0x09), id 33, length 10
13:07:55.603547 PPPoE  [ses 0x2a2] IP 219.145.183.5.rfx-lm > 219.145.50.162.epmap: S 2720987058:2720987058(0) win 64800 <mss 1440,nop,nop,sackOK>
13:07:58.665693 PPPoE  [ses 0x2a2] IP 219.145.183.5.rfx-lm > 219.145.50.162.epmap: S 2720987058:2720987058(0) win 64800 <mss 1440,nop,nop,sackOK>
13:08:27.084574 PPPoE  [ses 0x408b] LCP, Echo-Request (0x09), id 53, length 10
13:08:33.448868 IP 169.254.173.168.mdns > 224.0.0.251.mdns: 0 SRV (QM)? _domain._udp.local. (36)


I hope the experts here can take a look: are these signs of an infection?

One last question: could someone explain the meaning of the fields in a few of the packets below? Not all of them, just a few would do. I'd be very grateful! Also, can tcpdump keep the complete packets for the user to inspect, like a sniffer under Windows does?
Thanks!


linux-6oa3:/home/myt # tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
13:17:41.723902 PPPoE  [ses 0x8dc] IP 203.187.178.3.18026 > 219.145.49.19.cifs: UDP, length 77
13:17:43.687648 PPPoE  [ses 0x8dc] IP 60.218.165.44.50839 > 219.145.49.19.cifs: UDP, length 77
13:17:54.147857 PPPoE  [ses 0x8dc] IP 221.5.227.64.ciphire-data > 219.145.49.19.cifs: UDP, length 77
13:17:54.810948 PPPoE  [ses 0x33e4] LCP, Echo-Request (0x09), id 26, length 10
13:17:54.829872 PPPoE  [ses 0x33e4] LCP, Echo-Reply (0x0a), id 26, length 10
13:18:03.724463 PPPoE  [ses 0x33e4] LCP, Echo-Request (0x09), id 2, length 10
13:18:03.724791 PPPoE  [ses 0x33e4] LCP, Echo-Reply (0x0a), id 2, length 10
13:18:14.816747 PPPoE  [ses 0x33e4] LCP, Echo-Request (0x09), id 27, length 10
13:18:14.834560 PPPoE  [ses 0x33e4] LCP, Echo-Reply (0x0a), id 27, length 10
13:18:15.716686 PPPoE  [ses 0x2a2] LCP, Echo-Request (0x09), id 33, length 10
13:18:16.168909 PPPoE  [ses 0x8dc] IP 203.187.178.3.18026 > 219.145.49.19.cifs: UDP, length 77
13:18:22.714957 PPPoE  [ses 0x8dc] IP 60.218.165.44.50839 > 219.145.49.19.cifs: UDP, length 77
13:18:34.017413 PPPoE  [ses 0x8dc] IP 221.5.227.64.ciphire-data > 219.145.49.19.cifs: UDP, length 77
13:18:34.822474 PPPoE  [ses 0x33e4] LCP, Echo-Request (0x09), id 28, length 10
13:18:34.841195 PPPoE  [ses 0x33e4] LCP, Echo-Reply (0x0a), id 28, length 10

15 packets captured
15 packets received by filter
0 packets dropped by kernel
linux-6oa3:/home/myt #
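The summary lines in the captures above have a fixed shape: a timestamp, an optional PPPoE session header, then either an LCP message or `IP src > dst: tail`, where each endpoint is an address followed by a port number or service name and the tail is protocol-specific (`S` is a TCP SYN, `ICMP echo request`, `UDP, length N`, an mDNS query). The parser below, added here as an example and not part of the original post, pulls those fields out of a handful of lines copied from the capture, counts packets per protocol and per targeted service, records which public address each PPPoE session carried, and checks whether any PPPoE-carried packet was sourced from one of those addresses. The `SAMPLE` constant, the function names and the label strings are this example's own.

```python
"""Parse tcpdump one-line summaries of the kind shown in the post and
summarise who is talking to whom.  Added example; not the poster's code."""
import re
from collections import Counter
from typing import Optional, Tuple

# Constructed sample: a few lines copied verbatim from the captures in the post.
SAMPLE = """\
13:05:05.231954 PPPoE  [ses 0x2ea1] IP 219.145.113.175.jaleosnd > 219.145.48.224.netbios-ssn: S 3925488209:3925488209(0) win 64800 <mss 1440,nop,nop,sackOK>
13:05:09.952353 PPPoE  [ses 0x2ea1] IP 72.64.57.211 > 219.145.48.224: ICMP echo request, id 50381, seq 4202, length 72
13:05:21.448906 IP 169.254.173.168.mdns > 224.0.0.251.mdns: 0 SRV (QM)? _domain._udp.local. (36)
13:05:28.196713 PPPoE  [ses 0x408b] LCP, Echo-Request (0x09), id 52, length 10
13:05:41.227244 PPPoE  [ses 0x2ea1] IP 220.174.114.240.pctrader > 219.145.48.224.spw-dialer: UDP, length 14
13:07:55.603547 PPPoE  [ses 0x2a2] IP 219.145.183.5.rfx-lm > 219.145.50.162.epmap: S 2720987058:2720987058(0) win 64800 <mss 1440,nop,nop,sackOK>
13:17:41.723902 PPPoE  [ses 0x8dc] IP 203.187.178.3.18026 > 219.145.49.19.cifs: UDP, length 77
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"               # timestamp
    r"(?:PPPoE\s+\[ses (?P<ses>0x[0-9a-f]+)\]\s+)?"  # optional PPPoE session header
    r"(?P<body>.*)$"
)
IP_RE = re.compile(r"^IP (?P<src>\S+) > (?P<dst>\S+): (?P<payload>.*)$")


def split_endpoint(ep: str) -> Tuple[str, Optional[str]]:
    """'219.145.48.224.netbios-ssn' -> ('219.145.48.224', 'netbios-ssn').
    A bare address has only four dotted parts and carries no port/service."""
    parts = ep.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), parts[4]
    return ep, None


def classify(payload: str, dport: Optional[str]) -> str:
    """Map the protocol-specific tail of a line to a short label."""
    if payload.startswith("ICMP echo request"):
        return "ICMP echo-request"
    if payload.startswith("S "):      # tcpdump prints TCP flags first; 'S' alone = SYN
        return "TCP SYN"
    if dport == "mdns":               # multicast DNS query from the link-local address
        return "mDNS query"
    if payload.startswith("UDP"):
        return "UDP"
    return "other"


def parse_line(line: str) -> Optional[dict]:
    """Return a dict of fields for one summary line, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m["ts"], "ses": m["ses"], "src": None, "sport": None,
           "dst": None, "dport": None, "proto": "other"}
    body = m["body"]
    if body.startswith("LCP"):        # PPP link-control keepalive, no IP payload
        rec["proto"] = "PPPoE LCP"
        return rec
    ip = IP_RE.match(body)
    if not ip:
        return rec
    rec["src"], rec["sport"] = split_endpoint(ip["src"])
    rec["dst"], rec["dport"] = split_endpoint(ip["dst"])
    rec["proto"] = classify(ip["payload"], rec["dport"])
    return rec


def summarise(text: str) -> dict:
    """Count packets per protocol and per targeted service, map each PPPoE
    session id to the public address it carried (the dst of inbound traffic),
    and count packets that the host itself sent over PPPoE."""
    recs = [r for r in map(parse_line, text.splitlines()) if r]
    by_proto = Counter(r["proto"] for r in recs)
    targeted = Counter(r["dport"] for r in recs if r["proto"] in ("TCP SYN", "UDP"))
    session_addr = {r["ses"]: r["dst"] for r in recs if r["ses"] and r["dst"]}
    outbound = sum(1 for r in recs if r["ses"] and r["src"] in session_addr.values())
    return {"packets": len(recs), "by_proto": dict(by_proto),
            "targeted_services": dict(targeted), "session_addr": session_addr,
            "outbound_over_pppoe": outbound}


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE), indent=2))
```

Run on the sample, every packet carried inside a PPPoE session has a public 219.145.x.x address as its destination and none has one as its source, so the summary reports zero outbound PPPoE packets; the only locally originated line is the mDNS query from the link-local 169.254 address. That is the first thing to check when deciding whether a host is infected: whether it initiates connections itself, not whether it receives unsolicited SYNs and echo requests on a public address. For the poster's last question, tcpdump's standard options `-s 0 -w capture.pcap` write whole packets to a file and `tcpdump -r capture.pcap -nn -vv` reads them back with numeric addresses and full decoding.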
Posted 2007-12-8 23:09:24
These are all PPPoE frames, which are normally generated when a broadband connection is in use. Something also keeps using ICMP ECHO to probe the reachability of several IP addresses, and many of them already have a Reply; and judging from the addresses that are pinging each other, routing and forwarding must be in use. It is quite possible that your machine connected to the network automatically at boot time. The possibility of an infection is still there.
I'm not very familiar with Linux (maybe Linux's automatic update system, or some piece of software, can connect you to the network on its own). I'm only giving my opinion from the contents of the packets, and I may be wrong in places. I'm a newbie too, just guessing.