| Thread ID: 39569 | 2003-11-10 23:49:00 | How do I find who's been leeching off my proxy? | Chilling_Silently (228) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 190787 | 2003-11-10 23:49:00 | I noticed my internet was trailing and yet no machines were in use.. The LAN light on my router was going hard out. I suspected Cyberchuck was using SSH or FTP, but alas, I ran top and it said nothing, but squid was using 6% cpu. I stopped it and it was fine, immediately my downloads were at 18KB/s!!! Next, I decided to check who'd been using me for mass surfing/downloads so I've made a backup of my access.log for squid and here's a bit more details. I'd like some help tracking down who's jumped on me? I've since blocked access to squid through the router, so nobody can do it again, but I'd still like to know who's been riding on me? Here's some more details:

bash-2.05b$ tail /usr/local/squid/var/logs/access.log
1068507305.119  26673 205.138.96.44 TCP_MISS/200 429 CONNECT 195.85.130.71:25 - DIRECT/195.85.130.71 -
1068507305.250  66646 205.138.96.44 TCP_MISS/200 348 CONNECT 66.218.86.254:25 - DIRECT/66.218.86.254 -
1068507305.263  64850 205.138.96.54 TCP_MISS/200 310 CONNECT 66.218.86.254:25 - DIRECT/66.218.86.254 -
1068507305.308  49920 66.159.16.34 TCP_MISS/200 671 CONNECT 65.54.166.230:25 - DIRECT/65.54.166.230 -
1068507305.390  64619 205.138.96.44 TCP_MISS/200 200 CONNECT 208.51.202.244:25 - DIRECT/208.51.202.244 -
1068507306.482  14342 205.138.96.44 TCP_MISS/200 348 CONNECT 66.218.86.254:25 - DIRECT/66.218.86.254 -
1068507306.996  30953 205.138.96.46 TCP_MISS/200 217 CONNECT 213.193.13.87:25 - DIRECT/213.193.13.87 -
1068507307.113  49732 66.159.16.34 TCP_MISS/200 694 CONNECT 211.43.197.77:25 - DIRECT/211.43.197.77 -
1068507307.254  52063 205.138.96.54 TCP_MISS/200 39 CONNECT 207.115.63.92:25 - DIRECT/207.115.63.92 -
1068507552.072  60918 192.168.0.2 TCP_MISS/200 430 GET pressf1.pcworld.co.nz - DIRECT/210.48.100.45 text/html
bash-2.05b$
bash-2.05b$ ping 205.138.96.54
PING 205.138.96.54 (205.138.96.54) 56(84) bytes of data.
64 bytes from 205.138.96.54: icmp_seq=2 ttl=109 time=271 ms

--- 205.138.96.54 ping statistics ---
3 packets transmitted, 1 received, 66% packet loss, time 2020ms
rtt min/avg/max/mdev = 271.742/271.742/271.742/0.000 ms
bash-2.05b$ ping 66.159.16.34
PING 66.159.16.34 (66.159.16.34) 56(84) bytes of data.

--- 66.159.16.34 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4037ms
bash-2.05b$
bash-2.05b$ traceroute 205.138.96.54
traceroute to 205.138.96.54 (205.138.96.54), 30 hops max, 38 byte packets
 1  * 192.168.0.1 (192.168.0.1)  43.126 ms  43.736 ms
 2  202-49-181-126.adsl.ihug.co.nz (202.49.181.126)  40.008 ms  41.741 ms  42.144 ms
 3  192.168.253.225 (192.168.253.225)  43.821 ms  43.956 ms  43.871 ms
 4  192.168.254.42 (192.168.254.42)  48.142 ms  *  44.887 ms
 5  v-93-tig-nz-akl-core-1.ihug.net (203.109.156.145)  45.864 ms  45.885 ms  43.973 ms
 6  * 203-109-156-98.ihug.net (203.109.156.98)  45.631 ms  45.711 ms
 7  g0-1-0-1032.icore2.tspn.telstraclear.net (203.98.23.113)  45.937 ms  *  44.513 ms
 8  ge0-0-0.nzsx-core1.akl.telstraclear.net (203.98.4.3)  46.102 ms  45.770 ms  45.985 ms
 9  i-4-0-0.akl-core02.net.reach.com (202.84.219.82)  45.965 ms  45.875 ms  45.983 ms
10  202.84.219.109 (202.84.219.109)  171.982 ms  171.971 ms  171.963 ms
11  i-3-1.wil03.net.reach.com (202.84.251.182)  172.056 ms  171.940 ms  173.977 ms
12  sl-gw28-ana-10-0.sprintlink.net (144.223.58.221)  202.082 ms  201.882 ms  205.243 ms
13  sl-bb24-ana-5-0.sprintlink.net (144.232.1.49)  202.868 ms  205.891 ms  202.052 ms
14  sl-st21-la-14-0.sprintlink.net (144.232.20.126)  203.970 ms  204.950 ms  204.030 ms
15  bpr2-so-3-0-0.LosAngelesEquinix.cw.net (208.174.196.73)  202.053 ms  203.943 ms  203.900 ms
16  208.172.35.49 (208.172.35.49)  202.135 ms  *  204.950 ms
17  208.173.57.61 (208.173.57.61)  202.044 ms  *  202.769 ms
18  dcr2-ae2-0.LosAngeles.cw.net (208.172.47.65)  202.044 ms  203.930 ms  204.026 ms
19  dcr1-loopback.Chicago.cw.net (208.172.2.99)  250.048 ms  252.862 ms  253.192 ms
20  bcr2-so-0-0-0.Toronto.cw.net (208.175.10.106)  276.041 ms  275.906 ms  274.087 ms
21  iar1-so-1-3-0.Toronto.cw.net (208.175.169.142)  274.251 ms  273.944 ms  274.076 ms
22  205.138.96.54 (205.138.96.54)  273.258 ms  271.922 ms  272.118 ms
bash-2.05b$
root@AMD1700:~# cp /usr/local/squid/var/logs/access.log /root/

How do I get in contact with this person's ISP or whatever? I'm not annoyed or anything, but I'd just like to know why I've got Joe Bloggs or whoever from Toronto using my internet connection?? What should I do about it too?

Chill. | Chilling_Silently (228) |
| 190788 | 2003-11-11 00:19:00 | I think it's a spammer using you as a relay because the outbound connections are all port 25 (SMTP). I'm not sure why it was showing up in the squid logs. I think you need to do a security check on your system, and shutdown or firewall all unneeded services. "netstat -l" will show you all listening services. | bmason (508) |
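One way to answer the question in the first post from the log itself, and to confirm bmason's reading of it: an added Python script, not something posted in the thread. It parses Squid's native access.log format, drops clients inside the LAN range (assumed here to be 192.168.0.0/24, the range visible in the traceroute), and counts per outside client how many requests there were and how many were CONNECT tunnels to port 25. The log lines embedded in it are constructed to match the shape of the tail output above, and the report it prints is the list of addresses worth putting into whois.

```python
#!/usr/bin/env python3
"""Summarise who used a Squid proxy from its native-format access.log.

Added example, not code from the thread. The sample log lines below are
constructed to match the format in the first post (Squid 2.x native log:
time elapsed client code/status bytes method url rfc931 peer type).
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample, same shape as the thread's `tail access.log` output.
SAMPLE_LOG = """\
1068507305.119  26673 205.138.96.44 TCP_MISS/200 429 CONNECT 195.85.130.71:25 - DIRECT/195.85.130.71 -
1068507305.250  66646 205.138.96.44 TCP_MISS/200 348 CONNECT 66.218.86.254:25 - DIRECT/66.218.86.254 -
1068507305.263  64850 205.138.96.54 TCP_MISS/200 310 CONNECT 66.218.86.254:25 - DIRECT/66.218.86.254 -
1068507305.308  49920 66.159.16.34 TCP_MISS/200 671 CONNECT 65.54.166.230:25 - DIRECT/65.54.166.230 -
1068507552.072  60918 192.168.0.2 TCP_MISS/200 430 GET http://pressf1.pcworld.co.nz/ - DIRECT/210.48.100.45 text/html
"""

# Ranges allowed to use this proxy (assumption: the 192.168.0.0/24 seen in
# the traceroute above; adjust to your own LAN).
LAN_NETWORKS = [ipaddress.ip_network("192.168.0.0/24")]


def parse_line(line):
    """Split one native-format line into a dict, or return None if malformed."""
    parts = line.split()
    if len(parts) < 10:
        return None
    try:
        return {
            "time": float(parts[0]),
            "elapsed_ms": int(parts[1]),
            "client": parts[2],
            "result": parts[3],
            "bytes": int(parts[4]),
            "method": parts[5],
            "url": parts[6],
            "peer": parts[8],
        }
    except ValueError:
        return None


def is_lan_client(addr):
    """True only for addresses inside LAN_NETWORKS; garbage never counts as LAN."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETWORKS)


def connect_port(url):
    """For a CONNECT request the 'URL' is host:port; return the port or None."""
    host, sep, port = url.rpartition(":")
    return int(port) if sep and port.isdigit() else None


def summarize(log_text):
    """Count requests per non-LAN client and their CONNECT tunnels to port 25."""
    outsiders = Counter()
    smtp_connects = Counter()
    smtp_targets = defaultdict(set)
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_lan_client(rec["client"]):
            continue
        client = rec["client"]
        outsiders[client] += 1
        first_seen.setdefault(client, rec["time"])
        if rec["method"] == "CONNECT" and connect_port(rec["url"]) == 25:
            smtp_connects[client] += 1
            smtp_targets[client].add(rec["url"].rpartition(":")[0])
    return {
        "outsiders": dict(outsiders),
        "smtp_connects": dict(smtp_connects),
        "smtp_targets": {c: sorted(t) for c, t in smtp_targets.items()},
        "first_seen": first_seen,
    }


def report(summary):
    """One line per outside client, most active first: the whois candidates."""
    lines = []
    for client, n in sorted(summary["outsiders"].items(), key=lambda kv: -kv[1]):
        when = datetime.fromtimestamp(summary["first_seen"][client], timezone.utc)
        smtp = summary["smtp_connects"].get(client, 0)
        lines.append(f"{client:<16} requests={n:<4} smtp_connects={smtp:<4} "
                     f"first_seen={when:%Y-%m-%d %H:%M:%S}Z")
    return lines


if __name__ == "__main__":
    for line in report(summarize(SAMPLE_LOG)):
        print(line)
```

Run it against the real file with `summarize(open("/usr/local/squid/var/logs/access.log").read())`; any client that shows up with a non-zero smtp_connects count and is not on the LAN is the relay traffic bmason describes.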
| 190789 | 2003-11-11 00:32:00 |
> I suspected Cyberchuck was using SSH or FTP, but alas, I ran top and it said
> nothing, but squid was using 6% cpu.

Whatever happened to don't shoot the Chucky? I mean really.. Although I did get hold of a few good files earlier last night thanks :p.. I use Squid Graph and Squid log for checking my files - there's also a few good programs for doing this at www.squid-cache.org

I'd be more worried about the ports of the IPs that were getting connections - 25 (which as we all know is SMTP).. The reverse DNS for some of those IPs returns SMTP mailing servers which would lead me personally to believe you were acting as a proxy for someone with a lot of mail to send. (Oh yeah, by the way - a quick reverse DNS proggy for Linux is 'host' - eg: $ host 210.48.100.45 - this just saves on traceroute :D)

I would have no idea what you could effectively do about it - it'd be like not securing a mail server and having it used as a spam relay - at the end of the day there's little that can be done except securing it down. So, I suppose here are some options:
1 - enable squid access to your LAN only - don't allow it reverse access through the firewall/router/etc.
2 - Authentication with Squid (users are required to enter a username/pwd before being allowed access)

CyberChuck | cyberchuck (173) |
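Cyberchuck's two options as they look in squid.conf, added here as an example rather than anything posted in the thread. It assumes the LAN is 192.168.0.0/24 and the proxy box is 192.168.0.1 (taken from the traceroute above), the /usr/local/squid tree shown in the first post, and the ncsa_auth helper that ships with Squid 2.5; the Safe_ports and SSL_ports lists are Squid's stock defaults. The CONNECT rule is the one that matters for the log above: it refuses tunnels to anything but the SSL ports, so host:25 is denied even for LAN clients.

```conf
# --- Weak: what an open proxy effectively runs with ---
http_access allow all

# --- Corrected ---
# Listen on the LAN interface only (assumption: 192.168.0.1 is this box).
http_port 192.168.0.1:3128

acl all        src 0.0.0.0/0.0.0.0
acl lan        src 192.168.0.0/24
acl SSL_ports  port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT    method CONNECT

# Option 1: LAN only. Rules are evaluated top down; the first match wins.
http_access deny  !Safe_ports
# Refuse CONNECT to anything but the SSL ports: this blocks CONNECT host:25.
http_access deny  CONNECT !SSL_ports
http_access allow lan
http_access deny  all

# Option 2, in place of "http_access allow lan": LAN plus a username/password.
# Helper and password-file paths are assumptions for a /usr/local/squid install.
# auth_param basic program /usr/local/squid/libexec/ncsa_auth /usr/local/squid/etc/passwd
# auth_param basic realm Squid proxy
# acl authenticated proxy_auth REQUIRED
# http_access allow lan authenticated
```

After editing, `squid -k parse` checks the file and `squid -k reconfigure` applies it; keep the router-side block from the first post in place as well, so the proxy is not reachable from the outside even if the ACLs are later loosened by mistake.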
| 190790 | 2003-11-11 00:33:00 | What do you do about it? You don't connect to the Internet without having only the ports which you want to have open actually open to the outside world. That's what firewalls do. That's what access lists in various servers do. :_| If the access is there, people will find it. Then they'll use it. :D There's a very good firewall --- the Ultimate Firewall. (It involved using a pair of cutters ... ;-)). Have a look at this site (http://www.ranum.com/). You might have to search a bit for the article, because he changed the site since google indexed it (and I haven't got my piece of paper with me giving the exact place). But there's lots of good stuff there. | Graham L (2) |
| 190791 | 2003-11-11 00:51:00 | Set up your proxy/firewall/system properly. whois will tell what you're wanting.

$ whois 205.138.96.44
OrgName:    Cable & Wireless
OrgID:      CWUS
Address:    3300 Regency Pkwy
City:       Cary
StateProv:  NC
PostalCode: 27511
Country:    US

NetRange:   205.138.0.0 - 205.140.255.255
CIDR:       205.138.0.0/15, 205.140.0.0/16
NetName:    CW-03BLK
NetHandle:  NET-205-138-0-0-1
Parent:     NET-205-0-0-0-0
NetType:    Direct Allocation
NameServer: NS.CW.NET
NameServer: NS2.CW.NET
NameServer: NS3.CW.NET
NameServer: NS4.CW.NET
NameServer: NS5.CW.NET
Comment:
RegDate:    1995-02-15
Updated:    2002-10-23

TechHandle: IA3-ORG-ARIN
TechName:   Cable & Wireless US
TechPhone:  +1-800-977-4662
TechEmail:  ipadmin@clp.cw.net

OrgAbuseHandle: SPAMC-ARIN
OrgAbuseName:   SPAM COMPLAINTS
OrgAbusePhone:  +1-800-977-4662
OrgAbuseEmail:  abuse@cw.net

OrgNOCHandle: NOC99-ARIN
OrgNOCName:   Network Operations Center
OrgNOCPhone:  +1-800-977-4662
OrgNOCEmail:  trouble@cw.net

OrgTechHandle: UIAA-ARIN
OrgTechName:   US IP Address Administration
OrgTechPhone:  +1-800-977-4662
OrgTechEmail:  ipadmin@clp.cw.net

OrgTechHandle: GIAA-ARIN
OrgTechName:   Global IP Address Administration
OrgTechPhone:  +1-919-465-4096
OrgTechEmail:  ip@gnoc.cw.net

# ARIN WHOIS database, last updated 2003-11-09 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
| -=JM=- (16) |
| 190792 | 2003-11-11 01:40:00 |
> I suspected Cyberchuck was using SSH or FTP

I was also using your proxy & FTP, the only day (the day that powa said about the Jet start speed boost) (but my IP address (202.89.63.***) is not on there :D so it was not me). | stu140103 (137) |
| 190793 | 2003-11-12 02:22:00 |
> > What should I do about it too?
> What a dumbass! How about securing your network! :-)
| BIFF (1) |
| 190794 | 2003-11-12 03:28:00 | I wouldn't call Chilling_silently a dumbass, he probably is twice as smart as. Remember the rules???? |
ilikelinux (1418) | ||
| 190795 | 2003-11-12 03:35:00 | Chilling_Silently is asking a legitimate question to see what ideas people have to help him. There's no need to hurl abuse at people. | somebody (208) | ||
| 190796 | 2003-11-12 04:53:00 | BIFF> I had actually opened it up so I could test if my setup was 100% working... Show me your proxy buddy! |
Chilling_Silently (228) | ||