Malformed web-address = evil!


Icarus
04-29-2003, 09:39 AM
Wondering if anyone else has seen anything like this...

This morning I was reading some Slashdot postings, and checking out various links posted. From one of the links I followed one of the links there...then the browser closed. I didn't think too much of it at first (thought it was just some really bad HTML code, but not evil!)

So I shut down the system and went downstairs to make breakfast for my daughter and a pot of coffee for the wife (I stop for espresso every morning on the way to work ;)) and when I went upstairs again I heard the hard drive on my Smoothwall box running like mad.

I turned on the monitor to see why it was going crazy and there was stuff scrolling by quickly. It looked like the same (very long) line repeated over and over and over. Looked like output from IPtables, but didn't bother to look at it very much. I also saw that the DSL modem was going nuts...OK, this wasn't normal...

I killed the Smoothwall and rebooted...to a "LI 10 10 10 10 10 10 10"...great, LILO was toast...reboot again and get the wonderful
"Operating System not found
replace boot disk and press any key to try again"

Wonderful...and the DSL was still going like I was downloading Red Hat CDs.

I plan on reloading Smoothwall tonight when I get home, no big deal...it loads fast and is easy to set up.

So...anyone else see/hear of anything like this? It was almost like that link started running an install over the current OS...I just feel lucky that I had the Smoothwall box in the way of my workstation :eek:

Syngin
04-29-2003, 11:08 AM
Ouch! Thanks for not posting the URL. I've been finding that using shareware (on my Windows box) that comes bundled with spyware has some pretty nasty results too. At one point, it was popping up ad URLs and one of the pages actually installed a program called ClockSync without my knowledge. The fact that a simple URL can do this is really scary.

Icarus
04-29-2003, 02:50 PM
The more I think about it, the more I want to know what happened...

I'm going to throw Knoppix at it when I get home and see what's left of the drive. There has to be some hints as to what happened, that's just too weird.

If anyone has any ideas of what I'm looking for, let me know. So far I'm just going to look at the file structure and (if possible) the firewall logs.

bwkaz
04-29-2003, 07:43 PM
If you find anything, the people running Shorewall will probably want to know. Especially if it was a problem with the firewall itself (some security hole somewhere).

That is strange, that a web request would be able to get your firewall to start overwriting the hard drive device, though...

Icarus
04-29-2003, 10:19 PM
Looks like the files are ok, but the MBR was a bit beaten...I was able to boot it with Knoppix and dig around, even tried to re-install LILO with no success.

Saved off the Snort logs (found some really interesting things there I'm going to dig through later) and re-installed the system. On boot it hung at LILO again doing the "LI 10 10 10 10..." thing, but this time it came up and booted. Could be the bad hardware I'm using (Compaq Deskpro, P133 w/ 40MB of mem) and when it got pounded on, a possible DoS attack maybe, it lost some data off the disks...? Just a guess :)

All the message logs were normal, no errors or anything. Well, back up and running now...and I have the IP address of where it came from, tighten the firewall rules and look into this addy ;)

Icarus
05-01-2003, 01:08 PM
Interesting, anyone good at reading Snort logs?

[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/29-15:24:56.488139 < l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x0 proto: 0x800 len:0x40
66.207.203.5:3613 -> 68.73.***.**:1080 TCP TTL:117 TOS:0x0 ID:2241 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE2C8982 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1412 NOP NOP SackOK
[Xref => http://help.undernet.org/proxyscan/]


68.73.***.** is my address.
This was consistent for about 30 minutes until I killed the connection/power.

bwkaz
05-01-2003, 06:23 PM
Gotta love morons... hmm, the proxy isn't responding right to our information leak request, so let's just keep on probing; maybe the behavior will suddenly change!

:rolleyes:

Anyway, it's a connection to the SOCKS port (1080) of your proxy. Dunno about a lot of the rest of the packet, though -- I think it's just a TCP SYN (if the ******S* is the packet options field, that is...), though I could be wrong.

You might want to visit that web address, too -- the Xref one. Apparently someone was trying to initiate an IRC connection to Undernet.org. Repeatedly. That's how I read the page, anyway... huh. Maybe it wasn't morons scanning the proxy, but morons not being able to connect to IRC and trying repeatedly hoping for a different outcome.
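Added example, not from any poster in this thread: a small Python parser for the Snort full-format alert quoted above. Snort prints the TCP flag column as eight fixed positions, 1 2 U A P R S F (two reserved bits, URG, ACK, PSH, RST, SYN, FIN), with * for a clear bit, so ******S* is a lone SYN, i.e. a bare connection attempt to port 1080. The sample alert is the one from the thread with the poster's own address masking kept, and the parser accepts masked octets.

```python
import re

# Constructed sample: the alert quoted in the thread, with the poster's own masking kept.
SAMPLE_ALERT = """\
[**] [1:615:3] SCAN SOCKS Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
04/29-15:24:56.488139 < l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x0 proto: 0x800 len:0x40
66.207.203.5:3613 -> 68.73.***.**:1080 TCP TTL:117 TOS:0x0 ID:2241 IpLen:20 DgmLen:48 DF
******S* Seq: 0xE2C8982 Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1412 NOP NOP SackOK
[Xref => http://help.undernet.org/proxyscan/]
"""

# Snort's TCP flag column has eight fixed positions, 1 2 U A P R S F
# (two reserved bits, URG, ACK, PSH, RST, SYN, FIN); '*' means that bit is clear.
FLAG_NAMES = ("RES1", "RES2", "URG", "ACK", "PSH", "RST", "SYN", "FIN")

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
# Addresses may be masked with '*' (as the poster did), so accept '*' inside octets.
ADDR_RE = re.compile(r"^([\d.*]+):(\d+) -> ([\d.*]+):(\d+) (\w+) TTL:(\d+)", re.M)
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq: (0x[0-9A-Fa-f]+)", re.M)

def decode_flags(field):
    """Turn a Snort flag column such as '******S*' into the names of the set bits."""
    if len(field) != 8:
        raise ValueError("flag column must be exactly eight characters")
    return tuple(name for name, ch in zip(FLAG_NAMES, field) if ch != "*")

def parse_alert(text):
    """Parse one Snort full-format alert into a dict of the fields a triage needs."""
    h, a, f = HEADER_RE.search(text), ADDR_RE.search(text), FLAGS_RE.search(text)
    if not (h and a and f):
        raise ValueError("not a complete Snort full-format alert")
    return {
        "sid": int(h.group(2)), "rev": int(h.group(3)), "msg": h.group(4),
        "src": a.group(1), "sport": int(a.group(2)),
        "dst": a.group(3), "dport": int(a.group(4)),
        "proto": a.group(5), "ttl": int(a.group(6)),
        "flags": decode_flags(f.group(1)),
    }

def is_bare_syn(alert):
    """A lone SYN is a connection attempt; nothing was exchanged unless a SYN/ACK follows."""
    return alert["flags"] == ("SYN",)

if __name__ == "__main__":
    alert = parse_alert(SAMPLE_ALERT)
    print(alert["msg"], alert["src"], "->", alert["dst"], alert["dport"], alert["flags"])
```

Running it over a saved alert file and counting bare-SYN alerts per source address is a quick way to tell a repeated connection attempt (as in this thread) from a session that actually got answered.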