[BUGS] Strange NIC behavior

Jerahmy Pocott quakenet1 at optusnet.com.au
Mon Jan 14 04:00:27 EST 2008


Hmm,

I've noticed in my security logs recently messages saying that fxp0
link state changed to down/up a number of times.. At first I didn't
think much of it but it has continued to happen.. There is also a
massive amount of ntpd messages in /var/log/messages..

Here is a snippet:

Jan 13 11:15:59 beastie ntpd[540]: kernel time sync enabled 6001
Jan 13 11:33:03 beastie ntpd[540]: kernel time sync enabled 2001
Jan 13 12:58:29 beastie ntpd[540]: kernel time sync enabled 6001
Jan 13 13:15:33 beastie ntpd[540]: kernel time sync enabled 2001
Jan 13 14:44:41 beastie kernel: fxp0: link state changed to DOWN
Jan 13 14:44:43 beastie kernel: fxp0: link state changed to UP
Jan 13 14:48:11 beastie kernel: fxp0: link state changed to DOWN
Jan 13 14:48:12 beastie kernel: fxp0: link state changed to UP
Jan 13 14:58:00 beastie ntpd[540]: kernel time sync enabled 6001
Jan 13 15:15:05 beastie ntpd[540]: kernel time sync enabled 2001
Jan 13 17:31:42 beastie ntpd[540]: kernel time sync enabled 6001
Jan 13 17:48:47 beastie ntpd[540]: kernel time sync enabled 2001

I'm not sure why the time sync keeps changing between 6001 and 2001?  
It is happening constantly.. But there are also a number of these  
cases, always in pairs like you can see here where the link state  
changes to down, then to up, then to down, then back up again ALWAYS  
spaced 4 minutes apart from each other with the link coming back up  
within 1-2 seconds. This seems to be happening every 2-6 hours!

Since it's always 4 minutes between the two up/down cycles this has to  
be some sort of programmed behavior..

I've also been experiencing a very large volume of brute force attacks
on this machine's sshd, seeming to be coming from Taiwan.. Could this
be related somehow? Perhaps it's some sort of attack?

Cheers,
J.
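
Added example (not part of the original post): one way to measure the pattern described above from the log itself, by pairing each fxp0 DOWN with the following UP and timing both the outage and the gap between cycles. The sample lines are copied from the snippet in the post; the function names and the year 2008 (syslog timestamps carry no year, so it is taken from the post date) are assumptions.

```python
import re
from datetime import datetime

# Lines copied from the log snippet in the post; ntpd lines are kept to show
# that unrelated entries are skipped.
SAMPLE = """\
Jan 13 13:15:33 beastie ntpd[540]: kernel time sync enabled 2001
Jan 13 14:44:41 beastie kernel: fxp0: link state changed to DOWN
Jan 13 14:44:43 beastie kernel: fxp0: link state changed to UP
Jan 13 14:48:11 beastie kernel: fxp0: link state changed to DOWN
Jan 13 14:48:12 beastie kernel: fxp0: link state changed to UP
Jan 13 14:58:00 beastie ntpd[540]: kernel time sync enabled 6001
"""

LINK_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (\w+): "
    r"link state changed to (UP|DOWN)$"
)

def link_flaps(text, iface="fxp0", year=2008):
    """Return (down_time, up_time) for every DOWN followed by an UP on iface."""
    pending = None          # time of the DOWN still waiting for its UP
    flaps = []
    for line in text.splitlines():
        m = LINK_RE.match(line.strip())
        if not m or m.group(2) != iface:
            continue
        # Assumed year: classic syslog timestamps do not record one.
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if m.group(3) == "DOWN":
            pending = when
        elif pending is not None:
            flaps.append((pending, when))
            pending = None
    return flaps

def summarize(flaps):
    """Outage length per flap and gap between consecutive DOWNs, in seconds."""
    outages = [int((up - down).total_seconds()) for down, up in flaps]
    gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(flaps, flaps[1:])]
    return outages, gaps

if __name__ == "__main__":
    flaps = link_flaps(SAMPLE)
    outages, gaps = summarize(flaps)
    for (down, up), secs in zip(flaps, outages):
        print(f"fxp0 down {down:%b %d %H:%M:%S}, back up after {secs}s")
    print("seconds between consecutive DOWN events:", gaps)
```

Run over the full /var/log/messages rather than the snippet, the same two lists show whether the outage length and the spacing between cycles stay constant across days.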

