18 Apr 2002, 9:38 p.m.
Starting Tuesday night, we started getting complaints from customers in a specific net block of our network, all of whom were running small "personal" firewalls (Netgear, Linksys, etc.), about:
Someone on that network is scanning/flooding it hard... probably from a hacked box spoofing IPs. The last one I had was a Linux box with a 'udp.pl' running from a pseudo-root account. As it was not actually making connections, many of the traffic/monitoring tools had a hard time identifying it. We found it using ntop (ntop.org) and the packet stats on the Ethernet switches.
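Added example, not from the thread: the signature the reply describes (one switch port emitting almost nothing but connectionless UDP whose source addresses cannot belong to the local block) as a small Python check over a constructed packet sample. The port names, the 192.0.2.0/24 customer prefix, the function names and the thresholds are all assumptions made for illustration.

```python
"""Flag switch ports carrying UDP traffic with spoofed (non-local) source addresses."""
import ipaddress
from collections import Counter, defaultdict

# Constructed local customer block for this example (documentation prefix).
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")

# Constructed packet sample as a switch port mirror would show it:
# (ingress_port, src_ip, dst_ip, proto).
SAMPLE = [
    # gi0/3: an ordinary customer host, its own address as source, mostly TCP
    ("gi0/3", "192.0.2.30", "198.51.100.10", "tcp"),
    ("gi0/3", "192.0.2.30", "198.51.100.10", "tcp"),
    ("gi0/3", "192.0.2.30", "198.51.100.53", "udp"),  # one DNS lookup
    # gi0/7: a compromised host (192.0.2.77) with a real SSH session ...
    ("gi0/7", "192.0.2.77", "203.0.113.9", "tcp"),
    ("gi0/7", "192.0.2.77", "203.0.113.9", "tcp"),
]
# ... plus a UDP flood toward a victim, every packet with a random bogus source.
SAMPLE += [
    ("gi0/7", f"198.18.{i % 256}.{(i * 7) % 256}", "203.0.113.5", "udp")
    for i in range(200)
]


def port_profiles(records, local_net=LOCAL_NET):
    """Per ingress port: packet count, UDP share, share of packets whose source
    is outside local_net, and number of distinct source addresses seen."""
    pkts, udp, foreign = Counter(), Counter(), Counter()
    sources = defaultdict(set)
    for port, src, _dst, proto in records:
        pkts[port] += 1
        sources[port].add(src)
        if proto == "udp":
            udp[port] += 1
        if ipaddress.ip_address(src) not in local_net:
            foreign[port] += 1
    return {p: {"packets": n, "udp_share": udp[p] / n,
                "foreign_src_share": foreign[p] / n,
                "distinct_sources": len(sources[p])} for p, n in pkts.items()}


def suspect_ports(records, local_net=LOCAL_NET, min_packets=50):
    """Ports whose traffic is nearly all UDP from addresses that cannot originate
    on this segment. A flooder never completes a connection, so session-based
    tools miss it; raw per-port packet counters and source addresses do not."""
    return sorted(port for port, s in port_profiles(records, local_net).items()
                  if s["packets"] >= min_packets
                  and s["udp_share"] > 0.9 and s["foreign_src_share"] > 0.5)
```

With real data the records would come from a port mirror or ntop's per-host view rather than the embedded list; the thresholds are a starting point, not tuned values.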