toolssite.blogg.se

Port unreplied

Also, you may wish to read this post, including the answers, to get some more tips.

I noticed a massive amount of UDP traffic on port 123 that I have no idea where is coming from.

In my definition of massive, this would mean you see traffic on port 123 consistently every second, e.g. over a whole minute.

And you say you have not requested this. For example you have not listed yourself as a public NTP server :). Or configured 5+ other computers to use this NTP server, and been watching the traffic when all 5 are turned on at the same time.

If so, there is another possibility that could explain this. Someone could be trying to use your computer as part of a flooding attack on someone else. Top Google results include explanations from companies like Cloudflare, who sell services protecting websites from flooding attacks. (I've seen this happen myself but with uPNP traffic, UDP port 1900, on a consumer router with a bad configuration.)

At this point, my assumption is that attackers are still trying to use you and will continue for some time. If you block them half-way through an attack, they won't necessarily get any signal that this has happened. They might notice later on, when they re-scan for amplifying NTP servers they can use.

It sounds as if your router config change just didn't work for some reason.

I guess the port forward I made on my router took a while to kick in.


Also, changing the default port for ssh connections makes you invisible at least to script kiddies (although any determined opponent will never be fooled by such a stratagem).


This avoids the ability of some malware to evade detection by anti-malware programs because the disk on which the malware resides is being used passively, i.e. the programs on it are not being run.

Also, remember that password protection (fail2ban notwithstanding) is not sufficient protection nowadays, and that you should always use cryptographic keys instead.


Then what you have been observing is nearly surely illegal activity.

UDP/123 being an IANA-assigned port, it cannot be used by any other legitimate application: the Official IANA port assignment page states:

Assigned ports both System and User ports SHOULD NOT be used without

(System ports are defined higher up in the same document as ports in the range 0-1023).

Port TCP/123 is used by a well-known piece of malware, showing that in compromised systems where root credentials have been obtained System ports are routinely used to smuggle illicit traffic. There are many plausible reasons for using UDP instead of TCP, possibly the most important one of which is the use of an encrypted VPN (in which case wireshark will not help you in the least), and for using a System Port (it is easier to evade detection if you use an innocent port).

More than wireshark, your friend is ss:

    ss -lnup | grep 123

will give you the ID of the process listening on port UDP/123. Anything but ntp, or, worse still, nothing, will mean you have been broken into. But we'll cross that bridge when we get there.

A follow-up to your comment. These pieces of evidence suggest you have been hacked:

  1. A mysterious service running on UDP/123, leaving no trace (which suggests the presence of a rootkit);
  2. A mysterious port-forwarding appearing on your router;
  3. Connections from consumer accounts (check them on or with whois command).

BTW, none of the three IP addresses you provided is even remotely connected with an ntp server.

Your safest bet is to re-install your operating system, then change the configuration (including password!!) of your router (possibly disabling password login altogether in favor of the use of cryptographic keys) to allow only https connections.

If you do not wish to re-install the OS because you have sensitive data, then take any Linux distribution running from a USB stick (Ubuntu is just fine), boot your PC from it (not from your hard disk), install clamav, rkhunter and chkroot on the USB key, and set them to work on your hard disk.













