TrevorH wrote: Then exclude the changed ssh port in my command to the one you used.

I changed that ethX to enp3s3.
It keeps running. I can't even read anything; it is very fast.
TrevorH wrote: Now Ctrl-C it and look at the scroll back for similarities in the packets arriving. Pick out the IP address and the ports involved and see if you can see what is being exploited.
Code:
17:28:24.984795 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 36201, win 340, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984818 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 37649, win 352, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984825 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 39097, win 363, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984888 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 40545, win 374, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984900 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 41993, win 386, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984908 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 43441, win 397, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984914 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 44889, win 408, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984921 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 46337, win 420, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984928 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 47785, win 431, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984943 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 49233, win 442, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984951 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 50681, win 453, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984958 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 52129, win 465, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984992 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 53577, win 476, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985003 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 55025, win 487, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985041 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 56473, win 499, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985095 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 57921, win 510, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985108 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 59369, win 521, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985115 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 60817, win 533, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985123 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 62265, win 544, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985130 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 63713, win 555, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985201 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 65161, win 567, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985246 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 66609, win 578, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985295 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 68057, win 589, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985306 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 69505, win 601, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:24.985350 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 71537, win 616, options [nop,nop,TS val 2373959946 ecr 3762504079], length 0
17:28:25.094181 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 20360, win 48100, length 0
17:28:25.094211 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [P.], seq 30760:33360, ack 2964, win 161, length 2600
17:28:25.094219 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 22960, win 45500, length 0
17:28:25.094225 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 25560, win 49400, length 0
17:28:25.094254 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [.], seq 33360:35960, ack 2964, win 161, length 2600
17:28:25.094263 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [.], seq 35960:38560, ack 2964, win 161, length 2600
17:28:25.094268 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [.], seq 38560:41160, ack 2964, win 161, length 2600
17:28:25.094288 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 28160, win 46800, length 0
17:28:25.094307 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [.], seq 41160:43760, ack 2964, win 161, length 2600
17:28:25.094320 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 30760, win 50700, length 0
17:28:25.094333 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [.], seq 43760:46360, ack 2964, win 161, length 2600
17:28:25.094376 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [.], seq 46360:48960, ack 2964, win 161, length 2600
17:28:25.113383 IP 59.88.215.39.49672 > MY_IP_ADDRESS.80: Flags [.], ack 47227, win 256, options [nop,nop,sack 1 {50067:51487}], length 0
17:28:25.113438 IP MY_IP_ADDRESS.80 > 59.88.215.39.49672: Flags [.], seq 51487:52907, ack 1356, win 140, length 1420
17:28:25.304064 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 33360, win 50700, length 0
17:28:25.304099 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [.], seq 48960:51560, ack 2964, win 161, length 2600
17:28:25.304104 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [P.], seq 51560:51847, ack 2964, win 161, length 287
17:28:25.304106 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 35960, win 48100, length 0
17:28:25.304110 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 38560, win 45500, length 0
17:28:25.304215 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 41160, win 49400, length 0
17:28:25.304227 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 43760, win 46800, length 0
17:28:25.304232 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 46360, win 50700, length 0
17:28:25.304236 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 48960, win 48100, length 0
17:28:25.431556 IP 59.88.215.39.49672 > MY_IP_ADDRESS.80: Flags [.], ack 47227, win 256, options [nop,nop,sack 1 {50067:52907}], length 0
17:28:25.431592 IP MY_IP_ADDRESS.80 > 59.88.215.39.49672: Flags [.], seq 47227:48647, ack 1356, win 140, length 1420
17:28:25.473926 IP 117.208.147.130.34575 > MY_IP_ADDRESS.80: Flags [F.], seq 1720, ack 127688, win 9256, options [nop,nop,TS val 30366065 ecr 3762497801], length 0
17:28:25.474006 IP MY_IP_ADDRESS.80 > 117.208.147.130.34575: Flags [F.], seq 127688, ack 1721, win 141, options [nop,nop,TS val 3762504591 ecr 30366065], length 0
17:28:25.514905 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 51560, win 48100, length 0
17:28:25.534503 ARP, Request who-has 108.61.46.219 tell 108.61.46.217, length 46
17:28:25.581484 IP MY_IP_ADDRESS.80 > 69.171.230.119.45643: Flags [F.], seq 961950923, ack 2179729382, win 122, options [nop,nop,TS val 3762504699 ecr 1515591276], length 0
17:28:25.616973 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 51847, win 50700, length 0
17:28:25.669459 IP 69.171.230.119.45643 > MY_IP_ADDRESS.80: Flags [F.], seq 1, ack 1, win 612, options [nop,nop,TS val 1515666275 ecr 3762504699], length 0
17:28:25.669496 IP MY_IP_ADDRESS.80 > 69.171.230.119.45643: Flags [.], ack 2, win 122, options [nop,nop,TS val 3762504787 ecr 1515666275], length 0
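The step TrevorH describes, picking out the source addresses and ports that recur in the scroll back, can be done mechanically instead of by eye. The following is an added example and not code from this thread or from tcpdump itself: a small Python script that parses tcpdump lines in the exact format shown above (`-nn` style, `src.port > dst.port: Flags [..] ... length N`), keeps only packets arriving at the local host (the `MY_IP_ADDRESS` placeholder is assumed to stand for it), and groups them by source IP and destination port, counting packets, payload bytes, flag mix and the source ports used. It separates pure ACKs (`Flags [.]`, `length 0`) from packets that actually carry data, because almost every inbound line in the dump above is a client acknowledging bytes sent from port 80, which is what an ordinary HTTP response being downloaded looks like, and a triage script should make that visible at a glance. The embedded sample is a handful of lines copied from the dump plus one constructed payload-carrying packet from 203.0.113.7 (a documentation address) so that the data-bearing path is exercised.

```python
import re
from collections import Counter, defaultdict

# Matches the tcpdump -nn IPv4/TCP line format seen in the thread, e.g.
#   17:28:25.094211 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [P.], seq ..., length 2600
# The host field is either a dotted quad or a placeholder such as MY_IP_ADDRESS;
# the trailing ".port" is split off by backtracking on the last dot.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) IP '
    r'(?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): '
    r'Flags \[(?P<flags>[^\]]*)\].*?length (?P<len>\d+)$'
)

# Constructed sample: a few lines copied from the dump in this thread plus one
# made-up payload-carrying packet from a documentation address (203.0.113.7).
SAMPLE = """\
17:28:24.984795 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 36201, win 340, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:24.984818 IP 173.252.120.113.13781 > MY_IP_ADDRESS.80: Flags [.], ack 37649, win 352, options [nop,nop,TS val 2373959945 ecr 3762504079], length 0
17:28:25.094181 IP 1.39.63.41.15269 > MY_IP_ADDRESS.80: Flags [.], ack 20360, win 48100, length 0
17:28:25.094211 IP MY_IP_ADDRESS.80 > 1.39.63.41.15269: Flags [P.], seq 30760:33360, ack 2964, win 161, length 2600
17:28:25.113383 IP 59.88.215.39.49672 > MY_IP_ADDRESS.80: Flags [.], ack 47227, win 256, options [nop,nop,sack 1 {50067:51487}], length 0
17:28:25.473926 IP 117.208.147.130.34575 > MY_IP_ADDRESS.80: Flags [F.], seq 1720, ack 127688, win 9256, options [nop,nop,TS val 30366065 ecr 3762497801], length 0
17:28:25.534503 ARP, Request who-has 108.61.46.219 tell 108.61.46.217, length 46
17:28:26.000000 IP 203.0.113.7.51000 > MY_IP_ADDRESS.80: Flags [P.], seq 1:513, ack 1, win 229, length 512
"""


def parse_line(line):
    """Parse one tcpdump TCP line into a dict; return None for ARP and other non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d['sport'] = int(d['sport'])
    d['dport'] = int(d['dport'])
    d['len'] = int(d['len'])
    return d


def summarize(lines, local='MY_IP_ADDRESS'):
    """Aggregate inbound packets (dst == local) per (source IP, destination port).

    Returns (stats, skipped): stats maps (src, dport) to packet count, payload bytes,
    pure-ACK count, a Counter of TCP flag strings and the set of source ports seen;
    skipped is the number of lines that were not parseable TCP lines.
    """
    stats = defaultdict(lambda: {
        'packets': 0, 'payload_bytes': 0, 'pure_acks': 0,
        'flags': Counter(), 'src_ports': set(),
    })
    skipped = 0
    for line in lines:
        p = parse_line(line)
        if p is None:
            skipped += 1
            continue
        if p['dst'] != local:
            continue  # outbound (server -> client) packets are not what we are triaging
        s = stats[(p['src'], p['dport'])]
        s['packets'] += 1
        s['payload_bytes'] += p['len']
        s['flags'][p['flags']] += 1
        s['src_ports'].add(p['sport'])
        if p['len'] == 0 and p['flags'] == '.':
            s['pure_acks'] += 1  # bare acknowledgement, no data sent to us
    return stats, skipped


def top_talkers(stats, n=5):
    """Return the n (src, dport) keys with the most inbound packets, busiest first."""
    return sorted(stats.items(), key=lambda kv: kv[1]['packets'], reverse=True)[:n]


def report(stats, skipped):
    """Render a one-line-per-source summary suitable for reading in a terminal."""
    out = [f"{'source':<18}{'dport':>6}{'pkts':>6}{'acks':>6}{'payload':>9}  flags / src ports"]
    for (src, dport), s in top_talkers(stats, n=len(stats)):
        flags = ','.join(f"{f}:{c}" for f, c in s['flags'].most_common())
        ports = ','.join(str(p) for p in sorted(s['src_ports']))
        out.append(f"{src:<18}{dport:>6}{s['packets']:>6}{s['pure_acks']:>6}"
                   f"{s['payload_bytes']:>9}  {flags} / {ports}")
    out.append(f"({skipped} non-TCP or unparsed lines skipped)")
    return '\n'.join(out)


if __name__ == '__main__':
    import sys
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines()
    print(report(*summarize(src)))
```

To avoid the scrolling problem, capture to a file first and decode afterwards: `tcpdump -nn -i enp3s3 -w capture.pcap`, then `tcpdump -nn -r capture.pcap > dump.txt` and run the script on `dump.txt`. A source with many pure ACKs and little payload, like 173.252.120.113 above, is receiving data from the web server rather than sending anything to it; the sources worth a closer look are the ones that carry payload or unusual flag mixes toward the server.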
TrevorH wrote: It tells you how many packets were captured by tcpdump while it was running.

No sir,