We lost access to a server at work; unfortunately, the server is in New York, and one of us is on the way to Logan to fly out there and reboot the machine, but he probably won't even arrive there until 4:00 or so.

At this point we can ping the system, but we can't access it at all. Ssh is apparently down, as are apache, sendmail, and inn. It responds to all connection requests instantaneously with a "Connection refused" error, which makes me suspect that the refusal is happening at the IP level, before the system has a chance to look at the packet.

In the meantime, we got a report from someone that the system is pounding their network on port 113, at roughly 50-60 requests per minute. The excerpt from their logs looks like this (IP addresses obscured):

    Aug 25 08:00:14 avgo-br2 avgo-br2, list 101 denied tcp xxx.xxx.xxx.xxx(13361)(Ethernet v2 0050.2ac2.14a0) -> yyy.yyy.yyy.yyy(113), 1 packets

Does this look familiar to anyone? Is this characteristic of any type of break-in?

Another thing that occurs to me: we had just migrated an old server to this one last week, which included installing inn. I understand inn can be a resource pig; could the above behavior be a side effect of inn running out of control?

-- 
John Abreau / Executive Director, Boston Linux & Unix
ICQ#28611923 / AIM abreauj / Email jabr at blu.org