(E-Mail Removed) (gee) wrote in message news:<(E-Mail Removed). com>...
> Davide Bianchi <(E-Mail Removed)> wrote in message news:<(E-Mail Removed) n.net>...
> > On 2004-08-23, gee <(E-Mail Removed)> wrote:
> > > firewall. However, whenever the server is rebooted, ETH0 configured
> >
> > Why did you reboot the server?
> >
> > > another machine on the network using the same address.
> >
> > Maybe you should clean the ARP table.
> >
> > I don't think it's "hacked", just misconfigured.
> >
> > Davide
>
> ++Thanks for the feedback, but there is only one server on the network
> and one router. There is no other machine to misconfigure with.
>
> Whether I reboot the server or restart the network services, the
> outcome is the same - I get errors saying that there is already a
> server on the network with the same IP address.
> This never used to happen until I got complaints that people were
> attacking them from my server IP address.
>
> I use a cheap router so I cannot manually delete only the ARP table.
> I can only reset the whole router or reboot. Rebooting has no effect
> and resetting to factory settings and configuring again worked for the
> first 5 mins, but soon got the same error where the ETH card will not
> come up as soon as we received the first set of IP spoof attacks from
> 127.0.0.1.
Last line above not entirely clear to me. If someone can "spoof"
localhost, you most certainly have a misconfigured or inadequately
protected network -- you need a good firewall on the router or at
least (or additionally) on the RH9 box (already?). 127.0.0.x should
_not_ enter and be accepted on _any_ interface (or leave any
interface). If they are _generated_ on the RH9 box, then someone is
already in most likely.
Also, are you sure your "cheap" router is not the source of your reboot
problems? You can effectively "re-boot" your network with:
  /sbin/service network restart (or stop or start)
You might also try:
  /sbin/service network status (to see what's what)
Point about the router is that it may be caching network info or
acting as a bridge (which many "routers" these days do) and placing
this contrary info on the router it is connected to. Have you tried
to "announce" your RH9 presence when coming up? Your description of
the behavior when rebooting is unclear -- error messages? What is its
source? Have you checked your utmp/wtmp logs? Run arpwatch?
  $ netstat -rc ?
  # ip neighbor show ?
If someone has reached the point that they can poison the arp cache
(maybe that's the reason 127.0.0.1 is appearing) and control the flow
of your packets you may already be rootkitted or on the way there.
Get a sniffer on the wire and see what's going on and/or run
chkrootkit:
http://www.chkrootkit.org/
Probably a good idea to scan your own ports with nmap and try to find
if someone is running nc (netcat) on the RH9 box.
If it's not a hardware/net config problem you shouldn't wait to check
for intrusion and prepare to reload the server's disks -- you may
already be too late. Hopefully it is a network glitch.
hth,
prg
email above disabled
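The reply above recommends putting a sniffer on the wire and watching the ARP cache. The script below is an added example, not code from anyone in this thread: it reads the plain-text output of `tcpdump -n -i eth0 'arp or ip'` (the unquoted, no `-e` line format is an assumption about how the capture was taken) and flags the two symptoms described in the posts: an IP address that more than one MAC answers for (the "address already in use" conflict, or an ARP-cache poisoning indicator), and IP packets with a 127.0.0.0/8 or 0.0.0.0/8 source arriving on a real interface, which a correctly filtered network never carries. The capture lines embedded in the script are constructed for the demonstration.

```python
#!/usr/bin/env python3
"""Flag duplicate-IP ARP replies and loopback-sourced ("martian") packets
in a tcpdump text capture taken on a wire interface such as eth0.

Expected input format (tcpdump -n, without -e):
  HH:MM:SS.ffffff ARP, Reply <ip> is-at <mac>, length 28
  HH:MM:SS.ffffff IP <src>[.port] > <dst>[.port]: ...
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample capture for the example; not taken from the thread.
# 192.168.1.10 is the server; two different MACs answer for it, and two
# packets with impossible sources arrive on eth0.
SAMPLE_CAPTURE = """\
12:01:02.100000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
12:01:02.100500 ARP, Reply 192.168.1.1 is-at 00:0c:29:aa:bb:01, length 28
12:01:05.200000 ARP, Reply 192.168.1.10 is-at 00:0c:29:aa:bb:10, length 28
12:01:09.300000 ARP, Reply 192.168.1.10 is-at 00:50:56:de:ad:01, length 28
12:01:10.000000 IP 192.168.1.20.51234 > 192.168.1.10.22: Flags [S], seq 1, win 512, length 0
12:01:11.000000 IP 127.0.0.1.4444 > 192.168.1.10.22: Flags [S], seq 2, win 512, length 0
12:01:12.000000 IP 0.0.0.0 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64
"""

ARP_REPLY = re.compile(
    r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F]{2}(?::[0-9a-fA-F]{2}){5})"
)
# Port numbers are optional so ICMP lines (no ports) parse too.
IP_PACKET = re.compile(
    r"^(\S+) IP (\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > (\d+\.\d+\.\d+\.\d+)(?:\.\d+)?:"
)

# Source prefixes that must never be seen entering a wire interface.
MARTIAN_SOURCES = (
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
)


def parse_line(line):
    """Return a dict for ARP replies and IP packets, None for anything else."""
    m = ARP_REPLY.match(line)
    if m:
        return {"kind": "arp_reply", "ts": m.group(1),
                "ip": m.group(2), "mac": m.group(3).lower()}
    m = IP_PACKET.match(line)
    if m:
        return {"kind": "ip", "ts": m.group(1),
                "src": m.group(2), "dst": m.group(3)}
    return None


def is_martian_source(addr):
    """True if addr falls in a prefix that cannot legitimately be a wire source."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MARTIAN_SOURCES)


def analyze(capture_text):
    """Build IP -> set(MAC) from ARP replies and collect martian-sourced packets."""
    macs_for_ip = defaultdict(set)
    martians = []
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "arp_reply":
            macs_for_ip[rec["ip"]].add(rec["mac"])
        elif is_martian_source(rec["src"]):
            martians.append((rec["ts"], rec["src"], rec["dst"]))
    # An IP answered for by more than one MAC is either a genuine address
    # conflict or someone rewriting the neighbours' ARP caches.
    duplicates = {ip: sorted(macs) for ip, macs in macs_for_ip.items() if len(macs) > 1}
    return {"duplicate_ips": duplicates, "martians": martians}


if __name__ == "__main__":
    report = analyze(SAMPLE_CAPTURE)
    for ip, macs in report["duplicate_ips"].items():
        print(f"duplicate address {ip}: claimed by {', '.join(macs)}")
    for ts, src, dst in report["martians"]:
        print(f"{ts} martian source {src} -> {dst} seen on wire interface")
```

Run it against a real capture with `tcpdump -n -i eth0 'arp or ip' > capture.txt` and feed the file contents to `analyze()`. A duplicate for the server's own address tells you which second MAC is answering, which is the first thing to look for in the router's client table; a non-empty martian list means the filtering the reply asks for is missing (on the RH9 box an `iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP` rule is the usual minimum).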