Work, work, work, Turkey, work, work

2002 November 29
by darkness

Uneventful day for the most part yesterday. Went to darkho’s house to have dinner with her family. It was a good dinner, and darkho made good Chantilly Potatoes. I’ll also take this time to be random and mention that it’s currently about 59 °F at the pad. This could explain the incessant running of my nose.

Got a call about 0130 last night from Time Warner Telecom (TWTC). They told me that one of the T1s at one of our new sites was pegged for several hours. Upon checking it out I saw a nice flood of UDP packets. The contents appeared to include something like “+++ATH0”. They appeared to be attacking an IP belonging to an ISP in Israel. I think they’re a DSL provider, but I’m not sure; my Hebrew is, uh, a bit rusty. That is Hebrew, right? I recognized the selection for the Russian language on the first page, though.

I was immediately concerned that our new firewalls had been hacked and were now being used in a DoS. After checking things out, though, I noticed the attack coming from the LAN side. Then I remembered that, while installing our last site on Wednesday (we have one left that didn’t get finished on Wednesday), I saw outbound IRC connections and alerted the technician that it might be a control channel for a back door/Trojan/whatever. There were two PCs causing the flood from the LAN, and I also saw outbound IRC connection attempts from those two PCs. I firewalled the target address (the flood is still going on AFAIK, probably will be until the PCs are rebooted, and possibly won’t stop even then) and any packets coming from a range of usual IRC ports. Alerted the administrator, told them to get the technicians down there working on AV software, which is probably out of date or missing.
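The triage above (spot the LAN hosts behind the UDP flood, confirm they are also reaching out to IRC ports, then block the flood target and the control channel) can be turned into a small detection script. The following is an added example, not code from the post or from the site’s own firewall; the packet log, the LAN range 192.168.1.0/24, the port list and the interface name eth1 are all constructed assumptions, and the iptables commands are produced as text for review rather than executed.

```python
"""Triage a UDP flood sourced from the LAN: find the flooding hosts, check
which of them also attempt outbound IRC connections, and render containment
rules. All input data here is constructed for the example."""
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")             # assumed branch-office LAN
IRC_PORTS = set(range(6660, 6670)) | {7000}     # assumed "usual IRC ports"
FLOOD_THRESHOLD = 100                           # UDP packets to one dst in the window


def build_sample_log():
    """Constructed packet log, one line per packet:
    '<proto> <src>:<sport> -> <dst>:<dport> <payload>'.
    Two LAN PCs flood one external address with '+++ATH0' datagrams and
    also try to reach an IRC server; a third host does ordinary traffic."""
    lines = []
    for pc in ("192.168.1.23", "192.168.1.47"):
        for i in range(150):
            lines.append(f"udp {pc}:{40000 + i % 50} -> 203.0.113.5:7 +++ATH0")
        lines.append(f"tcp {pc}:3456 -> 198.51.100.7:6667 SYN")
    for i in range(20):
        lines.append("udp 192.168.1.10:53124 -> 192.168.1.1:53 dns-query")
        lines.append("tcp 192.168.1.10:3301 -> 203.0.113.80:80 GET")
    lines.append("tcp 192.168.1.10:3302 -> 203.0.113.5:80 GET")
    return lines


def parse_line(line):
    """Split one constructed log line into its fields."""
    proto, src, _, dst, payload = line.split(maxsplit=4)
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"proto": proto, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "payload": payload}


def find_flooders(records, threshold=FLOOD_THRESHOLD):
    """Return {lan_src: (dst, count)} for LAN hosts that sent at least
    `threshold` UDP packets to a single external address."""
    counts = Counter()
    for r in records:
        if r["proto"] != "udp":
            continue
        if ip_address(r["src"]) not in LAN or ip_address(r["dst"]) in LAN:
            continue
        counts[(r["src"], r["dst"])] += 1
    flooders = {}
    for (src, dst), n in counts.items():
        if n >= threshold and n > flooders.get(src, ("", 0))[1]:
            flooders[src] = (dst, n)
    return flooders


def find_irc_clients(records):
    """LAN hosts attempting outbound TCP connections to IRC ports; on an
    infected PC this is the likely bot control channel."""
    return {r["src"] for r in records
            if r["proto"] == "tcp" and r["dport"] in IRC_PORTS
            and ip_address(r["src"]) in LAN
            and ip_address(r["dst"]) not in LAN}


def suggest_rules(flooders, irc_clients, lan_if="eth1"):
    """Render containment rules as text (not executed): drop LAN traffic to
    the flood target, and drop IRC-port connections from the suspect PCs.
    The interface name is an assumption."""
    rules = []
    for dst in sorted({dst for dst, _ in flooders.values()}):
        rules.append(f"iptables -I FORWARD -i {lan_if} -d {dst} -j DROP")
    ports = ",".join(str(p) for p in sorted(IRC_PORTS))
    for src in sorted(irc_clients):
        rules.append(f"iptables -I FORWARD -i {lan_if} -s {src} -p tcp "
                     f"-m multiport --dports {ports} -j DROP")
    return rules


def triage(lines):
    """Run the whole triage over a list of log lines."""
    records = [parse_line(line) for line in lines]
    flooders = find_flooders(records)
    irc = find_irc_clients(records)
    return flooders, irc, suggest_rules(flooders, irc)


if __name__ == "__main__":
    flooders, irc, rules = triage(build_sample_log())
    for src, (dst, n) in flooders.items():
        tag = " (also talking to IRC ports)" if src in irc else ""
        print(f"{src} sent {n} UDP packets to {dst}{tag}")
    print("\n".join(rules))
```

The flood threshold is per destination rather than per source, so a host doing lots of ordinary DNS or web traffic to many places is not flagged; only a single-target UDP spray is. Cross-referencing the flooders with the IRC-port connection attempts is what separates "noisy host" from "probably a bot", and the generated rules mirror what the post describes: block the target, then cut the control channel while AV gets sorted out.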

Also reorganized my iptables rules so I could have the Corporate site route between two branch sites (packet in tunnel, then back out another tunnel). The src parameter when adding a route with iproute2 is mad useful.

I’m going to need to set up a WINS server on their network pretty soon so cross-domain browsing works. I’m not really looking forward to this, though. I was going to use Samba to do it, but last I heard Samba doesn’t do WINS replication. This means I’ll have to use their NT4 server at the Corporate site down south to synchronize with our Corporate server up here. It’s either that or make the whole enterprise rely on a single WINS server, which doesn’t seem like a particularly good idea to me. Also, I can’t help but suspect that Samba doesn’t checkpoint its WINS database to disk like (AFAIK) NT and friends do. If the server gets restarted, doesn’t this mean you’ll be having some WINS resolution issues for at least a while, until every host re-registers with the server manually? I guess some of this can perhaps be navigated by using dns proxy = yes and putting important entries in DNS? I’m really not sure how the DNS proxy works though.

No more sites turning up today, most customers probably still on vacation, and darkho is working until 1900 or 2000. This means work on DarkWiki today, likely.

Oh, BTW, semi-interesting (long) article on the development of TSO. Non-technical, unfortunately, but note the book titled something like Tru64 and Oracle 9i on the desk in one of the pictures.
