Re: tlug: Now, ain't this really odd??!!
- To: tlug@example.com
- Subject: Re: tlug: Now, ain't this really odd??!!
- From: "Stephen J. Turnbull" <turnbull@example.com>
- Date: Mon, 31 Aug 1998 15:50:38 +0900 (JST)
- Content-Transfer-Encoding: 7bit
- Content-Type: text/plain; charset=us-ascii
- In-Reply-To: <Pine.LNX.3.96.980831103002.30725A-100000@example.com>
- References: <35E858D5.7500A179@example.com><Pine.LNX.3.96.980831103002.30725A-100000@example.com>
- Reply-To: tlug@example.com
- Sender: owner-tlug@example.com
>>>>> "Chris" == Chris Sekiya <chris@example.com> writes:

    Chris> (nice to see the TLUG list up again) On Sat, 29 Aug 1998,
    Chris> Rafael Coninck Teigao wrote:

    >> I went IRCing for a time that night and, after login-out, I
    >> looked at my /var/log/secure and found out that somebody was
    >> trying to telnet my machine...I did the same to his machine,

This is not polite.  You don't know that the bad guy owns that
machine.

This is also dangerous.  If he had successfully cracked your machine
and gotten root privileges (with luck this could be done in about 5
minutes, not likely but possible), you could get `rm -rf /'ed if he
thought you could identify him.

    >> then the odd thing happened: I got telneting, yada-yada-yada,
    >> but after some text and a screen (like those old BBS), my
    >> kernel started showing lots of error messages, then rebooted (I
    >> was as root out of the X); thought that it could be a problem
    >> on my kernel, after booting I tried telneting again to the same
    >> host (this time as an unprivileged user, still out of X) and I
    >> got the same errors, but this time no reboot at the end, just a
    >> halted system!

Do you have copies of the errors?  If so, hang on to them, it may be
possible to identify the kind of attack that was used.

    Chris> I'll be willing to bet that the fellow who telnetted to
    Chris> your machine subsequently attacked it.  Your kernel should
    Chris> have been immune to the Ping of Death(tm), but it's likely
    Chris> vulnerable to teardrop attacks or the like.

    Chris> Secure your machine.

In particular, put that address in /etc/hosts.deny:

    ALL: 123.456.789.123

or if it seems to be a LAN or PPP block, you could put the whole block
in /etc/hosts.deny:

    ALL: 123.456.789.123/255.255.255.0

And report the apparent attack to the owner of the address in
question and upstream providers (use whois 123.456.789.0; if that
gives you nothing, try whois -h whois.arin.net 123.456.789.0, and look
in the list of whois servers there for the one that seems most likely
to know about your net).  They may not know that their system is being
used for such purposes.  If possible use a different address (eg, one
reported by whois).

-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences       Tel/fax: +1 (298) 53-5091
--------------------------------------------------------------
Next Nomikai: 18 September, 19:30 Tengu TokyoEkiMae 03-3275-3691
Next Meeting: 10 October, Tokyo Station Yaesu central gate 12:30
--------------------------------------------------------------
Sponsor: PHT, makers of TurboLinux http://www.pht.co.jp
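
The hosts.deny step described in the message, as an added example that is not part of the original post: it pulls in.telnetd connection sources out of log lines and prints candidate entries in both the single-address and the net/mask form. The log lines are constructed in the style of tcp_wrappers entries in /var/log/secure, the addresses are documentation-range placeholders, and the function names are this example's own.

```sh
#!/bin/sh
# Added example. Log lines are constructed, in the style tcp_wrappers (tcpd)
# writes to /var/log/secure; addresses come from the documentation ranges.
sample_log() {
cat <<'EOF'
Aug 29 23:14:02 myhost in.telnetd[1201]: connect from 192.0.2.45
Aug 29 23:14:40 myhost in.telnetd[1203]: connect from 192.0.2.45
Aug 29 23:15:11 myhost in.ftpd[1210]: connect from 192.0.2.77
Aug 29 23:20:05 myhost in.telnetd[1222]: connect from 198.51.100.9
Aug 29 23:21:00 myhost in.telnetd[1230]: refused connect from 192.0.2.45
EOF
}

# Read log text on stdin; print "count address" for each source that reached
# (or was refused by) in.telnetd, busiest first.
telnet_sources() {
    awk '$5 ~ /^in\.telnetd\[/ && / connect from / { n[$NF]++ }
         END { for (a in n) print n[a], a }' | sort -k1,1nr -k2,2
}

# Read "count address" on stdin; print hosts.deny lines.
#   deny_lines host   -> one line per address
#   deny_lines block  -> one line per /24, in net/mask form
# tcp_wrappers matches net/mask when net == (client address AND mask), so the
# host octet is zeroed before the line is written.
deny_lines() {
    awk -v mode="$1" '
        $2 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { next }  # hostnames, junk
        {
            split($2, o, ".")
            for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next  # bad octet
            rule = (mode == "block") ? o[1] "." o[2] "." o[3] ".0/255.255.255.0" : $2
            if (!(rule in seen)) { seen[rule] = 1; print "ALL: " rule }
        }'
}

# Print candidate entries for review; nothing is written to /etc/hosts.deny.
sample_log | telnet_sources | deny_lines block
```

Point telnet_sources at the real log instead of sample_log, and review the printed lines before appending any of them to /etc/hosts.deny.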
- Follow-Ups:
- Re: tlug: Now, ain't this really odd??!!
- From: Matt Gushee <matt@example.com>
- References:
- tlug: Now, ain't this really odd??!!
- From: Rafael Coninck Teigao <rct@example.com>
- Re: tlug: Now, ain't this really odd??!!
- From: Chris Sekiya <chris@example.com>