
Re: tlug: Now, ain't this really odd??!!



>>>>> "Chris" == Chris Sekiya <chris@example.com> writes:

    Chris> (nice to see the TLUG list up again) On Sat, 29 Aug 1998,
    Chris> Rafael Coninck Teigao wrote:

    >> I went IRCing for a time that night and, after login-out, I
    >> looked at my /var/log/secure and found out that somebody was
    >> trying to telnet my machine...I did the same to his machine,

This is not polite.  You don't know that the bad guy owns that
machine.

This is also dangerous.  If he had successfully cracked your machine
and gotten root privileges (with luck this could be done in about 5
minutes, not likely but possible), you could get `rm -rf /'ed if he
thought you could identify him.

    >> then the odd thing happened: I got telneting, yada-yada-yada,
    >> but after some text and a screen (like those old BBS), my
    >> kernel started showing lots of error messages, then rebooted (I
    >> was as root out of the X); thought that it could be a problem
    >> on my kernel, after booting I tried telneting again to the same
    >> host (this time as an unprivileged user, still out of X) and I
    >> got the same errors, but this time no reboot at the end, just a
    >> halted system!

Do you have copies of the errors?  If so, hang on to them; it may be
possible to identify the kind of attack that was used.

    Chris> I'll be willing to bet that the fellow who telnetted to
    Chris> your machine subsequently attacked it.  Your kernel should
    Chris> have been immune to the Ping of Death(tm), but it's likely
    Chris> vulnerable to teardrop attacks or the like.

    Chris> Secure your machine.

In particular, put that address in /etc/hosts.deny:

ALL: 123.456.789.123

or if it seems to be a LAN or PPP block, you could put the whole block 
in /etc/hosts.deny:

ALL: 123.456.789.123/255.255.255.0

And report the apparent attack to the owner of the address in
question and upstream providers (use whois 123.456.789.0; if that
gives you nothing, try whois -h whois.arin.net 123.456.789.0, and look
in the list of whois servers there for the one that seems most likely
to know about your net).

They may not know that their system is being used for such purposes.
If possible use a different address (eg, one reported by whois).

-- 
University of Tsukuba                Tennodai 1-1-1 Tsukuba 305-8573 JAPAN
Institute of Policy and Planning Sciences        Tel/fax: +1 (298) 53-5091
--------------------------------------------------------------
Next Nomikai: 18 September, 19:30 Tengu TokyoEkiMae 03-3275-3691
Next Meeting: 10 October, Tokyo Station Yaesu central gate 12:30
--------------------------------------------------------------
Sponsor: PHT, makers of TurboLinux http://www.pht.co.jp
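As an added illustration of the advice above (not code from the original thread), the script below pulls the in.telnetd connection attempts out of tcp_wrappers-style /var/log/secure lines, turns a source address into an `ALL:` entry for /etc/hosts.deny (single host or whole /24 in net/mask form), and checks that the entry actually covers a given client. The log lines are constructed samples, and the address validation is added so that a mistyped address (one with an octet above 255) is caught before it reaches hosts.deny.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the tcp_wrappers style seen in /var/log/secure
# (not taken from the original post).
SAMPLE_SECURE_LOG = """\
Aug 29 23:41:12 myhost in.telnetd[812]: connect from 192.0.2.77
Aug 29 23:41:19 myhost in.telnetd[815]: connect from 192.0.2.77
Aug 29 23:42:03 myhost in.ftpd[820]: connect from 198.51.100.9
Aug 29 23:44:30 myhost in.telnetd[831]: refused connect from 192.0.2.80
"""

# tcpd logs "connect from <src>" for accepted and "refused connect from <src>" for denied attempts.
CONNECT_RE = re.compile(
    r"(?P<daemon>in\.\w+)\[\d+\]: (?:refused )?connect from (?P<src>\S+)"
)


def telnet_sources(log_text):
    """Return {source: count} for every in.telnetd connection attempt, accepted or refused."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m and m.group("daemon") == "in.telnetd":
            counts[m.group("src")] += 1
    return dict(counts)


def hosts_deny_entry(src, whole_block=False):
    """Build an 'ALL: ...' line for /etc/hosts.deny.

    Raises ValueError for anything that is not a valid IPv4 address, so a typo
    never ends up as a silently useless entry. With whole_block=True the entry
    covers the surrounding /24 in the net/mask form tcp_wrappers accepts."""
    addr = ipaddress.IPv4Address(src)  # e.g. "123.456.789.123" raises ValueError
    if whole_block:
        net = ipaddress.IPv4Network(f"{addr}/24", strict=False)
        return f"ALL: {net.network_address}/{net.netmask}"
    return f"ALL: {addr}"


def entry_matches(entry, client):
    """True if a hosts.deny entry (single address or net/mask) covers the client address."""
    pattern = entry.split(":", 1)[1].strip()
    if "/" in pattern:
        return ipaddress.IPv4Address(client) in ipaddress.IPv4Network(pattern)
    return ipaddress.IPv4Address(client) == ipaddress.IPv4Address(pattern)


if __name__ == "__main__":
    for src, n in telnet_sources(SAMPLE_SECURE_LOG).items():
        print(f"{n} attempt(s) from {src}: {hosts_deny_entry(src, whole_block=True)}")
```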