I wonder what "strings in.lpda" yields with the valid program...
Chuck Sterling
System/Network Administrator
NASA White Sands Test Facility
Magic is REAL, unless declared INTEGER.
> ----------
> From: Joe Voisin[SMTP:[EMAIL PROTECTED]]
> Sent: Wednesday, August 02, 2000 8:04 AM
> To: 'Dirk Boenning'; 'Firewall-1 Mailing list'
> Subject: RE: [FW1][SUMMARY] Urgent. I'm under attack
>
>
> Are you running anything from Tivoli?
>
> in.lpda is the Link Problem Determination Aid (LPDA). Although I'm certain
> that if someone was going to drop a trojan on your system, they would try
> to disguise the trojan as an actual valid process so it wouldn't be killed...
>
> =====================================================================
> Joseph Voisin, Systems Administrator, Engel Canada Inc.
> www.engelmachinery.com | [EMAIL PROTECTED] | (519)836-0220 x436
> PGP Fingerprint: A20B 135D 0920 074F C7FE D72D 88A7 2521 5138 DFC2
> =====================================================================
>
>
>
> > -----Original Message-----
> > From: Dirk Boenning [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, August 02, 2000 8:34 AM
> > To: 'Firewall-1 Mailing list'
> > Subject: [FW1][SUMMARY] Urgent. I'm under attack
> >
> >
> >
> > Hello,
> >
> > here's the solution.
> > Some people got it wrong. The IRC server is not mine, it was the
> > destination of the packets. The source was shown as inside IPs.
> >
> > Because I was sure that IP spoofing was correctly configured, the problem
> > must reside inside my internal net. Because the source cycles through all my
> > internal IPs (whether a machine exists or not) I assumed that this must be
> > a trojan on an internal machine which manipulates the IP data.
> > I snooped one of these packets and took a look at it.
> > The IP source was one of my internal IPs, the IP destination was the
> > mentioned IRC server irc.arnes.si. Because the internal IP doesn't belong
> > to any system, it must be faked. Now taking a look at the Ethernet header
> > with the MAC address: the destination was the firewall. That's OK, because
> > the Ethernet destination should be the next router. The source was a Sun
> > machine from a customer which resides in our internal net for project
> > reasons. I took a quick look at some other packets.
> > Again and again, the Ethernet source was this machine. So I got the devil.
> > On the machine I found a program called /usr/sbin/in.lpda. This program
> > needs a lot of CPU power. In my opinion this is not a usual OS program
> > and so I killed it.
> > And guess what, the packet storm stopped right away.
> > I don't know since when this trojan was on the system and I don't even
> > know how it was triggered.
> > Running strings on the program yields, besides some junk:
> > strings in.lpda
> > %d.%d.%d.%d
> > ICMP
> > tc: unknown host
> > 3.3.3.3
> > mservers
> > randomsucks
> > skillz
> > lpsched
> > in.telne
> >
> > Maybe I will take a closer look at it in the future. If someone is
> > interested, I could send the binary (it's roughly 100KB).
> >
> >
> > Some guys mentioned that this is an attempt to slow down the IRC server
> > irc.arnes.si. I don't think so. The program cycles through all ports. This
> > wouldn't make too much sense if you want to kill the server. I guess that
> > he/she just wants to know which ports are open from which machines in my
> > internal net to the outside. That means that he/she has to control
> > irc.arnes.si to get the information he/she wants.
> >
> > CU, Dirk.
> >
> > >
> > > Hello,
> > >
> > > for a couple of minutes now I have been under attack. I have never seen
> > > this behaviour.
> > > I have roughly 50000 active connections. The destination for all
> > > of these connections is irc.arnes.si (193.2.1.34). The source is an
> > > internal IP. The internal IP is not one specific IP, it's changing all
> > > over the whole subnet, even if no machine is assigned to this IP. And not
> > > only do the IPs cycle through all values, the ports do also.
> > >
> > > I'm sure that IP spoofing is correctly configured. The whole system has
> > > been working for 2 years.
> > >
> > > Any idea how to stop it, what to change??
> > >
> > > Tia, Dirk.
> > >
> > > BTW, it's Firewall 4.0 under Solaris 2.6
> >
> >
> > ================================================================================
> > To unsubscribe from this mailing list, please see the instructions at
> > http://www.checkpoint.com/services/mailing.html
> > ================================================================================
> >
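The check Dirk describes doing by hand, grouping the forged packets by their Ethernet source address instead of the spoofed IP, as an added example that is not part of this thread. It assumes only Python 3; the MAC addresses, internal IPs and the frames themselves are constructed sample data, with the IRC server address taken from the thread.

```python
import struct
from collections import defaultdict

ETHERTYPE_IPV4 = 0x0800
IRC_SERVER = "193.2.1.34"  # the destination named in the thread

def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport):
    """Build a minimal Ethernet II + IPv4 + TCP SYN frame (constructed sample data)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    octets = lambda ip: bytes(int(o) for o in ip.split("."))
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    # IPv4: version 4 / IHL 5, total length 40, TTL 64, protocol 6 (TCP), checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     octets(src_ip), octets(dst_ip))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def parse_frame(frame):
    """Return (src_mac, src_ip, dst_ip, sport, dport), or None if not IPv4 TCP/UDP."""
    if len(frame) < 38 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    if frame[23] not in (6, 17):          # IP protocol field: TCP or UDP only
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[6:12])
    src_ip = ".".join(str(b) for b in frame[26:30])
    dst_ip = ".".join(str(b) for b in frame[30:34])
    l4 = 14 + (frame[14] & 0x0F) * 4      # IHL gives where the L4 header starts
    sport, dport = struct.unpack("!HH", frame[l4:l4 + 4])
    return src_mac, src_ip, dst_ip, sport, dport

def find_spoofing_hosts(frames, dst_ip=IRC_SERVER, min_distinct_ips=3):
    """Group frames to dst_ip by Ethernet source MAC. One MAC claiming many
    source IPs is the host forging packets, whatever addresses it writes."""
    ips_by_mac = defaultdict(set)
    for frame in frames:
        p = parse_frame(frame)
        if p and p[2] == dst_ip:
            ips_by_mac[p[0]].add(p[1])
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items()
            if len(ips) >= min_distinct_ips}

# Constructed sample capture: the forging host sends to the IRC server with a
# different spoofed internal source IP and port per frame; a real client does not.
FW_MAC = "00:00:0c:11:22:33"   # hypothetical firewall interface (next hop)
SUN_MAC = "08:00:20:aa:bb:cc"  # hypothetical compromised Sun workstation
PC_MAC = "00:50:04:dd:ee:ff"   # hypothetical innocent client
SAMPLE_FRAMES = [build_frame(SUN_MAC, FW_MAC, f"10.0.0.{i}", IRC_SERVER, 1024 + i, i)
                 for i in range(1, 6)]
SAMPLE_FRAMES += [build_frame(PC_MAC, FW_MAC, "10.0.0.50", IRC_SERVER, 40000, 6667),
                  build_frame(PC_MAC, FW_MAC, "10.0.0.50", "10.0.0.1", 40001, 80)]
```

On a real capture the frames would come from a snoop or tcpdump file read on the firewall's internal interface; the same grouping then names the physical host to inspect, exactly as the Ethernet source did here.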