On 2/21/02 at 12:09 AM, guitarlynn <[EMAIL PROTECTED]> wrote:

> I've been one of many that have lately had a ton of logs
> with dns floods and http scans. I figured that I would go
> and SILENT_DENY them yesterday. I did and my logs stayed
> empty the rest of the day.
>
> Today I checked the weblet and I had http SYN packets in
> my logs. So, I go down and set up a monitor and get ready
> to check things out. To my amazement, everything was all
> in CAPS .... everything from the shell and my keyboard
> input. It lagged a little when I logged in, so I 'ae' a
> .conf file and attempt to scroll ..... it's lagging like
> ssh does (ohhh, now I'm real interested)! I pull up
> another shell and everything is normal (no lag and the
> fonts are case-sensitive again). I check 'ps ax' and
> everything is normal, so I 'svi network reload' and change
> back to terminal 1. Terminal 1 is back to normal now too.
>
> None of my network settings have changed. The box is a DF
> floppy w/o ssh, IPSec, or telnet. The only hole in the
> firewall is a portfw to an internal webserver w/o any name
> resolution on port 81. After resetting the firewall, I got
> a bunch of port 80 and a couple of port 21 hits.
>
> Any ideas .... I'm afraid someone was somehow filtering
> my shell. Oh, I know the date is borked on the machine
> .... it's been a low priority.

Next time this happens see if you can put a system on there and run a port sniffer on the traffic coming into your box.

It's definitely possible to create a shell which responds to a connect from port 80. It's also possible to "steal" the file-descriptors from a running shell. I'm not sure it's entirely likely this has happened to you, but I wouldn't rule it out - and all those attempted connects are interesting...

--
David Douthitt
UNIX Systems Administrator
HP-UX, Unixware, Linux
[EMAIL PROTECTED]

_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user