On Wed, Jul 04, 2001 at 08:22:11PM +1000, andy wrote:
> OK, so I rebuilt an old RH6.2 system and upgraded to RH7.1 in the
> process. I got the RH7.1 install to format everything except my swap
> drive.
>
> About an hour
Heh, you're lucky. I've had people knocking at the door minutes after this
sort of thing. :-)
> after I rebooted my nicely rebuilt system (using my old
> ipchains rules - which are obviously lacking) I noticed the following
> tell-tale signs of intrusion yet again:
All the PROTO=6 probably means they're looking for an NNTP server. Unless
you're running one, laugh evily in their general direction. (And since it's
repeated, I'd guess you're safe, they haven't found anything but are stupid
and keep trying)
PROTO=17 are UDP packets, I think this has something to do with Win NETBIOS
stuff. Vaguely thinking that somebody is looking for Windows shares on your
machine.
> ... 17:13:17 rpc.statd[844]: gethostbyname error for
> ^X???^X???^Y???^Y???^Z???^Z???^[???^[???%8x%8
> x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220
> \220\220\220\220\220\220\220\220....... heaps of this
This one is more fun, looks like a buffer overflow attack against rpc.statd.
Are you sure you want to be running this service? Really not a great idea
to run it on a machine directly connected to the net, you want a firewall in
there somewhere I'd think.
> The IP addresses don't seem to mean much other than one of them is mine
> ! (dial up so it varies each time)
One of them is yours because it's the destination IP. The other IP number is
the computer the attack (supposedly) came from. You can try tracing it back
with an nslookup IP, or whois IP. Then you can send email to [EMAIL PROTECTED]
And generally get no response at all back. Or you could h@><0r them and
spend 15 years in jail. Your choice.
> The same thing happened on RH6.2 just before I got attacked (though this
> could be just coincidence)
No, probably related in some way, if you saw this same sequence.
> but I beleive the vulnerability exploited in
> my case was via rpc.statd
And it looks like somebody is trying the same hole again.
> (they loaded 'luckroot' onto my system plus a
> rootkit. Unfortunately NFS uses rpc.statd for its locking (?) schemes
> so I can't just ditch it.
Look for a better way of doing whatever you're doing with NFS. You really
don't want an NFS server acting as firewall, which is what it seems like
you're doing.
> Has anyone else experienced this.
I think the sad thing is that anybody who's connected a computer to the net
in the past few years has probably had somebody attempt to break into it.
Frequently.
> What the hell is going on ????
Just general net traffic really. In that any machine connected to the net for
more than an hour or so appears to be a target for attack.
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
