[ale] What's this guy doing?

UnderGrid Founder undrgrid at undergrid.net
Sat Apr 10 11:33:18 EDT 1999


--LZvS9be/3tNcYl/X
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable

	This looks very familar to mountd and syslogd attempts I found in my=20
log files... Except the mountd attempts I got you could clearly read the wo=
rds
"bin" & "sh" so it was quite obvious it was an exploit attempt... I would=
=20
recommend running somethin like tcplogd on your system so if this happens a=
gain
you can get an IP address as this has help'd me in gettin this dealt with..=
.=20
I've already had atleast one co-located server at a provider pull'd from the
network because of the rogue processes runnin this exploit... Another idea
would be to setup ipchains to log the attempts to those ports... with my=20
ipchains firewall I've seen a rise in the number of attempts to contact my
sunrpc port from sites (mostly korean sites which doesn't surprise me in the
least since they are known to be the most insecure boxen on the net).

	Respectfully,
	Jeremy T. Bouse

Jim Popovitch decided to waste my bandwidth saying:
> I was this come through our mail server logs today....
>=20
>=20
> Apr  9 13:20:24 gateway kernel: Warning: possible SYN flood from
> 208.166.52.23 on 12.77.54.157:111.  Sending cookies.
> Apr  9 13:20:28 gateway
> Apr  9 13:20:28 gateway syslogd: Cannot glue message parts together
> Apr  9 13:20:29 gateway 29>Apr  9 13:20:28 mountd[282]: NFS mount of
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
> ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^=
P^P
<snip>
> Apr  9 13:20:30 gateway
> (-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(-^E^H(=
-^E
> ^H(-^E^H(-^
<snip>
> Apr  9 14:03:14 gateway named[647]: Cleaned cache of 19 RRs
>=20

--=20
,--------------------------------------------------------------------------=
---,
| Jeremy T. Bouse  -  UnderGrid Network Services, LLC  -   www.UnderGrid.ne=
t  |
|     PGP ID/Fingerprint: 1024/E83D9AE5/4ACC03F098D78198 19D0593E50E597E9  =
   |
|   Public PGP key available by sending email with 'send pgpkey' in subject=
   |
| undrgrid at UnderGrid.net  -  NIC Whois: JB5713  -  Jeremy.Bouse at UnderGrid.n=
et |
| If life is merely a joke, the question still remains: for whose amusement=
?  |
`--------------------------------------------------------------------------=
---'

--LZvS9be/3tNcYl/X
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a

iQCVAwUBNw9vO+ak13roPZrlAQHxhwP+PeQgthir66ZhzAc5wI0nhRgJ+lNoh8un
VFXgMqiwZn9GmNdd7htEkGrhaPQevO0XqG9GYi148Ts2mYTgRyy7VV6kesttd+dD
+vhO20/X3UIB3AoXnAeKWR4LZXQRtldRsJVLlHhHw7Mp6VBAuPZHT5TzYSlkG11/
sbBKVMr3XUs=
=lcax
-----END PGP SIGNATURE-----

--LZvS9be/3tNcYl/X--






More information about the Ale mailing list