[ale] Known vulnerabilities in whois? (called by fail2ban)

Jim Kinney jim.kinney at gmail.com
Thu Mar 25 16:19:50 EDT 2010


On Thu, Mar 25, 2010 at 3:43 PM, Neal Rhodes <neal at mnopltd.com> wrote:

>  Something odd today.
>
> Fedora Core 10 system dog slow.    Yes, I should upgrade.   Is there a drug
> you can legally take to help you forget the prior pain of Fedora upgrades?
>

Alcohol (to steel the nerves) followed by system reinstall followed by lots
more alcohol (to fight back the tears) and a few Xanax (um, why not at this
point?) for good measure.

>
> Top shows that whois is taking 80% of cpu.
>
> whois being called by fail2ban, which is about to cut off access to some
> wanker trying random passwords.   It does a whois first to get some
> descriptive detail for the logs.
>
> It was trying to do:
>
> 17753 ?        R    508:58      |       \_ /usr/bin/whois 203.171.30.41
>
>
> You can see it ate a pile of cpu.   I killed it off and all seems to be
> ok.     Inquiring minds are curious if those doing external ssh attempts are
> getting wise to the notion that fail2ban will spot them and then close them
> down, and are now attempting to either:
>
> A. find/use a vulnerability in whois, or
> B. just make the whole fail2ban process hang for a while longer so they get
> more chances to guess.
>

Set up a cron that looks for long-running whois and kill it until you can
cycle through the above process :-)




-- 
James P. Kinney III
Actively in pursuit of Life, Liberty and Happiness
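The cron job Jim suggests, written out as an added example (not code from the thread or from fail2ban): it scans the process table for whois lookups that have been running longer than a threshold and sends them SIGTERM. It assumes `ps -eo pid=,etime=,comm=` output, with etime in the `[[DD-]HH:]MM:SS` format procps prints, and the sample process list is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: a cron-friendly script that finds
# whois processes running longer than a threshold and sends them SIGTERM.
# Assumes `ps -eo pid=,etime=,comm=` output (PID, elapsed time, command name),
# where etime is formatted [[DD-]HH:]MM:SS.

# long_whois THRESHOLD_SECONDS < ps-output
# Prints the PID of every "whois" process whose elapsed time exceeds
# THRESHOLD_SECONDS, one PID per line.
long_whois() {
    awk -v limit="$1" '
        # Convert a ps etime string ([[DD-]HH:]MM:SS) to seconds.
        function etime_secs(s,    dp, parts, n, i, days, secs) {
            days = 0
            if (index(s, "-") > 0) { split(s, dp, "-"); days = dp[1]; s = dp[2] }
            n = split(s, parts, ":")
            secs = 0
            for (i = 1; i <= n; i++) secs = secs * 60 + parts[i]
            return days * 86400 + secs
        }
        $3 == "whois" && etime_secs($2) > limit + 0 { print $1 }'
}

# Constructed sample of ps output (PIDs and times are made up; the first
# line mirrors the whois from the original post that had eaten 508 CPU minutes).
SAMPLE_PS='17753 08:28:58 whois
 2201 00:12 whois
 1042 1-02:00:00 sshd
 9981 02:00 whois'

# Driver for cron, e.g. "*/5 * * * * /usr/local/sbin/kill_stuck_whois.sh":
# reads the live process table and terminates stuck whois lookups.
kill_stuck_whois() {
    threshold="${1:-60}"
    ps -eo pid=,etime=,comm= | long_whois "$threshold" | while read -r pid; do
        logger -t kill_stuck_whois "terminating whois pid $pid (over ${threshold}s)"
        kill -TERM "$pid"
    done
}

# Only act on the live system when run directly as the script, not when sourced.
case "$0" in
    *kill_stuck_whois*) kill_stuck_whois "$@" ;;
esac
```

A 60-second threshold is generous for a single whois lookup; the periodic kill is a stopgap that keeps fail2ban moving, not an explanation of why the lookup hung.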