[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

tcpd anomaly



  Salve,

  I'm protecting hades with the tcpd wrappers and had no problems so far,
at least none that I noticed.

  Today something strange happened. An attacker got a connection on a
protected port from an IP that is not allowed:

> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
  BTW, thanks for that tool.

> Jul 1 03:34:56 hades in.null[18321]: twist
> slip139-92-93-124.hol.ch.ibm.net to perl /usr/sbin/get_em.pl
> 139.92.93.124 unknown slip139-92-93-124.hol.ch.ibm.net in.null 2>>
> /var/log/get_em_err

  This is OK and has happened a dozen times a week in the last year. He
comes from ch.ibm.net, where only de.ibm.net is allowed, and is routed to a
little homegrown script that logs some stuff like traceroute and finger.

> Jul 1 03:35:00 hades in.null[18324]: twist
> slip139-92-93-124.hol.ch.ibm.net to perl /usr/sbin/get_em.pl
> 139.92.93.124 unknown slip139-92-93-124.hol.ch.ibm.net in.null 2>>
> /var/log/get_em_err

  And again, still OK.

> Jul 1 03:35:05 hades in.telnetd[18327]: connect from
> slip139-92-93-124.hol.ch.ibm.net

  But now this! It hasn't happened before, and I think the fast reconnects
after 4-5 sec. are on purpose; nobody has done it like that before, and I
got a lot more of this in the logfiles.
  It seems like tcpd is still busy with the last two scripts and doesn't even
look at the connect. Or am I missing something? Do the scripts have to have
a '&' at the end of the line to prevent it? Or is it a bug in the tcpd
wrappers?

  Yours troubled

  Pluto  -  SysAdmin of Hades
  We are NSA, your mail will be scrutinized, resistance is futile! =:-)
  Key fingerprint: 1F 3F EA 94 D0 56 A6 86  4D 19 C4 56 6C F9 43 44

Boren's Laws:
	(1) When in charge, ponder.
	(2) When in trouble, delegate.
	(3) When in doubt, mumble.
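
As an added illustration (not code from the post, and not part of tcp_wrappers), here is a small Python script that runs the pattern described above over tcpd log lines: it parses the syslog records, classifies each as a "twist", an allowed "connect from" (which is what tcpd logs when it admits a client to the real service) or a "refused connect from", and flags any client that gets admitted to a service shortly after having been twisted, together with the gaps between its reconnects. The first three sample lines are the ones quoted in the post, rejoined onto single lines; the fourth is a constructed benign record for a host that is only ever twisted. The year (syslog stamps carry none), the 30-second window and the host and address in the constructed line are assumptions.

```python
"""Spot tcpd clients that get admitted right after being twisted.

Added example, not from the original post or the tcp_wrappers sources.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The first three lines are the ones quoted in the post, rejoined onto single
# lines. The fourth is a constructed benign record (assumed host and address)
# for a client that is twisted but never admitted.
SAMPLE_LOG = """\
Jul 1 03:34:56 hades in.null[18321]: twist slip139-92-93-124.hol.ch.ibm.net to perl /usr/sbin/get_em.pl 139.92.93.124 unknown slip139-92-93-124.hol.ch.ibm.net in.null 2>> /var/log/get_em_err
Jul 1 03:35:00 hades in.null[18324]: twist slip139-92-93-124.hol.ch.ibm.net to perl /usr/sbin/get_em.pl 139.92.93.124 unknown slip139-92-93-124.hol.ch.ibm.net in.null 2>> /var/log/get_em_err
Jul 1 03:35:05 hades in.telnetd[18327]: connect from slip139-92-93-124.hol.ch.ibm.net
Jul 1 04:10:12 hades in.null[18402]: twist other.example.net to perl /usr/sbin/get_em.pl 192.0.2.7 unknown other.example.net in.null 2>> /var/log/get_em_err
"""

# syslog prefix: "Mon DD HH:MM:SS host daemon[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<daemon>[^\s\[]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# tcpd messages: "twist <client> to <command>" for a twist rule,
# "connect from <client>" when the client is admitted to the real service,
# "refused connect from <client>" when it is denied outright.
TWIST_RE = re.compile(r"^twist (?P<client>\S+) to (?P<cmd>.+)$")
CONNECT_RE = re.compile(r"^(?P<refused>refused )?connect from (?P<client>\S+)")


def parse_events(log_text, year=1998):
    """Return (time, daemon, client, outcome) tuples for each tcpd record.

    outcome is "twist", "allowed" or "refused". syslog timestamps carry no
    year, so one is supplied (1998 is an assumption). Other lines are skipped.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())
        ts = datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)
        t = TWIST_RE.match(m["msg"])
        if t:
            events.append((ts, m["daemon"], t["client"], "twist"))
            continue
        c = CONNECT_RE.match(m["msg"])
        if c:
            outcome = "refused" if c["refused"] else "allowed"
            events.append((ts, m["daemon"], c["client"], outcome))
    return events


def admitted_after_twist(log_text, window=timedelta(seconds=30), year=1998):
    """Flag clients admitted by tcpd within `window` of their last twist.

    Each finding records the service reached, the delay since the client's
    most recent twist, how many twists preceded the admission and the gaps
    (in seconds) between the client's consecutive connection attempts, which
    is what makes a burst of fast reconnects visible.
    """
    by_client = defaultdict(list)
    for ev in sorted(parse_events(log_text, year)):
        by_client[ev[2]].append(ev)

    findings = []
    for client, evs in by_client.items():
        twists = []
        for i, (ts, daemon, _, outcome) in enumerate(evs):
            if outcome == "twist":
                twists.append(ts)
            elif outcome == "allowed" and twists and ts - twists[-1] <= window:
                gaps = [int((b[0] - a[0]).total_seconds())
                        for a, b in zip(evs, evs[1:i + 1])]
                findings.append({
                    "client": client,
                    "service": daemon,
                    "seconds_since_twist": int((ts - twists[-1]).total_seconds()),
                    "twists_before": len(twists),
                    "gaps": gaps,
                })
    return findings


if __name__ == "__main__":
    for finding in admitted_after_twist(SAMPLE_LOG):
        print(finding)
```

Run against the lines from the post it reports one finding: the ch.ibm.net client reached in.telnetd 5 seconds after its second twist, with its three attempts spaced 4 and 5 seconds apart; the constructed host that is only twisted produces nothing. Pointing it at a real log would need only the file contents in place of SAMPLE_LOG and the correct year.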
