[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

RE: I'd say this is someone trying to find an expolit



You really ought to look in to PortSentry...  It sees someone hitting
multiple ports successively, & automatically adds them to hosts.deny, and
adds a rule to your ipchains to dump their packets...  After they tri[ it's
protection, your machine becomes a black hole...  You can also set up
specific ports.

> -----Original Message-----
> From:	J. Scott Kasten [SMTP:jsk tetracon-eng net]
> Sent:	Tuesday, August 29, 2000 3:39 PM
> To:	Scott Kindley
> Cc:	redhat-list redhat com
> Subject:	Re: I'd say this is someone trying to find an expolit
> 
> 
> Yeah, it's anoying, but he's probably done no harm yet.  The best things
> to do are to go through your /etc/rc.d/rcX.d where 'X' is your default run
> level and make sure you've got any uncesary services removed from startup
> there (the symlinks starting with 'S').  Go through your /etc/inetd.conf
> and comment out everything you don't absolutely need from there.
> Particularly ftp if you are not using it.  Then go into your hosts.deny
> and put "ALL : ALL" then in hosts.allow put "ALL : 127.0.0.1 X.X.X.X"
> where X.X.X.X is a list of fixed IP addresses that you'll allow
> connections from.  That will make it quite secure.  The finally, if you
> run X on that box, add in an ipchains rule to your /etc/rc.d/rc.local to
> drop IP traffic that comes in for sockets in the 6000 block (the X
> server).  Now you should be really tight.
> 
> I've had people try and send buffer overflow exploits to my ftp daemon 6
> times in the past month.
> 
> On Tue, 29 Aug 2000, Scott Kindley wrote:
> 
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> > 
> > Aug 29 04:21:12 ns1 in.telnetd[11975]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:12 ns1 in.telnetd[11977]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:12 ns1 in.telnetd[11976]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:12 ns1 in.telnetd[11978]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:12 ns1 in.telnetd[11979]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:12 ns1 in.telnetd[11980]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:12 ns1 in.telnetd[11981]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:12 ns1 in.telnetd[11982]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:13 ns1 in.telnetd[11983]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:13 ns1 imapd[11984]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 imapd[11988]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 imapd[11987]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 imapd[11985]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 imapd[11986]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 imapd[11989]: refused connect from 63.145.81.31
> > Aug 29 04:21:13 ns1 in.telnetd[11990]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:13 ns1 in.telnetd[11991]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:13 ns1 in.telnetd[11992]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:15 ns1 in.telnetd[11993]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:15 ns1 imapd[11994]: refused connect from 63.145.81.31
> > Aug 29 04:21:16 ns1 imapd[11995]: refused connect from 63.145.81.31
> > Aug 29 04:21:16 ns1 imapd[11996]: refused connect from 63.145.81.31
> > Aug 29 04:21:16 ns1 imapd[11997]: refused connect from 63.145.81.31
> > Aug 29 04:21:16 ns1 in.telnetd[11998]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:16 ns1 in.telnetd[11999]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:16 ns1 in.telnetd[12000]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:16 ns1 in.telnetd[12001]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:16 ns1 in.telnetd[12002]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:16 ns1 in.telnetd[12003]: refused connect from
> > 63.145.81.31
> > Aug 29 04:21:19 ns1 in.telnetd[12004]: refused connect from
> > 63.145.81.31
> > 
> > 
> > Not one of my IP's. Don't know anybody using any IP on that network.
> > Any suggestions o how to handle this? It's my first attempt at being
> > hacked. I have him blocked with wrappers after a telnet attempt a few
> > days ago that I thought looked funny. So for now I think I'm ok. I have
> > checked me logs and verified nothing has changed on the system. So
> > entry wasn't made. Still the attempt is bugging me.
> >  
> > - -----
> > Scott Kindley
> > 
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGP 6.5.2
> > 
> > iQA/AwUBOav+xdWX5RP8v4x6EQJz1ACg6Nfqhv9GFc+XjLBXgFc4+nh4UqUAnidp
> > SCLYRw1deJdSu6VUI4Y4TxEQ
> > =kYu/
> > -----END PGP SIGNATURE-----
> > 
> > 
> > 
> > _______________________________________________
> > Redhat-list mailing list
> > Redhat-list redhat com
> > https://listman.redhat.com/mailman/listinfo/redhat-list
> > 
> 
> 
> 
> _______________________________________________
> Redhat-list mailing list
> Redhat-list redhat com
> https://listman.redhat.com/mailman/listinfo/redhat-list





[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]