Security Incidents mailing list archives

Re: [Re: interesting attempt at intrusion] case solved!


From: jlewis () LEWIS ORG (Jon Lewis)
Date: Fri, 31 Dec 1999 00:16:57 -0500


On Thu, 30 Dec 1999, Anonymous wrote:

> Before I sit down and start spooning up this large plate of crow, let me
> confess that for the past week and a half a youth in a different state
> has been trying repeatedly to overflow my telnetd.  The best I have seen
> so far was this entry:
>
> Dec 21 22:18:37 noc telnetd[4269]: ttloop:  peer died: Invalid or incomplete multibyte or wide character

If you don't know the IP these are coming from yet, you can use
ipfwadm/ipchains to log syns coming from "external" addresses to whatever
ports you're concerned with.  That way, no matter how quickly they
terminate the connection, you will see where they came from.  I did this
long ago to track down and filter some people attacking (crashing) inetd
on an IRC server.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  Spammers will be winnuked or
 System Administrator        |  nestea'd...whatever it takes
 Atlantic Net                |  to get the job done.
_________http://www.lewis.org/~jlewis/pgp for PGP public key__________
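
The following is an added example, not part of the original message or the poster's own tooling: once SYNs to the telnet port are being logged as the reply suggests, this pairs each telnetd "peer died" entry with the source addresses logged just before it. The kernel log lines, addresses, the 30-second window and the `ipchains` rule in the comment are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog (not from the original post). The telnetd line uses
# the format quoted above; the kernel lines assume the ipchains "Packet log:"
# layout produced by a logging rule such as (assumed, adjust interface/port):
#   ipchains -A input -i eth0 -p tcp -y -d 0/0 23 -l
SAMPLE_LOG = """\
Dec 21 22:17:02 noc kernel: Packet log: input - eth0 PROTO=6 198.51.100.9:4102 192.0.2.10:23 L=60 S=0x00 I=4411 F=0x4000 T=52 SYN (#1)
Dec 21 22:18:36 noc kernel: Packet log: input - eth0 PROTO=6 203.0.113.7:3127 192.0.2.10:23 L=60 S=0x00 I=9120 F=0x4000 T=49 SYN (#1)
Dec 21 22:18:37 noc telnetd[4269]: ttloop:  peer died: Invalid or incomplete multibyte or wide character
Dec 21 22:40:11 noc kernel: Packet log: input - eth0 PROTO=6 203.0.113.7:3140 192.0.2.10:23 L=60 S=0x00 I=9388 F=0x4000 T=49 SYN (#1)
"""

STAMP = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ "
SYN_RE = re.compile(STAMP + r"kernel: Packet log: input \S+ \S+ PROTO=6 "
                    r"(?P<src>[\d.]+):(?P<sport>\d+) [\d.]+:(?P<dport>\d+) .*\bSYN\b")
DIED_RE = re.compile(STAMP + r"telnetd\[(?P<pid>\d+)\]: ttloop:\s+peer died")

def parse_ts(text, year=1999):
    # Classic syslog stamps carry no year; supply one so datetimes compare.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def attribute_peer_deaths(log, port=23, window=timedelta(seconds=30)):
    """Pair each telnetd 'peer died' entry with the SYNs logged just before it."""
    syns, results = [], []
    for line in log.splitlines():
        m = SYN_RE.match(line)
        if m and int(m["dport"]) == port:
            syns.append((parse_ts(m["ts"]), m["src"]))
            continue
        m = DIED_RE.match(line)
        if m:
            died = parse_ts(m["ts"])
            # Keep only SYNs that arrived at or before the failure, within the window.
            sources = sorted({ip for ts, ip in syns
                              if timedelta(0) <= died - ts <= window})
            results.append((int(m["pid"]), m["ts"], sources))
    return results

if __name__ == "__main__":
    for pid, when, sources in attribute_peer_deaths(SAMPLE_LOG):
        print(f"telnetd[{pid}] peer died at {when}: "
              f"candidate sources {sources or 'none logged'}")
```
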

