Security Incidents mailing list archives
Probe from NS2.SOHONET.COM
From: jonkeim () PHOENIX PRINCETON EDU (Jonathan S. Keim)
Date: Sat, 8 Jan 2000 11:24:49 -0500
hello,

i got this little probe last night from a machine at 208.215.131.24, which turns out to be:

    Name:    NS2.SOHONET.COM
    Address: 208.215.131.24

it looks like someone has compromised this machine and is scanning the princeton network with it. most likely it's the result of a bind exploit, thanks to our friends at ADM. look for the directory /var/named/ADMROCKS, or some variant, and that will *generally* tell you if the intruder entered via bind. i've enclosed the relevant log entries from linux 2.2.x ipchains for your convenience. if you could look into this problem, i'd be very appreciative. good luck catching the script kiddie.

jon

relevant entry
----------------

Jan 8 09:32:24 law kernel: Packet log: input DENY eth0 PROTO=17 208.215.131.24:2583 140.180.145.238:53 L=55 S=0x00 I=64066 F=0x0000 T=52 (#16)