Thanks to:

"Mollie Tucker" <mollie@cs.colgate.edu>
James Coby <james.coby@veritas.com>
scb1 <scb1@erols.com>
Matt Robbins <mrobbins@bwctc.northants.sch.uk>
Patricio Mora <pmora@cjap.junta-andalucia.es>
Gary Mulder <gary@cgen.com>
and many more coming.

Summary:

1) Summary from Patricio Mora:

"Carsten B. Knudsen" <cbk@superusers.dk>
Casper.Dik@Sun.COM

As Carsten said: "Sounds like a buffer overflow type of attack. bsd-gw is part of the print system."

It is indeed that hackers are scanning the TCP port 515 on which the in.lpd daemon listens. I have thereafter turned tcp_wrapper on for this port, so that all the incoming traffic on this port will be blocked and recorded. Immediately after I had done that, the system displayed the hacker's identity!

Apr 3 10:26:33 ete09-f.icase.edu in.lpd[12766]: refused connect from 200.39.115.74
Apr 3 10:26:34 ete09-f.icase.edu in.lpd[12767]: warning: can't verify hostname: gethostbyname(alfonso-ayala10.psi.net.mx) failed

which means we are still under attack! So I urge all of you to block this port as soon as you can.

I also want everybody to know the location of the hacker. Today it is from 200.39.115.74, and yesterday the hacker's IP was 209.203.105.105, which belongs to:

GST Telecom, Inc. (NETBLK-GST-NET-4)
4317 NE Thurston Way
Vancouver, WA 98662
US
Netname: GST-NET-4
Netblock: 209.203.64.0 - 209.203.127.255
Maintainer: GSTD
Coordinator: GST Telecom, Inc. (NE-ORG-ARIN) ipadmin@gstis.net 503.416.1926

2) Mailing list archive: http://marc.theaimsgroup.com/?l=sun-managers

3) "I think it is the Lion Worm sniffing your Sun box - If you are not running Linux - then I wouldn't worry."

4) "For me it meant a major tightening of security i.e. going through /etc/inetd.conf and getting rid of everything we didn't use (it was a new box and I hadn't caught up yet)."

5) "Use TCP Wrappers to log where the cracker is coming from."

I would definitely use the TCP wrapper to log the cracker.

Thanks for all the replies.
Regards
Alan

-------- Original Message --------
Subject: Suspected Break-in trial
Date: Fri, 20 Apr 2001 00:06:57 +0800
From: Alan Kong <kkkong@ee.cuhk.edu.hk>
Organization: The Chinese University of Hong Kong
To: sunmanagers@sunmanagers.org

Dear Managers,

We have captured the following messages in our /var/adm/messages:

Apr 4 09:05:21 sun1 bsd-gw[4506]: Invalid protocol request (66): BBB XXXXXXXXXXXXXXXXXX%.96u%300$n%.93u%301$n%.253u%302$n%.192u%303$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
Apr 4 09:05:22 sun1 bsd-gw[4508]: Invalid protocol request (66): BBB XXXXXXXXXXXXXXXXXX%.88u%300$n%.101u%301$n%.253u%302$n%.192u%303$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
Apr 4 09:05:22 sun1 bsd-gw[4507]: Invalid protocol request (66): BBB XXXXXXXXXXXXXXXXXX%.92u%300$n%.97u%301$n%.253u%302$n%.192u%303$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh
Apr 4 09:05:23 sun1 bsd-gw[4509]: Invalid protocol request (66): BBB XXXXXXXXXXXXXXXXXX%.84u%300$n%.105u%301$n%.253u%302$n%.192u%303$n111F1f1C]C]KMM1ECf]fE'MEEEMCCC1?A^u1FEMU/bin/sh

A while back someone reported a similar case and posted a summary, which I have lost. I wonder if you could kindly re-send a copy of the summary. I want to trace the originator.

Thanks.

Regards
Alan

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Mon Apr 23 02:34:02 2001
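As an added example (not from the thread, and not part of Sun's print system or tcp_wrappers), a small Python scanner for /var/adm/messages modelled on the entries quoted above: it flags bsd-gw "Invalid protocol request" lines that carry %n write directives (the mark of a format-string attack rather than a merely malformed request) and tallies the source addresses that tcp_wrappers logged as refused on port 515. The sample log lines, with shortened payloads, are constructed.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the thread's /var/adm/messages excerpts
# (payload tails shortened; real entries carry a much longer shellcode-like tail).
SAMPLE_LOG = """\
Apr  4 09:05:21 sun1 bsd-gw[4506]: Invalid protocol request (66): BBB XXXXXXXX%.96u%300$n%.93u%301$n%.253u%302$n/bin/sh
Apr  4 09:05:22 sun1 bsd-gw[4508]: Invalid protocol request (66): BBB XXXXXXXX%.88u%300$n%.101u%301$n%.253u%302$n/bin/sh
Apr  4 09:07:10 sun1 bsd-gw[4510]: Invalid protocol request (2): printer01
Apr  3 10:26:33 ete09-f.icase.edu in.lpd[12766]: refused connect from 200.39.115.74
Apr  3 10:26:34 ete09-f.icase.edu in.lpd[12767]: warning: can't verify hostname: gethostbyname(alfonso-ayala10.psi.net.mx) failed
Apr  3 11:02:05 ete09-f.icase.edu in.lpd[12801]: refused connect from 209.203.105.105
"""

# Classic syslog layout: timestamp, host, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# %n, optionally with a positional index as in "%300$n", makes printf write to
# memory; a benign garbled print request has no reason to contain it.
FMT_WRITE_RE = re.compile(r"%(\d+\$)?n")
# Line tcp_wrappers (in.lpd via tcpd) logs for a connection rejected by hosts.deny
REFUSED_RE = re.compile(r"refused connect from (\d{1,3}(?:\.\d{1,3}){3})")

def scan_messages(text):
    """Return (format_string_hits, refused_sources) for a block of syslog text."""
    hits = []
    refused = Counter()
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue  # not a syslog-shaped line; ignore
        prog, msg = m.group("prog"), m.group("msg")
        if prog == "bsd-gw" and msg.startswith("Invalid protocol request"):
            writes = FMT_WRITE_RE.findall(msg)
            if writes:  # only count requests that try to write via %n
                hits.append({"ts": m.group("ts"), "pid": int(m.group("pid")),
                             "n_writes": len(writes),
                             "spawns_shell": "/bin/sh" in msg})
        elif prog == "in.lpd":
            r = REFUSED_RE.search(msg)
            if r:
                refused[r.group(1)] += 1
    return hits, refused

if __name__ == "__main__":
    found, sources = scan_messages(SAMPLE_LOG)
    for h in found:
        print("format-string probe:", h)
    for ip, n in sources.most_common():
        print(f"refused {n} connection(s) from {ip}")
```

Point it at a real /var/adm/messages (read the file into `scan_messages`) to get the same two answers the thread arrived at by hand: which bsd-gw entries are exploit attempts, and which addresses tcp_wrappers has already turned away.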
This archive was generated by hypermail 2.1.8 : Wed Mar 23 2016 - 16:24:53 EDT