Re: under attack :-)
- To: <solomon(at-nospam)barak-online.net>
- Subject: Re: under attack :-)
- From: Tzafrir Cohen <tzafrir(at-nospam)technion.ac.il>
- Date: Wed, 26 Sep 2001 12:52:22 +0200 (IST)
- Cc: <linux-il(at-nospam)cs.huji.ac.il>
- In-Reply-To: <XFMail.20010926115246.solomon@barak-online.net>
- Sender: linux-il-bounce(at-nospam)cs.huji.ac.il
On Wed, 26 Sep 2001 solomon@barak-online.net wrote:
> For the last few days, I've had hundreds of entries like the following in
> /var/log/syslog. I'm not really worried because my firewall seems to be
> rejecting everything, but I am curious if anyone knows what this is. The SRC=
> changes, but otherwise the attack seems to be the same all the time. I tried
> traceroute, whois, and nslookup and found the attack seems to be coming from
> many locations - mostly in the US, but also from other places (like Australia).
>
> Just in the past 6 hours, I counted 590 lines like this in the log.
>
> BTW, I looked at the list archives and Google and found similar but not exactly
> the same log entries.
>
> TIA
>
> //----------from /var/log/syslog --------//
>
> Sep 26 11:07:44 shlomo1 kernel: TCP Rejected IN=ppp0 OUT= MAC=
> SRC=61.147.15.111 DST=192.117.204.140 LEN=48 TOS=0x00 PREC=0x00 TTL=104
> ID=52540 DF PROTO=TCP SPT=2399 DPT=80 WINDOW=8760 RES=0x00 SYN URGP=0
>
> Sep 26 11:07:49 shlomo1 kernel: TCP Rejected IN=ppp0 OUT= MAC=
> SRC=61.147.15.111 DST=192.117.204.140 LEN=48 TOS=0x00 PREC=0x00 TTL=104
> ID=53164 DF PROTO=TCP SPT=2399 DPT=80 WINDOW=8760 RES=0x00 SYN URGP=0
>
> Sep 26 11:10:00 shlomo1 CROND[12978]: (root) CMD ( /sbin/rmmod -as)
>
> Sep 26 11:11:02 shlomo1 pppd[12033]: rcvd [LCP EchoReq id=0x44 magic=0x26efc424]
>
> Sep 26 11:11:02 shlomo1 pppd[12033]: sent [LCP EchoRep id=0x44 magic=0xf57144b8]
>
> Sep 26 11:12:07 shlomo1 kernel: TCP Rejected IN=ppp0 OUT= MAC=
> SRC=208.134.20.15 DST=192.117.204.140 LEN=44 TOS=0x00 PREC=0x00 TTL=108
> ID=32631 DF PROTO=TCP SPT=31529 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
>
> Sep 26 11:12:10 shlomo1 kernel: TCP Rejected IN=ppp0 OUT= MAC=
> SRC=208.134.20.15 DST=192.117.204.140 LEN=44 TOS=0x00 PREC=0x00 TTL=108
> ID=22907 DF PROTO=TCP SPT=31529 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
>
> Sep 26 11:12:19 shlomo1 kernel: TCP Rejected IN=ppp0 OUT= MAC=
> SRC=212.150.113.154 DST=192.117.204.140 LEN=48 TOS=0x00 PREC=0x00 TTL=120
> ID=14013 DF PROTO=TCP SPT=2198 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
>
> Sep 26 11:12:22 shlomo1 kernel: TCP RejectedIN=ppp0 OUT= MAC=
> SRC=212.150.113.154 DST=192.117.204.140 LEN=48 TOS=0x00 PREC=0x00 TTL=120
> ID=14261 DF PROTO=TCP SPT=2198 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Let's see, this is a computer connecting to port 80 of all sorts of
people. Does it run a web server?
$ telnet 212.150.113.154 80
Trying 212.150.113.154...
Connected to 212.150.113.154.
Escape character is '^]'.
GET / HTTP/1.0
HTTP/1.1 200 Ok
Server: Microsoft-IIS/5.0
Date: Wed, 26 Sep 2001 11:42:38 GMT
Content-Type: text/html
<head><title>192.168.0.121 - /</title></head><body><H1>192.168.0.121 - /</H1><hr>
<pre> יום רביעי 07 מרץ 2001 18:15 <dir> <A HREF="/palm/">palm</A><br> יום ראשון 22 יולי 2001 20:23 <dir> <A HREF="/palmnew/">palmnew</A><br></pre><hr></body>
Connection closed by foreign host.
So is it nimda or code-red?
A couple of minutes ago the 404 error message included a javascript that
loads readme.eml (read: nimda). Now it doesn't, so maybe the server owner
has finally figured this out. Maybe...
--
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir
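As an added example, not part of the thread: a small Python parser for the netfilter "TCP Rejected" lines Solomon posted, grouping the rejected SYNs to port 80 by source address so the "many sources, each retrying a couple of times" pattern is visible without a manual count. The sample lines are the ones quoted above, re-joined onto single lines; the 64/128/255 initial-TTL table in probable_initial_ttl is a hop-distance heuristic I am assuming, not something the post states.

```python
import re

# Constructed sample: the kernel lines quoted in the post, re-joined onto one physical line each
# (the mail client wrapped them), plus one unrelated cron line to show it is skipped.
SAMPLE_LOG = """\
Sep 26 11:07:44 shlomo1 kernel: TCP Rejected IN=ppp0 OUT= MAC= SRC=61.147.15.111 DST=192.117.204.140 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=52540 DF PROTO=TCP SPT=2399 DPT=80 WINDOW=8760 RES=0x00 SYN URGP=0
Sep 26 11:07:49 shlomo1 kernel: TCP Rejected IN=ppp0 OUT= MAC= SRC=61.147.15.111 DST=192.117.204.140 LEN=48 TOS=0x00 PREC=0x00 TTL=104 ID=53164 DF PROTO=TCP SPT=2399 DPT=80 WINDOW=8760 RES=0x00 SYN URGP=0
Sep 26 11:10:00 shlomo1 CROND[12978]: (root) CMD ( /sbin/rmmod -as)
Sep 26 11:12:07 shlomo1 kernel: TCP Rejected IN=ppp0 OUT= MAC= SRC=208.134.20.15 DST=192.117.204.140 LEN=44 TOS=0x00 PREC=0x00 TTL=108 ID=32631 DF PROTO=TCP SPT=31529 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 26 11:12:10 shlomo1 kernel: TCP Rejected IN=ppp0 OUT= MAC= SRC=208.134.20.15 DST=192.117.204.140 LEN=44 TOS=0x00 PREC=0x00 TTL=108 ID=22907 DF PROTO=TCP SPT=31529 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 26 11:12:19 shlomo1 kernel: TCP Rejected IN=ppp0 OUT= MAC= SRC=212.150.113.154 DST=192.117.204.140 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=14013 DF PROTO=TCP SPT=2198 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
Sep 26 11:12:22 shlomo1 kernel: TCP RejectedIN=ppp0 OUT= MAC= SRC=212.150.113.154 DST=192.117.204.140 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=14261 DF PROTO=TCP SPT=2198 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# syslog timestamp, host, the iptables --log-prefix text, then the netfilter key=value body.
NF_LINE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
                     r"(?P<prefix>.*?)\s*(?P<body>IN=.*)$")

def parse_netfilter_line(line):
    """Fields of one netfilter LOG line as a dict, or None for any other syslog line."""
    m = NF_LINE.match(line)
    if not m:
        return None
    fields = {"ts": m.group("ts"), "prefix": m.group("prefix"), "flags": set()}
    for tok in m.group("body").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v             # SRC=, DPT=80, ...; OUT= and MAC= become ""
        else:
            fields["flags"].add(tok)  # bare tokens such as DF, SYN, ACK
    return fields

def summarize_port_scans(log_text, dport="80"):
    """Group rejected connection attempts (bare SYN) to dport by source address."""
    per_src = {}
    for line in log_text.splitlines():
        f = parse_netfilter_line(line)
        if not f or f.get("PROTO") != "TCP" or f.get("DPT") != dport:
            continue
        if "SYN" not in f["flags"] or "ACK" in f["flags"]:
            continue                  # ignore anything but a fresh connection attempt
        e = per_src.setdefault(f["SRC"], {"count": 0, "ttl": int(f["TTL"]), "first": f["ts"], "last": f["ts"]})
        e["count"] += 1
        e["last"] = f["ts"]
    return per_src

def probable_initial_ttl(ttl):
    """Assumed heuristic: smallest common initial TTL (64 Unix-like, 128 Windows, 255) the packet could have started from."""
    return next(t for t in (64, 128, 255) if t >= ttl)
```

For the sample, all three sources arrive with TTL 104 to 120, i.e. an initial TTL of 128 under that heuristic, which is consistent with the Windows/IIS hosts Tzafrir found behind one of them.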