[techtalk] Should I feel honored?
Nicole Zimmerman
colby at wsu.edu
Fri Apr 20 16:58:09 EST 2001
> Apparently, my web server has been attacked repeatedly and if the IP
> is true (If I am reading it right, maybe it is just mumbo jumbo I'm
> misinterpreting), it is coming from USC. Here is the log:
This is an attempt to attack rpc.statd. The attack failed or you wouldn't
be seeing it. Congratulations, you've passed the test ;o)
> Apr 18 15:25:08 hwnet /sbin/rpc.statd[177]: gethostbyname error for ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7\xff\xbf^[\xf7
> \xff\xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
<snip>
> Now, if I am not reading too much into it, I clearly see the IP
> "236x%n%137x%n%10x%n%192". Does that mean 236.137.10.192?
I don't think so. Every time I get this attack, I get that series of
numbers in that spot (and I get attacked a LOT).
The way I have found the IP is by running snort so the person is grabbed
by snort when the attack is made. Then I look up the IP, ping it,
traceroute it, dig it, nslookup it, check it on netcraft.com/whats to see
if it's running an HTTPd, check the website, e-mail root.
Often the people running the server, as far as I can tell, have NO idea
and I bet they were rooted by a rootkit and are being inadvertently used
to root others.
> Could it be a spoofed address? A compromised machine doing the
> scanning? Some script kiddy kid sitting in his dorm room?
Yes :o)
> What is my course of action now? My main page hasn't been defaced
> with pictures of someone's grandma in compromising poses, so I guess
> that is a good first sign the attack didn't work? Or did it work and
> my machine has been compromised and is now being used for DDoS or a
> w4r3z britney spears mp3 porn server?
Nope, the attack didn't work, good for you :o)
Try installing a tool like snort to see if it detects the source IP as it
happens. This is the only way I was able to do it.
> I will notify the sysadmin of my school district (I'm a student) of
> this of course.
>
> If that IP is true, should I be contacting a USC sysadmin? I would
> feel especially responsible if it was some poor sysadmin's compromised
> machine at another school.
Like I said, often it could be. I have had zero responses from e-mails I have
sent to ISPs and boxes (at universities, at corporate computers, personal
boxes) in response to attacks.
-nicole
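The point Nicole makes about the "236x%n%137x%n%10x%n%192" sequence can be checked mechanically: those numbers are printf field widths in a format-string payload, not an address, and the syslog line carries no source IP at all, which is why a packet-level tool such as snort is needed to learn where it came from. The following is an added example, not code from the original thread, that parses rpc.statd "gethostbyname error" lines the way a small log-triage script would: it pulls out the `%n` write directives, the `%<width>x` padding widths, the escaped raw bytes and the `\220` (0x90 NOP) run, and flags the line as a format-string attack. The sample log lines are constructed for this example, modeled on the excerpt in the post; the function and regex names are assumptions.

```python
import re

# Constructed sample lines modeled on the syslog excerpt in the post. syslog renders
# non-printable bytes as \xNN or octal \NNN escapes, so the payload survives as text.
SAMPLE_LINES = [
    r"Apr 18 15:25:08 hwnet /sbin/rpc.statd[177]: gethostbyname error for ^X\xf7\xff\xbf^X\xf7\xff\xbf"
    r"%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220",
    # Benign: a real lookup failure for an unresolvable host name (constructed)
    r"Apr 18 15:26:01 hwnet /sbin/rpc.statd[177]: gethostbyname error for nosuchhost.example",
    # Unrelated daemon, should be ignored by the statd parser (constructed)
    r"Apr 18 15:27:30 hwnet sshd[412]: Accepted password for alice from 192.0.2.10 port 51022 ssh2",
]

# Only rpc.statd host-lookup errors are of interest; everything after "for " is attacker-controlled.
STATD_RE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (?P<arg>.*)$")
WRITE_DIRECTIVE_RE = re.compile(r"%\d*n")               # %n: printf's write-to-memory directive
PAD_DIRECTIVE_RE = re.compile(r"%(\d+)x")               # %<width>x: padding that sets the byte count
NOP_RE = re.compile(r"(?:\\220){4,}")                   # \220 octal == 0x90, the i386 NOP; a run is a sled
RAW_BYTES_RE = re.compile(r"(?:\\x[0-9a-f]{2}){3}")     # escaped raw bytes such as \xf7\xff\xbf


def analyze_statd_line(line):
    """Return indicator counts for an rpc.statd gethostbyname line, or None if not one."""
    m = STATD_RE.search(line)
    if not m:
        return None
    arg = m.group("arg")
    writes = len(WRITE_DIRECTIVE_RE.findall(arg))
    pad_widths = [int(w) for w in PAD_DIRECTIVE_RE.findall(arg)]
    nop_sled = bool(NOP_RE.search(arg))
    raw_bytes = bool(RAW_BYTES_RE.search(arg))
    # Any %n in a host name is hostile by itself; a long run of %x padding next to
    # raw bytes is the same technique without the write step (a probe or a misfire).
    attack = writes > 0 or (len(pad_widths) >= 4 and raw_bytes)
    return {
        "write_directives": writes,
        "pad_widths": pad_widths,
        "nop_sled": nop_sled,
        "raw_bytes": raw_bytes,
        "format_string_attack": attack,
    }


def looks_like_ip(pad_widths):
    """The misreading from the post: four widths in a row are not an IPv4 address."""
    # Field widths are arbitrary byte counts; widths above 255 alone rule out an IP reading,
    # and nothing in a syslog text field identifies the sender anyway.
    return False if len(pad_widths) < 4 else all(0 <= w <= 255 for w in pad_widths[-4:])


def scan(lines):
    """Return the analysis of every line flagged as a format-string attack."""
    findings = []
    for line in lines:
        result = analyze_statd_line(line)
        if result and result["format_string_attack"]:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LINES):
        print("rpc.statd format-string attack:",
              f"{finding['write_directives']} %n writes,",
              f"pad widths {finding['pad_widths']},",
              f"NOP sled={finding['nop_sled']}")
```

Running it flags only the first sample line: four `%n` writes, the nine `%8x` fillers followed by the widths 236, 137, 10 and 192, a NOP sled and raw stack-looking bytes. The benign lookup failure produces no indicators, and the sshd line is skipped. Because the parsed fields never include a peer address, the script cannot answer "who did this"; that is the gap the post's advice to run snort fills.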