[techtalk] Should I feel honored?

Kath ranger at optonline.net
Fri Apr 20 21:57:55 EST 2001


Are you familiar with snort?  I'm having some problems setting it up.

- Kath

----- Original Message -----
From: "Nicole Zimmerman" <colby at wsu.edu>
To: <techtalk at linuxchix.org>
Sent: Friday, April 20, 2001 7:58 PM
Subject: Re: [techtalk] Should I feel honored?


> > Apparently, my web server has been attacked repeatedly and if the IP
> > is true (If I am reading it right, maybe it is just mumbo jumbo I'm
> > misinterpreting), it is coming from USC. Here is the log:
>
> This is an attempt to attack rpc.statd. The attack failed or you wouldn't
> be seeing it. Congratulations, you've passed the test ;o)
>
> > Apr 18 15:25:08 hwnet /sbin/rpc.statd[177]: gethostbyname error for
> > ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7
> > \xff\xbf^[\xf7
> >
> > \xff\xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n
> > \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> > \220\2
>
> <snip>
>
> > Now, if I am not reading too much into it, I clearly see the IP
> > "236x%n%137x%n%10x%n%192".  Does that mean 236.137.10.192?
>
> I don't think so. Every time I get this attack, I get that series of
> numbers in that spot (and I get attacked a LOT).
>
> The way I have found the IP is by running snort so the person is grabbed
> by snort when the attack is made. Then I look up the IP, ping it,
> traceroute it, dig it, nslookup it, check it on netcraft.com/whats to see
> if it's running an HTTPd, check the website, e-mail root.
>
> Often the people running the server, as far as I can tell, have NO idea
> and I bet they were rooted by a rootkit and are being inadvertently used
> to root others.
>
> > Could it be a spoofed address?  A compromised machine doing the
> > scanning?  Some script kiddy kid sitting in his dorm room?
>
> Yes :o)
>
> > What is my course of action now?  My main page hasn't been defaced
> > with pictures of someone's grandma in compromising poses, so I guess
> > that is a good first sign the attack didn't work?  Or did it work and
> > my machine has been compromised and is now being used for DDoS or a
> > w4r3z britney spears mp3 porn server?
>
> Nope, the attack didn't work, good for you :o)
>
> Try installing a tool like snort to see if it detects the source IP as it
> happens. This is the only way I was able to do it.
>
> > I will notify the sysadmin of my school district (I'm a student) of
> > this of course.
> >
> > If that IP is true, should I be contacting a USC sysadmin?  I would
> > feel especially responsible if it was some poor sysadmin's compromised
> > machine at another school.
>
> Like I said, often it could. I have had zero responses from e-mails I have
> sent to ISPs and boxes (at universities, at corporate computers, personal
> boxes) in response to attacks.
>
> -nicole
>
>
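Added example, not part of the original thread: a small log scanner a defender could run over syslog to flag the rpc.statd "gethostbyname error" lines discussed above, and to show that the "%236x%n%137x%n..." run is a set of printf field widths feeding %n writes, not an IP address. The two sample log lines are constructed; the second is a shortened version of the kind of payload quoted in the thread.

```python
import re

# Constructed sample syslog lines (not from the original post): one benign
# rpc.statd lookup failure and one carrying the format-string payload pattern
# quoted in the thread (shortened; the real one is much longer).
SAMPLE_LOG = r"""
Apr 18 15:20:01 hwnet /sbin/rpc.statd[177]: gethostbyname error for nfsclient.example.lan
Apr 18 15:25:08 hwnet /sbin/rpc.statd[177]: gethostbyname error for ^X\xf7\xff\xbf^X\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220
""".strip()

STATD_RE = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (?P<name>.*)$")
# "%<width>x%n": pad the %x output to <width> characters, then %n writes the
# running character count. The widths steer the written value; they are not
# octets of an address.
WIDTH_N_RE = re.compile(r"%(\d+)x%n")

def analyse_line(line):
    """Return None for non-statd lines, else a dict describing the lookup name."""
    m = STATD_RE.search(line)
    if not m:
        return None
    name = m.group("name")
    indicators = []
    if "%n" in name:
        indicators.append("%n write directive")
    if len(re.findall(r"%\d*x", name)) >= 4:
        indicators.append("stack-walking %x run")
    # syslog escapes byte 0x90 as \220; a run of them is a NOP sled
    if name.count(r"\220") >= 4 or name.count("\x90") >= 4:
        indicators.append("NOP sled (0x90)")
    widths = [int(w) for w in WIDTH_N_RE.findall(name)]
    return {"suspicious": bool(indicators), "indicators": indicators,
            "widths": widths, "hostname": name}

def scan(log_text):
    """Analyse every rpc.statd gethostbyname line in a block of syslog text."""
    return [r for r in (analyse_line(l) for l in log_text.splitlines()) if r]

if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["suspicious"], r["indicators"], r["widths"])
```

Remember this only confirms a malformed hostname reached rpc.statd; as Nicole notes, the source address is not in the log line, so a sniffer or IDS on the wire is still needed to attribute it.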