[H-GEN] strobe

Rob Kearey r.kearey at mailbox.uq.edu.au
Tue Apr 20 19:23:10 EDT 1999


(Note reply-to: being general at humbug.org.au vs Rob Kearey <r.kearey at mailbox.uq.edu.au>)

Robert Brockway wrote:

> Hi all.  Quentin and I have identified that various machines in the
> humbug.org.au domain were strobed from the machine dns.cni.co.jp at
> approximately 11:18am on 20/4/99 AEST.
> 
> Could others check their logs and see how widely we were strobed.
> 
> dns.cni.co.jp is a Linux box running 2.0.33, and looks pretty insecure.
> Quentin suggests it may have been hacked, and I tend to agree.
> Cheers,

Have you informed AUSCERT? They'd be interested in this, if only for
data gathering purposes.

While I'm here, I might as well say that I'm using isinglas, the
ipchains scripting tool to set up my personal firewall. It's logging
stuff like mad, along the lines of:

Apr 21 09:21:13 ningaui kernel: Packet log: inp DENY eth0 PROTO=17 130.102.128.30:520 130.102.128.255:520 L=532 S=0x00 I=13147 F=0x0000 T=1
Apr 21 09:21:13 ningaui kernel: Packet log: inp DENY eth0 PROTO=17 130.102.128.30:520 130.102.128.255:520 L=312 S=0x00 I=13148 F=0x0000 T=1
Apr 21 09:21:15 ningaui kernel: Packet log: inp DENY eth0 PROTO=17 130.102.128.59:123 130.102.128.255:123 L=76 S=0x00 I=45254 F=0x0000 T=30
Apr 21 09:21:17 ningaui kernel: Packet log: inp DENY eth0 PROTO=17 203.22.86.100:123 130.102.128.255:123 L=76 S=0x00 I=44535 F=0x4000 T=253

... which is most annoying. Can anybody see what it is that I've
misconfigured?

>         -Robert

-- 
Robert Kearey           Network Services        
ITS                     University of Queensland
Post No Gravy           I don't speak for my employer
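
An added example, not part of the original message: a short Python summary of ipchains packet-log lines like those quoted above, grouping denied packets by destination, port and service. The sample is the four log lines from the message with wrapped lines rejoined; the function names are illustrative, and the `.255` broadcast test assumes a /24-style netmask, which the message does not state.

```python
import re
from collections import Counter

# ipchains "Packet log" line: chain, verdict, interface, IP protocol number,
# then source addr:port and destination addr:port (L=/S=/I=/F=/T= are ignored).
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
UDP_SERVICES = {520: "RIP", 123: "NTP"}  # well-known UDP ports seen in the sample

# Log lines from the message above, wrapped lines rejoined.
SAMPLE = """\
Apr 21 09:21:13 ningaui kernel: Packet log: inp DENY eth0 PROTO=17 130.102.128.30:520 130.102.128.255:520 L=532 S=0x00 I=13147 F=0x0000 T=1
Apr 21 09:21:13 ningaui kernel: Packet log: inp DENY eth0 PROTO=17 130.102.128.30:520 130.102.128.255:520 L=312 S=0x00 I=13148 F=0x0000 T=1
Apr 21 09:21:15 ningaui kernel: Packet log: inp DENY eth0 PROTO=17 130.102.128.59:123 130.102.128.255:123 L=76 S=0x00 I=45254 F=0x0000 T=30
Apr 21 09:21:17 ningaui kernel: Packet log: inp DENY eth0 PROTO=17 203.22.86.100:123 130.102.128.255:123 L=76 S=0x00 I=44535 F=0x4000 T=253
"""

def parse(line):
    """Return the fields of one packet-log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def is_broadcast(addr):
    # Assumption: /24-style directed broadcast (or 255.255.255.255).
    return addr.endswith(".255")

def summarise(text):
    """Count logged packets by (verdict, broadcast/unicast, destination, port, service)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        kind = "broadcast" if is_broadcast(rec["dst"]) else "unicast"
        service = UDP_SERVICES.get(rec["dport"], "?") if rec["proto"] == 17 else "?"
        counts[(rec["verdict"], kind, rec["dst"], rec["dport"], service)] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarise(SAMPLE).most_common():
        print(n, *key)
```

On the four sample lines, every denied packet is UDP (PROTO=17) addressed to 130.102.128.255 on port 520 (RIP) or 123 (NTP).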
