[H-GEN] FTP login by wtmp?

Martin Pool martinp at mincom.com
Tue Aug 17 20:31:09 EDT 1999


[ Humbug *General* list - semi-serious discussions about Humbug and
Unix-related topics. ]

>Hehe...the 8 second hack sounded pretty cool (if it is real, that is).

It sounds pretty plausible.

>>Fortunately, they only ran the script on the ftp xferlog, and did not
>>bother with the system log or with the ippl log, so we have a complete
>>audit trail of their access attempts. Which leads me to believe that the
>>attacker(s) was only a scriptkiddy.

Or they didn't care enough to edit them.

>What if they were relaying through that machine, rather than originating
>from it?
>
>Yeah, considered that, however the originating IP addresses seem very much
>like terminal server addresses, vis:
>
>Aug 16 06:22:28 port 40000 connection attempt from p48-max4.chc.ihug.co.nz
>[207.214.13.175] (207.214.13.175:37188->139.130.67.107:40000)
>Aug 16 14:23:31 ICMP message type echo reply from p79-max16.chc.ihug.co.nz
>[216.100.148.83] (216.100.148.83->203.108.63.250)

Sure, probably the address is a dialup at ihug.co.nz.  But what if the
machine connected to that port was itself compromised and forwarding
packets to you from somewhere else?  For example, suppose it's a Unix
machine that was compromised by the same attack; or a wingate box in
promiscuous IP-forwarding mode.  

>Redhat seem to be a bit slow with
>releasing updates, and if you just get binary rpms, you can't verify
>problems by looking at the source.

Try OpenBSD <0.5 wink>.  

--
Martin

-- 
 /\\\  Mincom | Martin Pool          | martinp at mincom.com
// \\\        | Software Engineer    | Phone: +61 7 3303-3333
\\ ///        | Mincom Ltd.          | 
 \///         | Teneriffe, Brisbane  | Speaking for myself only


--
This is list (humbug) general handled by majordomo at lists.humbug.org.au .
Postings only from subscribed addresses of lists general or general-post.
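The thread's point is that an attacker who scrubs only the ftp xferlog leaves the ippl connection log intact, so the two can be cross-checked. Below is an added example (not code from the thread or from either poster) that parses ippl "connection attempt" lines in the format quoted above and lists FTP sources that ippl recorded but that never appear in xferlog. The two ihug.co.nz lines are the ones quoted in the thread; the remaining log lines, the example.net hostnames and the 192.0.2.x / 198.51.100.x addresses are constructed for the example.

```python
import re

# Regex for ippl "connection attempt" lines in the format quoted in the thread.
IPPL_CONN = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) port (?P<port>\d+) connection attempt from "
    r"(?P<host>\S+) \[(?P<ip>[\d.]+)\] "
    r"\((?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\)$"
)

# Constructed sample ippl log: two lines quoted in the thread plus two invented FTP attempts.
IPPL_LOG = """\
Aug 16 06:22:28 port 40000 connection attempt from p48-max4.chc.ihug.co.nz [207.214.13.175] (207.214.13.175:37188->139.130.67.107:40000)
Aug 16 06:25:40 port 21 connection attempt from dialup-a.example.net [192.0.2.10] (192.0.2.10:1041->139.130.67.107:21)
Aug 16 06:31:02 port 21 connection attempt from dialup-b.example.net [198.51.100.7] (198.51.100.7:1502->139.130.67.107:21)
Aug 16 14:23:31 ICMP message type echo reply from p79-max16.chc.ihug.co.nz [216.100.148.83] (216.100.148.83->203.108.63.250)
"""

# Constructed wu-ftpd style xferlog: only one of the two FTP sources transferred a file.
XFERLOG = """\
Mon Aug 16 06:26:12 1999 1 192.0.2.10 1200 /pub/README a _ o a guest@ ftp 0 * c
"""

def parse_ippl(text):
    """Return one dict per TCP connection-attempt line; ICMP and other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = IPPL_CONN.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("port", "sport", "dport"):
                rec[key] = int(rec[key])
            records.append(rec)
    return records

def xferlog_hosts(text):
    """Remote hosts named in xferlog lines: field 7, after the 5-field date and transfer time."""
    hosts = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 7:
            hosts.add(fields[6])
    return hosts

def ftp_sources_missing_from_xferlog(ippl_text, xferlog_text, ftp_port=21):
    """Sources ippl saw reaching the FTP port that never appear in xferlog.
    A hit is either a session that transferred nothing or an xferlog that was edited."""
    seen = {r["src"] for r in parse_ippl(ippl_text) if r["dport"] == ftp_port}
    return sorted(seen - xferlog_hosts(xferlog_text))

if __name__ == "__main__":
    print(ftp_sources_missing_from_xferlog(IPPL_LOG, XFERLOG))  # ['198.51.100.7']
```

On the sample data the second dialup shows up in ippl but not in xferlog, which is exactly the kind of gap the thread describes finding after the xferlog was cleaned.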


