[1951] in linux-security and linux-alert archive


[linux-security] tcpd anomaly

daemon@ATHENA.MIT.EDU (Pluto)
Thu Jul 2 02:30:29 1998

Date: Wed, 1 Jul 1998 21:59:07 +0200 (CEST)
From: Pluto <pluto@pizzaservice.de>
Reply-To: pluto@pizzaservice.de
To: Linux Security <linux-security@redhat.com>
In-Reply-To: <199807010231.EAA18365@iconnect.de>
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com

  Salve,

  I'm protecting hades with the tcpd wrappers and had no problems so far,
at least none that I noticed.

  Today something strange happened. An attacker got a connect on a
protected port from a not-allowed IP:

> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
  BTW, thanks for that tool.

> Jul 1 03:34:56 hades in.null[18321]: twist
> slip139-92-93-124.hol.ch.ibm.net to perl /usr/sbin/get_em.pl
> 139.92.93.124 unknown slip139-92-93-124.hol.ch.ibm.net in.null 2>>
> /var/log/get_em_err

  This is OK and has happened a dozen times a week in the last year. He
comes from ch.ibm.net where only de.ibm.net is allowed and is routed to a
little homegrown script that logs some stuff like traceroute and finger.

> Jul 1 03:35:00 hades in.null[18324]: twist
> slip139-92-93-124.hol.ch.ibm.net to perl /usr/sbin/get_em.pl
> 139.92.93.124 unknown slip139-92-93-124.hol.ch.ibm.net in.null 2>>
> /var/log/get_em_err

  And again, still OK.

> Jul 1 03:35:05 hades in.telnetd[18327]: connect from
> slip139-92-93-124.hol.ch.ibm.net

  But now that! This hasn't happened before, and I think the fast reconnects
after 4-5 sec. are on purpose; nobody has done it like that before, and I
got a lot more of this in the logfiles.
  Seems like tcpd is still busy with the last two scripts and doesn't even
look at the connect. Or am I missing something? Do the scripts have to have
a '&' at the end of the line to prevent it? Or is it a bug of the tcpd
wrappers?

  Yours troubled

  Pluto  -  SysAdmin of Hades
  We are NSA, your mail will be scrutinized, resistance is futile! =:-)
  Key fingerprint: 1F 3F EA 94 D0 56 A6 86  4D 19 C4 56 6C F9 43 44

Boren's Laws:
	(1) When in charge, ponder.
	(2) When in trouble, delegate.
	(3) When in doubt, mumble.

-- 
----------------------------------------------------------------------
Please refer to the information about this list as well as general
information about Linux security at http://www.aoy.com/Linux/Security.
----------------------------------------------------------------------

To unsubscribe:
  mail -s unsubscribe linux-security-request@redhat.com < /dev/null
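Added example, not from the post above and not part of the tcp_wrappers distribution: a small Python checker that reads tcpd syslog lines of the shape Pluto quotes (each one a single syslog line, as it is before mail wrapping; year assumed 1998; sample lines constructed) and flags two things a log reviewer would want from this thread: a host that reconnects in a burst within a few seconds, and a host that was twisted or refused and then shows up as an allowed "connect from" on another daemon shortly after. The "refused connect from" wording is tcpd's own deny message; the window sizes are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample, modelled on the lines quoted in the post (year assumed 1998).
SAMPLE_LOG = """\
Jul  1 03:34:56 hades in.null[18321]: twist slip139-92-93-124.hol.ch.ibm.net to perl /usr/sbin/get_em.pl
Jul  1 03:35:00 hades in.null[18324]: twist slip139-92-93-124.hol.ch.ibm.net to perl /usr/sbin/get_em.pl
Jul  1 03:35:05 hades in.telnetd[18327]: connect from slip139-92-93-124.hol.ch.ibm.net
Jul  1 03:40:10 hades in.ftpd[18400]: refused connect from slip139-92-93-124.hol.ch.ibm.net
Jul  1 09:12:00 hades in.telnetd[19001]: connect from workstation.de.ibm.net
"""

# tcpd logs "twist HOST to CMD", "refused connect from HOST" or "connect from HOST".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<daemon>[\w.]+)\[\d+\]: "
    r"(?P<action>twist|refused connect from|connect from) (?P<host>\S+)"
)
VERDICT = {"twist": "twist", "refused connect from": "deny", "connect from": "allow"}

def parse_tcpd_log(text, year=1998):
    """Return a time-sorted list of {ts, daemon, verdict, host} dicts; skips other lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog omits the year, so it is supplied by the caller
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append({"ts": ts, "daemon": m["daemon"],
                           "verdict": VERDICT[m["action"]], "host": m["host"]})
    return sorted(events, key=lambda e: e["ts"])

def find_bursts(events, window_secs=10, min_events=3):
    """(host, first_ts, count) for each host with >= min_events inside one window."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    bursts = []
    for host, evs in by_host.items():
        start = 0
        for end in range(len(evs)):  # sliding window over the host's sorted events
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_secs:
                start += 1
            if end - start + 1 >= min_events:
                bursts.append((host, evs[start]["ts"], end - start + 1))
                break
    return bursts

def allowed_after_block(events, window_secs=60):
    """(host, daemon, gap_secs) where a twisted/refused host is allowed soon after."""
    hits, last_block = [], {}
    for e in events:
        if e["verdict"] in ("twist", "deny"):
            last_block[e["host"]] = e
        elif e["host"] in last_block:
            gap = (e["ts"] - last_block[e["host"]]["ts"]).total_seconds()
            if gap <= window_secs:
                hits.append((e["host"], e["daemon"], gap))
    return hits
```

Running it over the sample reports one burst of three connects from the ch.ibm.net host and one allowed in.telnetd connect five seconds after that host was last twisted, which is exactly the sequence the post describes; the rule set itself still has to be checked with tcpdmatch.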

