[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[no subject]
- <!--x-content-type: text/plain -->
- <!--x-date: Wed Mar 17 23:50:24 2004 -->
- <!--x-from-r13: wnzrf ng fhzaref.ngu.pk (Xnzrf Ehzaref) -->
- <!--x-message-id: [email protected] -->
- <!--x-reference: [email protected] -->
- <!--x-reference: 01f601c40ca2$231e7390$0700a8c0@nick --> "http://www.w3.org/TR/html4/loose.dtd">
- <!--x-subject: [ale] Error messages -->
- <li><em>date</em>: Wed Mar 17 23:50:24 2004</li>
- <li><em>from</em>: james at sumners.ath.cx (James Sumners)</li>
- <li><em>in-reply-to</em>: <01f601c40ca2$231e7390$0700a8c0@nick></li>
- <li><em>references</em>: <<a href="msg00651.html">[email protected]</a>> <01f601c40ca2$231e7390$0700a8c0@nick></li>
- <li><em>subject</em>: [ale] Error messages</li>
On Wed, 17 Mar 2004 23:33:17 -0500
"Nick Travis" <lists at wormfishin.com> wrote:
> Now that I've been comprimised, is my only safe option to reinstall? I
> assume something else could have been hidden somewhere for future use?
>
> Nick
>
> ----- Original Message -----
> From: "Stephan Uphoff" <ups at tree.com>
> To: "Atlanta Linux Enthusiasts" <ale at ale.org>
> Sent: Wednesday, March 17, 2004 7:17 PM
> Subject: Re: [ale] Error messages
>
>
> >
> > Time to re-install from scratch.
> > Looks like a rpc.statd exploit.
> > Is this a Redhat 6.2 system or older ?
> > ( <a rel="nofollow" href="http://www.securityfocus.com/bid/1480";>http://www.securityfocus.com/bid/1480</a> )
> >
> > Use a firewall !
> >
> > Stephan
> >
> > Nick Travis wrote:
> > > I got an email from my ISP today saying that they think I have a virus
> on my
> > > network, The public IP address that they saw the traffic on is a linux
> > > webserver(running red hat), I checked out my /var/log/messages and this
> is
> > > what I found:
> > > Mar 15 04:02:00 web anacron[3212]: Updated timestamp for job
> `cron.daily' to
> > > 2004-03-15
> > > Mar 16 04:02:01 web anacron[3732]: Updated timestamp for job
> `cron.daily' to
> > > 2004-03-16
> > > Mar 16 06:09:49 web rpc.statd[362]: gethostbyname error for
> > > ^X???^X???^Y???^Y???^Z???^Z???^[???^[???bffff750 8049710 8052c1868746567
> > > 6274736f6d616e797265206520726f7220726f66
> > >
> > > bffff718
> > > bffff719 bffff71a
> > >
> > > bffff71b~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > >
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > >
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > >
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > >
> P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~
> > > P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P~P
> > > Mar 16 06:51:26 web kernel: linsniffer uses obsolete
> (PF_INET,SOCK_PACKET)
> > > Mar 16 06:51:26 web kernel: eth0: Promiscuous mode enabled.
> > > Mar 16 06:51:26 web kernel: device eth0 entered promiscuous mode
> > > Mar 16 09:37:37 web kernel: neighbour table overflow
> > > Mar 16 09:37:37 web last message repeated 9 times
> > > Mar 16 09:38:37 web kernel: NET: 253 messages suppressed.
> > > Mar 16 09:38:37 web kernel: neighbour table overflow
> > > Mar 16 09:38:39 web last message repeated 9 times
> > > Mar 16 09:38:45 web kernel: NET: 220 messages suppressed.
> > > Mar 16 09:38:45 web kernel: neighbour table overflow
> > > Mar 16 09:38:47 web kernel: NET: 962 messages suppressed.
> > > Mar 16 09:38:47 web kernel: neighbour table overflow
> > > Mar 16 09:38:52 web kernel: NET: 3353 messages suppressed.
> > > Mar 16 09:38:52 web kernel: neighbour table overflow
> > > Mar 16 09:38:57 web kernel: NET: 3638 messages suppressed.
> > > Mar 16 09:38:57 web kernel: neighbour table overflow
> > > Mar 16 09:39:02 web kernel: NET: 3482 messages suppressed.
> > > Mar 16 09:39:02 web kernel: neighbour table overflow
> > > Mar 16 09:39:07 web kernel: NET: 3524 messages suppressed.
> > > Mar 16 09:39:07 web kernel: neighbour table overflow
> > > Mar 16 09:39:12 web kernel: NET: 3526 messages suppressed.
> > > Mar 16 09:39:12 web kernel: neighbour table overflow
> > > Mar 16 09:39:17 web kernel: NET: 3525 messages suppressed.
> > >
> > > I continued getting these messages every 5 seconds until 3:30pm on the
> 16th
> > > and it suddenly stopped. Has anyone seen this before? According to the
> log
> > > file the last time someone logged in was the 14th, which was me, and I'm
> the
> > > only one with access to the system. My ISP gave me the following log:
> > >
> > > Time Zone: UTC
> > >
> > > Event Date Time, Destination IP, IP Protocol, Target Port, Issue
> > > Description, Source Port, Event Count
> > >
> > > EventRecord: 16 Mar 2004 20:01:47, 10.1.x.x, 6, 111, RPC Exploits, 3990,
> 1
> > >
> > > EventRecord: 16 Mar 2004 19:59:28, 69.162.x.x, 6, 111, RPC Exploits,
> 4699, 1
> > >
> > > EventRecord: 16 Mar 2004 19:57:50, 69.162.x.x, 6, 111, RPC Exploits,
> 4766, 1
> > >
> > > EventRecord: 16 Mar 2004 19:26:16, 69.140.x.x, 6, 111, RPC Exploits,
> 4730, 1
> > >
> > > EventRecord: 16 Mar 2004 18:05:04, 69.81.x.x, 6, 111, RPC Exploits,
> 3428, 1
> > >
> > > EventRecord: 16 Mar 2004 16:53:43, 69.40.x.x, 6, 111, RPC Exploits,
> 3267, 1
> > >
> > > EventRecord: 16 Mar 2004 15:19:00, 69.22.x.x, 6, 111, RPC Exploits,
> 3433, 1
> > >
> > > Any thoughts would be greatly appriciated.
> > >
> > >
> > >
> > > Nick
> >
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
> >
>
>
>
> --
> This message has been scanned for viruses and
> dangerous content by MailScanner, and is
> believed to be clean.
> If you have any questions please contact nick at precisionmillworks.com
> Mailscanner thanks transtec Computers for their support.
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> <a rel="nofollow" href="http://www.ale.org/mailman/listinfo/ale";>http://www.ale.org/mailman/listinfo/ale</a>
--
I used to be interested in Windows NT, but the more I see of it the more it
looks like traditional Windows with a stabler kernel. I don't find anything
technically interesting there. In my opinion MS is a lot better at making money
than it is at making good operating systems. -- Linus Torvalds
</pre>
<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->
<hr>
<!--X-Follow-Ups-End-->
<!--X-References-->
<ul><li><strong>References</strong>:
<ul>
<li><strong><a name="00651" href="msg00651.html">[ale] Error messages</a></strong>
<ul><li><em>From:</em> ups at tree.com (Stephan Uphoff)</li></ul></li>
<li><strong><a name="00653" href="msg00653.html">[ale] Error messages</a></strong>
<ul><li><em>From:</em> lists at wormfishin.com (Nick Travis)</li></ul></li>
</ul></li></ul>
<!--X-References-End-->
<!--X-BotPNI-->
<ul>
<li>Prev by Date:
<strong><a href="msg00653.html">[ale] Error messages</a></strong>
</li>
<li>Next by Date:
<strong><a href="msg00657.html">[ale] [OT] Writing a parser</a></strong>
</li>
<li>Previous by thread:
<strong><a href="msg00653.html">[ale] Error messages</a></strong>
</li>
<li>Next by thread:
<strong><a href="msg00658.html">[ale] Error messages</a></strong>
</li>
<li>Index(es):
<ul>
<li><a href="maillist.html#00654"><strong>Date</strong></a></li>
<li><a href="threads.html#00654"><strong>Thread</strong></a></li>
</ul>
</li>
</ul>
<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->
</body>
</html>