From: 520023893678-0001@t-online.de (P. U. Kruppa)
Date: Fri, 17 Jan 2003 15:42:10 +0000 (GMT)
To: Jim Freeze
Cc: FreeBSD Questions
Subject: Re: Possible attack?
In-Reply-To: <20030117093453.A9304@freeze.org>
Message-ID: <20030117153728.C34734@small.pukruppa.de>
References: <20030117093453.A9304@freeze.org>

On Fri, 17 Jan 2003, Jim Freeze wrote:

> Hi:
>
> I got an interesting log report today.
> Has anyone seen such messages lately?
>
> Jan 14 12:59:52 rabbit /kernel: ipfw: limit 100 reached on entry 64000
> Jan 14 17:39:13 rabbit ftpd[1502]: ANONYMOUS FTP LOGIN REFUSED FROM
> p5089A961.dip.t-dialin.net
> Jan 14 17:39:13 rabbit ftpd[1503]: ANONYMOUS FTP LOGIN REFUSED FROM
> p5089A961.dip.t-dialin.net
> Jan 15 12:15:21 rabbit sm-mta[3937]: h0FHFIJI003936: Truncated MIME
> Content-Disposition header due to
> field size (length = 25) (possible attack)
> Jan 15 17:33:03 rabbit ftpd[4434]: ANONYMOUS FTP LOGIN REFUSED FROM
> pD9E60C0F.dip.t-dialin.net
> Jan 15 17:33:04 rabbit ftpd[4435]: ANONYMOUS FTP LOGIN REFUSED FROM
> pD9E60C0F.dip.t-dialin.net
> Jan 15 23:59:48 rabbit sm-mta[5210]: h0G4xkJI005209: Truncated MIME
> Content-Disposition header due to
> field size (length = 22) (possible attack)

Now, I don't know if this is something serious, but I can tell you
the "attacker" is a client of the German Telekom. Since you know the
exact date and time of these events and Telekom has its own logs, he
can be identified if something serious happens.

Uli.

>
>
>
> --
> Jim Freeze
> ----------
> "It's not Camelot, but it's not Cleveland, either."
> -- Kevin White, mayor of Boston
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
>

*-----------------------------------*
*        Peter Ulrich Kruppa        *
*           - Wuppertal -           *
*              Germany              *
*-----------------------------------*
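
Added example, not part of the original thread: a provider can only match a dial-in hostname to a customer if the report carries an unambiguous timestamp, and syslog lines have neither year nor time zone. This sketch groups the refused FTP logins by source host and converts the times to UTC. The year comes from the message date; the UTC-5 offset of the logging host is an assumption, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Log lines quoted in the thread, with the mail client's line wraps rejoined.
SAMPLE_LOG = """\
Jan 14 12:59:52 rabbit /kernel: ipfw: limit 100 reached on entry 64000
Jan 14 17:39:13 rabbit ftpd[1502]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
Jan 14 17:39:13 rabbit ftpd[1503]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
Jan 15 12:15:21 rabbit sm-mta[3937]: h0FHFIJI003936: Truncated MIME Content-Disposition header due to field size (length = 25) (possible attack)
Jan 15 17:33:03 rabbit ftpd[4434]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
Jan 15 17:33:04 rabbit ftpd[4435]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
"""

FTP_REFUSED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ftpd\[\d+\]: "
    r"ANONYMOUS FTP LOGIN REFUSED FROM (?P<host>\S+)$"
)


def refused_logins(log_text, year, utc_offset_hours):
    """Map each source host to the UTC times of its refused anonymous logins.

    year and utc_offset_hours must be supplied by the operator because
    classic syslog timestamps carry neither.
    """
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        m = FTP_REFUSED.match(line.strip())
        if not m:
            continue  # other daemons (ipfw, sm-mta) are out of scope here
        local = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        by_host[m["host"]].append(
            local.replace(tzinfo=local_tz).astimezone(timezone.utc)
        )
    return dict(by_host)


def abuse_report(by_host):
    """One line per event, sorted by host, ready to paste into an abuse mail."""
    return [
        f"{t:%Y-%m-%d %H:%M:%S} UTC  {host}"
        for host, times in sorted(by_host.items())
        for t in times
    ]


if __name__ == "__main__":
    # Assumption: the logging host runs at UTC-5; adjust to the real offset.
    print("\n".join(abuse_report(refused_logins(SAMPLE_LOG, 2003, -5))))
```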