From owner-freebsd-security Sat Jun 10 8:20:53 2000 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 3268E37B8AE for ; Sat, 10 Jun 2000 08:20:48 -0700 (PDT) (envelope-from robert@fledge.watson.org) Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id LAA04520; Sat, 10 Jun 2000 11:20:28 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Sat, 10 Jun 2000 11:20:28 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Darren Reed Cc: security@freebsd.org Subject: Re: cybercop scan from 202.106.149.47 In-Reply-To: <200006100414.OAA04399@avalon.reed.wattle.id.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Sat, 10 Jun 2000, Darren Reed wrote: > did anyone else get that syslog message ? NAI's vulnerability scanner, CyberCop, will notify the machine being scanned that the scanning is occurring. When doing so, it chooses a level of emerg, resulting in syslogd sending the message to all users. In recent versions of FreeBSD, I believe the default arguments to syslogd cause it to ignore network-sourced syslog packets (-s?). For whatever reason, freefall's /etc has not been updated to do that. It sounds like someone grabbed a copy of CyberCop and is using it to scan for potential targets, not knowing that it causes bright lights to flash :-). There should also be lots of other evidence of the scan in the system logs. Robert N M Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: AF B5 5F FF A6 4A 79 37 ED 5F 55 E9 58 04 6A B1 TIS Labs at Network Associates, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message