Date:      Tue, 18 May 1999 08:50:43 -0400
From:      Keith Stevenson <k.stevenson@louisville.edu>
To:        freebsd-security@freebsd.org
Subject:   Re: Interesting Attack
Message-ID:  <19990518085043.A6970@homer.louisville.edu>
In-Reply-To: <Pine.OSF.4.10.9905180915360.6232-100000@bragg>; from Kris Kennaway on Tue, May 18, 1999 at 09:19:18AM +0930
References:  <xzpr9ofqsk1.fsf@localhost.ping.uio.no> <Pine.OSF.4.10.9905180915360.6232-100000@bragg>

On Tue, May 18, 1999 at 09:19:18AM +0930, Kris Kennaway wrote:
> 
> I was getting hundreds of similar packets per day here a few weeks ago, almost
> all from different sites, all from spoofed source addresses, to a nonexistent
> IP address and on an unobtrusive port number (1584) but the common thread was
> that all of the source hosts were running an IRC daemon. I never did find out
> conclusively what it was, but my guess is that someone was using my source
> address to spoof packets from, and I was seeing reverse probes by the IRC
> server.
> 
> It all stopped when I turned on IP unreachables on my firewall.

We just had a Linux box fall victim to the WuFTPD/realpath(3) exploit.  The
cracker installed a slew of IRC tools, a sniffer, and a scanner which behaved
very similarly to what you described.  Thankfully it was on a switched network
which limited the damage done by the sniffer, and the script-kiddie who broke
in neglected to install the trojans included in his root-kit.  This made the
ircd very easy to find once the Linux-user noticed that his system load was
awfully high.

Anyway, since this thing had "root-kit" written all over it, it wouldn't
surprise me in the slightest if there are lots of broken linux boxen on the
internet running these scans.

Regards,
--Keith Stevenson--

-- 
Keith Stevenson
System Programmer - Data Center Services - University of Louisville
k.stevenson@louisville.edu
PGP key fingerprint =  4B 29 A8 95 A8 82 EA A2  29 CE 68 DE FC EE B6 A0

