[Wlug] Someone's hammering....

Theo Van Dinter felicity@kluge.net
Fri, 22 Jun 2001 10:42:17 -0400


On Fri, Jun 22, 2001 at 10:29:38AM -0400, Peter Gutowski wrote:
> Jun 22 05:17:53 host SERVER[18075]: Dispatch_input: bad request line '.....
> 
> followed by a lot of binary bytes ending in "/bin/sh"
> 
> I'm guessing that whoever is trying this is [so far] being kept out, but I guess I'd like to know what is being hammered on as "SERVER" doesn't provide much help. Any ideas?

Well, I would probably do a few things --

1) Verify that this person hasn't broken in yet (check for odd accounts in
   /etc/passwd, look for rootkits -- you'll probably want to go boot off a CD
   for this, verify that system binaries haven't changed (ls, login, telnetd,
   sshd), etc.)
2) If PID 18075 isn't constantly running, it's probably something out of
   inetd.  I would probably set up a packet sniffer and watch traffic to your
   box.  That will hopefully tell you 1) which daemon is being attacked, and
   2) what IP/network/etc is attacking you.
3) Once you have enough information, I'd firewall the attacker out and
   contact the remote administrator about the security violation.


And if you haven't already, make sure you're up-to-date WRT packages.

-- 
Randomly Generated Tagline:
Personally, I think my choice in the mostest-superlative-computer wars has to
 be the HP-48 series of calculators.  They'll run almost anything.  And if they
 can't, while I'll just plug a Linux box into the serial port and load up the
 HP-48 VT-100 emulator.
 (By jdege@winternet.com, Jeff Dege)
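The three triage steps in Theo's reply, as an added example that is not part of the original thread: a small POSIX shell script that (1) looks for extra UID-0 and empty-password accounts in a passwd file and checks system binaries against a checksum baseline, (2) pulls the PID out of a syslog line of the form shown above so it can be matched against `ps`, and (3) builds a firewall rule for an attacker address only after validating it. The passwd entries, the log line and the `/tmp` files are constructed sample input; `sha256sum` (GNU coreutils) and `iptables` are assumed tools, and the rule is printed rather than executed.

```shell
#!/bin/sh
# Added example for the triage steps in the reply above; not code from the
# original post. Runs offline on constructed sample data.

# --- Step 1a: odd accounts in /etc/passwd ---
# Constructed sample passwd content; "toor" and "guest" are hypothetical.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
toor:x:0:0:backdoor:/:/bin/sh
guest::1001:1001::/home/guest:/bin/sh'

# Print usernames that have UID 0 but are not "root" (a classic backdoor).
find_extra_uid0() {
    printf '%s\n' "$1" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print usernames whose password field is empty (login without a password).
find_empty_password() {
    printf '%s\n' "$1" | awk -F: '$2 == "" { print $1 }'
}

# --- Step 1b: have system binaries changed? ---
# Record a baseline of checksums while booted from trusted media, then
# compare the live system against it later.  $1 = baseline file, rest = paths.
make_baseline() {
    out=$1; shift
    sha256sum "$@" > "$out"
}

# Print the path of every file whose checksum no longer matches the baseline
# (or that can no longer be read); prints nothing when everything is intact.
check_baseline() {
    sha256sum -c "$1" 2>/dev/null | awk -F': ' '$2 != "OK" { print $1 }'
}

# --- Step 2: which daemon owns the PID in the log line? ---
# Constructed log line in the same shape as the one quoted in the thread.
SAMPLE_LOG='Jun 22 05:17:53 host SERVER[18075]: Dispatch_input: bad request line ...'

# Extract the number in square brackets before the colon (the syslog PID).
pid_from_log() {
    printf '%s\n' "$1" | sed -n 's/.*\[\([0-9][0-9]*\)\]:.*/\1/p'
}
# On the live box: ps -p "$(pid_from_log "$line")" -o pid,comm  -- if the PID
# is gone a moment later, the daemon was most likely spawned by inetd, and
# "tcpdump -n host <attacker>" (assumed tool) shows which port it is hitting.

# --- Step 3: firewall the attacker out ---
# Loose dotted-quad check so that a string lifted from a log cannot smuggle
# extra shell arguments into the rule; returns 1 and prints nothing otherwise.
# Emits an iptables command (assumed firewall tool) instead of running it.
drop_rule() {
    case $1 in
        ""|*[!0-9.]*) return 1 ;;
    esac
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Demo run on the constructed samples (the baseline check is exercised in a
# scratch directory so nothing on the real system is touched).
printf 'extra UID-0 accounts: %s\n' "$(find_extra_uid0 "$SAMPLE_PASSWD")"
printf 'empty-password accounts: %s\n' "$(find_empty_password "$SAMPLE_PASSWD")"
printf 'PID from log line: %s\n' "$(pid_from_log "$SAMPLE_LOG")"
scratch=$(mktemp -d)
printf 'original\n' > "$scratch/login"
make_baseline "$scratch/baseline.sha256" "$scratch/login"
printf 'trojaned\n' > "$scratch/login"
printf 'changed binaries: %s\n' "$(check_baseline "$scratch/baseline.sha256")"
rm -rf "$scratch"
printf 'rule for 192.0.2.10: %s\n' "$(drop_rule 192.0.2.10)"
```

The baseline only proves anything if it was taken from a trusted boot (the CD Theo mentions) and stored off the suspect disk; a checksum list kept on the same box can be rewritten by the same intruder who replaced `login`.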