Lori Hitchcock
Hitchcock Staffing 800-867-9188

-----Original Message-----
From:   John Abreau [SMTP:[EMAIL PROTECTED]]
Sent:   Monday, August 28, 2000 12:46 PM
To:     [EMAIL PROTECTED]
Cc:     [EMAIL PROTECTED]
Subject:        Possible DoS attack?

We lost access to a server at work; unfortunately, the server is in New
York, and one of us is on the way to Logan to fly out there and reboot the
machine, but he probably won't even arrive there until 4:00 or so.

At this point we can ping the system, but we can't access it at all. Ssh
is apparently down, as are apache, sendmail, and inn. It responds to all
connection requests instantaneously with a "Connection refused" error,
which makes me suspect that the refusal is happening at the IP level,
before the system has a chance to look at the packet.

In the meantime, we got a report from someone that the system is pounding
their network on port 113, at roughly 50-60 requests per minute. The
excerpt from their logs looks like this (IP addresses obscured):

    Aug 25 08:00:14 avgo-br2 avgo-br2, list 101 denied tcp
    xxx.xxx.xxx.xxx(13361)(Ethernet v2 0050.2ac2.14a0) -> yyy.yyy.yyy.yyy(113), 1 packets

Does this look familiar to anyone? Is this characteristic of any type of
break-in?

Another thing that occurs to me: we had just migrated an old server to
this one last week, which included installing inn. I understand inn can be
a resource pig; could the above behavior be a side effect of inn running
out of control?

--
John Abreau / Executive Director, Boston Linux & Unix 
ICQ#28611923 / AIM abreauj / Email [EMAIL PROTECTED]

