James G. Sack (jim) wrote:
Update..
more update:
The entries in the error log seem to have changed "flavor".
Whereas before there seemed to be repeated probing from a single IP,
namely the aforementioned 220.181.19.83 (or 220.181.19.79), now this
same Chinese attacker seems still in there, but shares space with lots
of other IPs. Several seem to be yahoo namespace entries. Not
exclusively, though.
Have we graduated to a higher visibility sucker-list? Is something
actually getting through and maybe doing some harm?
==> HELP:
==> Shouldn't we try to do more about this? Am I worrying too much here?
1. suggest: a daily offload of /var/lib/zope/log/ contents. I'm willing
to try to extract meaningful attack stats or complaint info, although I
might need to get some advice from experienced sysadmins.
2. I don't _think_ the probes are doing anything (other than loading
down the system) -- there's no evidence of changes that I can see. But
2a) can we find out why we're getting so many probes? And,
2b) can we find a way to detect and cut-off repeated probes?
re the other exploit..
There have been another 9-or-10 registrations overnight, presumably
trying to stuff drug/port/commercial pages into member-dir pages. It may
be of some interest to look at the "All recent changes" list (shown
with a valid login) -- there seems to be a variety of languages used in
the description field.
Regards,
..jim
--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-steer
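An added example, not part of Jim's post or the list's own tooling, of the kind of stats pass items 1 and 2b ask for: it reads Zope Z2.log-style lines (Apache common log format; the lines below are constructed samples, with the post's 220.181.19.83 beside placeholder addresses), tallies requests per source IP, and flags sources whose traffic is mostly failed requests spread over many paths, i.e. the repeated-probing pattern. The thresholds are assumptions to tune against the real log.

```python
import re
from collections import defaultdict

# Constructed sample in Zope's Z2.log (Apache common log) format. The first
# address is the one named in the post; the others are documentation ranges.
SAMPLE_LOG = """\
220.181.19.83 - Anonymous [12/Mar/2005:03:14:01 +0000] "GET /manage HTTP/1.0" 401 180
220.181.19.83 - Anonymous [12/Mar/2005:03:14:02 +0000] "GET /admin HTTP/1.0" 404 250
220.181.19.83 - Anonymous [12/Mar/2005:03:14:03 +0000] "GET /login HTTP/1.0" 404 250
220.181.19.83 - Anonymous [12/Mar/2005:03:14:05 +0000] "GET /scripts/ HTTP/1.0" 404 250
220.181.19.83 - Anonymous [12/Mar/2005:03:14:06 +0000] "GET /_vti_bin/ HTTP/1.0" 404 250
192.0.2.10 - Anonymous [12/Mar/2005:03:15:00 +0000] "GET / HTTP/1.0" 200 5120
192.0.2.10 - Anonymous [12/Mar/2005:03:15:04 +0000] "GET /members HTTP/1.0" 200 3020
198.51.100.7 - Anonymous [12/Mar/2005:03:16:00 +0000] "GET /nonexistent HTTP/1.0" 404 250
"""

# host ident user [timestamp] "method path proto" status size
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def probe_stats(log_text):
    """Per source IP: request count, 4xx/5xx count, and the set of paths hit."""
    stats = defaultdict(lambda: {"requests": 0, "errors": 0, "paths": set()})
    for rec in parse(log_text):
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["paths"].add(rec["path"])
        if rec["status"][0] in "45":
            s["errors"] += 1
    return stats

def repeated_probers(log_text, min_requests=5, min_error_ratio=0.8):
    """Sources with enough volume and a high failure ratio: candidates to
    review for blocking. Returns (ip, requests, error_ratio, distinct_paths)."""
    flagged = []
    for ip, s in probe_stats(log_text).items():
        ratio = s["errors"] / s["requests"]
        if s["requests"] >= min_requests and ratio >= min_error_ratio:
            flagged.append((ip, s["requests"], round(ratio, 2), len(s["paths"])))
    return sorted(flagged)

if __name__ == "__main__":
    for ip, n, ratio, paths in repeated_probers(SAMPLE_LOG):
        print(f"{ip}: {n} requests, {ratio:.0%} errors, {paths} distinct paths")
```

Pointing `SAMPLE_LOG` at the daily offload of /var/lib/zope/log/ gives the per-IP counts for item 1, and the flagged list is the input a firewall rule or deny list would consume for item 2b.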