Linux-Misc Digest #288, Volume #24 Thu, 27 Apr 00 02:13:04 EDT
Contents:
Re: Partition Howto (Dances With Crows)
Re: Wiping unused i-nodes (Ken Mort)
title 17 and GNU (Siemel Naran)
[HELP] Multiple SCSI cards ("Lam Dang")
Re: Linux Business Oppurtunity (Christopher Browne)
Re: Partition Howto (AnS)
Re: NOTICE!! Warning, Warning Under Attack!!! NOTICE!! (Brent Willcox)
Linux
Re: Disk usage, way high? (Elden Fenison)
Re: Disk usage, way high? (Elden Fenison)
Re: Linux (me)
Re: NOTICE!! Warning, Warning Under Attack!!! NOTICE!! ("David ..")
Re: NOTICE!! Warning, Warning Under Attack!!! NOTICE!! ("David ..")
Re: XFree86 4.0 rpms ("Jim Zubb")
Re: NOTICE!! Warning, Warning Under Attack!!! NOTICE!! ("David ..")
----------------------------------------------------------------------------
From: [EMAIL PROTECTED] (Dances With Crows)
Subject: Re: Partition Howto
Date: 26 Apr 2000 23:19:04 EDT
Reply-To: [EMAIL PROTECTED]
On Wed, 26 Apr 2000 23:01:59 -0400, Answer
<<[EMAIL PROTECTED]>> shouted forth into the ether:
>I've just read something that I found interesting in it.
>"With ext2, Partitioning decisions should be governed by backup
>considerations and to avoid external fragmentation from different file
>lifetimes.
>Files have lifetimes. After a file has been created, it will remain
>some time on the system and then be removed. File lifetime varies
>greatly throughout the system and is partly dependent on the pathname
>of the file."
>What does that mean?
0. Make the partitions small enough so that you can back up a partition
onto a single backup {tape,CD-R} since it's easier to restore that way
1. Make the partitions large enough so that they don't fill up past 95%,
causing file fragging and slow performance
2. Put stuff that gets accessed read-write frequently (/home, /tmp,
swap) on a fast disk if you can. /usr can often go on a read-only disk
(and a slower one at that, for boxen with >1 user!)
3. If you're running a Usenet server, put /var/spool/news on its own
partition on a very fast, large disk, and read the man page for tune2fs
>If I don't use my ext2 partition for about one year, when I read
>the partition one year later, will it be empty?
Where'd you get that idea? "File lifetime" goes like this: File creation
time="birth", file deletion time="death". So, /tmp has files with short
lifetimes, / and /usr have files with long lifetimes, /home is all over
the map. Keep in mind that the standard lifetime for an IDE disk these
days is approx. 3 years of heavy use, though.
--
Matt G / Dances With Crows \###| Programmers are playwrights
There is no Darkness in Eternity \##| Computers are lousy actors
But only Light too dim for us to see \#| Lusers are vicious drama critics
(Unless, of course, you're working with NT)\| BOFHen burn down theatres.
------------------------------
Subject: Re: Wiping unused i-nodes
From: [EMAIL PROTECTED] (Ken Mort)
Date: Thu, 27 Apr 2000 03:39:45 GMT
>I have two solutions:
>1). Expensive: Powerquest's latest version (3.0) understands
>ext2 and will ignore the unused sectors.
That's nice to know. I was planning to upgrade even though
they aren't very specific on what's new in the upgrade.
>2). Cheap: I wrote a little "C" program that creates a file
>of binary zeros and just writes till it runs out of room and
>then deletes the file. I run it once on every partition.
Thanks, someone else emailed me a simple solution.
cat /dev/zero > foo.bar
rm foo.bar
This worked, cut my image size in half.
Thanks for the info,
ken
>
>Ken Mort wrote:
>
>> I like to use powerquest's disk image
>> to back up partitions. It will only to
>> a complete image of a ext2 partition. Since
>> it will compress the sectors I would like to
>> wipe the unused sectors with '0' so they will
>> compress more efficiently.
>> Is there a utility that will wipe the unused
>> sectors of an ext2 partition with a zero?
>>
>> --
>>
>> Regards,
>> Ken Mort <[EMAIL PROTECTED]>
>> Brooklyn, NY, USA
>
>
--
Regards,
Ken Mort <[EMAIL PROTECTED]>
Brooklyn, NY, USA
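The same "fill with zeros, then delete" trick as a reusable function, added here as an example and not from the post: the optional size cap is an assumption of this script (useful for a dry run or to leave headroom); without it dd simply writes until the filesystem is full. Zeroing free space also overwrites remnants of previously deleted files, and filling a live root filesystem can upset running daemons, so run it on a quiet partition.

```sh
#!/bin/sh
# zero_free_space MOUNTPOINT [MAX_MIB]
#   Writes a scratch file of zeros on the given filesystem until the disk is
#   full (or until MAX_MIB mebibytes have been written), flushes it to disk,
#   removes it, and prints the number of bytes that were zeroed.
#   MAX_MIB is an assumed convenience argument, not part of the original trick.
zero_free_space() {
    mnt="$1"
    max_mib="${2:-}"
    [ -d "$mnt" ] || { echo "not a directory: $mnt" >&2; return 2; }
    scratch="$mnt/.zero-fill.$$"
    # Never clobber an existing file with the scratch name.
    [ ! -e "$scratch" ] || { echo "scratch file exists: $scratch" >&2; return 2; }
    if [ -n "$max_mib" ]; then
        dd if=/dev/zero of="$scratch" bs=1048576 count="$max_mib" 2>/dev/null
    else
        # dd exits non-zero when it hits "No space left on device";
        # that is the expected end state, not an error.
        dd if=/dev/zero of="$scratch" bs=1048576 2>/dev/null || true
    fi
    sync                                   # push the zeros to the platters
    written=$(wc -c < "$scratch" | tr -d ' ')
    rm -f "$scratch"
    sync                                   # make the deletion durable too
    echo "$written"
    return 0
}
```

Pass the mountpoint of the partition to be imaged, e.g. `zero_free_space /home`, then take the image.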
------------------------------
From: [EMAIL PROTECTED] (Siemel Naran)
Subject: title 17 and GNU
Reply-To: [EMAIL PROTECTED]
Date: Thu, 27 Apr 2000 03:46:28 GMT
Title 17 of the United States Code does not mention "GNU".
Is the copyright legally recognized?
--
==============
siemel b naran
==============
------------------------------
From: "Lam Dang" <[EMAIL PROTECTED]>
Subject: [HELP] Multiple SCSI cards
Date: 26 Apr 2000 23:30:09 -0400
I've installed RedHat 6.2 in "expert"
mode to have the initio module loaded
for my SCSI boot disk.
In addition to the Initio card my box
also has a Tekram card. I would like to
be able to load the dc395x_trm module at
boot time too. Looking at
/etc/conf.modules, I see
alias scsi_hostadapter initio
So I'm wondering what to do about
dc395x_trm. Can I just add another
alias? How? Any suggestions will be
appreciated.
--
Lam Dang
dangit AT ix DOT netcom DOT com
------------------------------
From: [EMAIL PROTECTED] (Christopher Browne)
Subject: Re: Linux Business Oppurtunity
Reply-To: [EMAIL PROTECTED]
Date: Thu, 27 Apr 2000 03:57:36 GMT
Centuries ago, Nostradamus foresaw a time when Pencil Necked Geek would say:
>Munge <[EMAIL PROTECTED]> wrote in message
>news:8e5oht$97f$[EMAIL PROTECTED]...
>> Go Linux Comp. <[EMAIL PROTECTED]> wrote:
>> : Linux Goes MLM
>> This has to be a troll, no one other than a complete
>> dickhead would get sucked in by this.
>>
>HAHAHAAAAA!!! My question is, if they only charge $40 per install, when do
>I get paid? Mmmmm, pyramid scam maybe?
If such an organization had a "backlog" of 40,000 people prepared to
pay $100 to get Linux installed, then it would be _entirely_ reasonable
for them to offer you $40 of that per install. For "them" to keep
$60 could indeed be a good deal for you and even for the 40,000 people
paying the $100. It'll cost _something_ to pass around paperwork to deal
with getting you connected to some of the 40K customers, to _collect_
the $100, and such.
Note that this would mean that there's $4M to play with of "real money"
which would leave ample opportunity for both you and they to make some
decent money.
The problem with such scams is that they tend to amount to schemes where
you become a salesman spending your time trying to find someone to "scam."
--
REALITY is a bug in your ontology.
[EMAIL PROTECTED] - - <http://www.hex.net/~cbbrowne/lsf.html>
------------------------------
From: AnS <[EMAIL PROTECTED]>
Subject: Re: Partition Howto
Date: Thu, 27 Apr 2000 00:06:13 -0400
On 26 Apr 2000 23:19:04 EDT, [EMAIL PROTECTED] (Dances
With Crows) wrote:
>>If I don't use my ext2 partition for about one year, when I read
>>the partition one year later, will it be empty?
>
>Where'd you get that idea? "File lifetime" goes like this: File creation
>time="birth", file deletion time="death". So, /tmp has files with short
>lifetimes, / and /usr have files with long lifetimes, /home is all over
>the map. Keep in mind that the standard lifetime for an IDE disk these
>days is approx. 3 years of heavy use, though.
Thanx! It was the notion of lifetime that I had not understood.
------------------------------
From: [EMAIL PROTECTED] (Brent Willcox)
Crossposted-To: redhat.security.general,comp.os.linux.setup,comp.os.linux.questions,alt.linux
Subject: Re: NOTICE!! Warning, Warning Under Attack!!! NOTICE!!
Date: Wed, 26 Apr 2000 17:33:57 -0500
Reply-To: [EMAIL PROTECTED]
>I found these attempts which started today with the first attempt
>starting before the time shown here in the first line. As you can see
>they are trying to connect one port at a time in order from 3400 up and
>at the present time they continue to try different ports in numerical
>order. I have blocked all connections TO and FROM these addresses but my
>logs and tcpdump show that the attempts continue and were still going
>when this was posted to redhat.security.general and many other
>newsgroups.
>
>
>Apr 25 15:49:46 twinscrew kernel: Packet log: input DENY ppp0 PROTO 6
>xxx.xxx.xxx.xxx:80 xxx.xxx.xx.xxx:3400 L=40 S=0x00 I=43215 F=0x0000
                 ^^                ^^^^
         source port               destination (on your machine)
(ip's xxx'ed for privacy purposes)
First of all, RELAX!!! This is NOT a hack attempt!
Take a look at the source port on the first machine. It's port 80.
(which is http, or WWW)
This was caused by a web request you made. What happened is you
probably connected to a server using banner advertising (adbot?)
and you hit "STOP"
The remote server is misconfigured and is trying to hammer
you. I get this sort of thing sometimes. Usually disconnecting and
reconnecting a few minutes later solves this problem. (I actually see
this more often with ZoneAlarm on Windows than IP chains)
The 3400 isn't a known exploit port, it's just the random port that
Netscape (or whatever you were browsing with) chose. The thing that
causes this for me most often is a Netscape crash.
You might want to contact the admin of the webserver and let them know
that they are broken in a way that will drive firewall users nuts.
Even if it is a hack attempt, relax. Ipchains is doing its job and
the requests are getting dropped on the floor.
If you're wondering what a port (source or destination) might be, a
good reference is http://www.robertgraham.com/pubs/firewall-seen.html
This answered my question when 3128 showed up being scanned in my
firewall logs.
(3128 is the default port for the Squid Proxy, btw).
Most "good" port scans by hacking tools don't even show up in the
firewall log these days. (à la nmap's "null scan")
-bdw-
--
Brent Willcox
Another BCIS student at the Univ. of North Texas
mail: bwillcox (at) unt edu
**When the green flag drops, the bull stops***
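Brent's reading of the log line (fixed source port 80, climbing destination ports above 1024) can be turned into a small triage script. This is an added example, not code from the post: the parser handles the ipchains "Packet log:" format quoted above, the sample lines are constructed with RFC 5737 documentation addresses in place of the xxx'ed-out IPs, and the two labels are my own heuristics rather than anything ipchains produces.

```python
import re
from collections import defaultdict

# Regex for the ipchains "Packet log:" line format quoted in the thread.
# "PROTO[= ]" accepts both "PROTO=6" (what ipchains prints) and the
# wrapped "PROTO 6" form that appears in the digest.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO[= ](?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+)"
)

# Server ports a browser talks to; 3128 is Squid's default, as the post notes.
WEB_PORTS = {80, 443, 8080, 3128}
EPHEMERAL_MIN = 1024  # client-side ports above this are picked at random

# Constructed sample log (not the poster's real logs). The first three lines
# mirror the thread's pattern: source port 80, destinations 3400 and up. The
# last three show a contrasting shape: varying source port, consecutive low
# destination ports.
SAMPLE_LOG = """\
Apr 25 15:49:46 twinscrew kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:80 198.51.100.7:3400 L=40 S=0x00 I=43215 F=0x0000
Apr 25 18:52:02 twinscrew kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:80 198.51.100.7:3898 L=40 S=0x00 I=43302 F=0x0000
Apr 25 20:45:04 twinscrew kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.10:80 198.51.100.7:4457 L=40 S=0x00 I=43410 F=0x0000
Apr 25 21:10:00 twinscrew kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.5:40001 198.51.100.7:21 L=40 S=0x00 I=1 F=0x0000
Apr 25 21:10:00 twinscrew kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.5:40002 198.51.100.7:22 L=40 S=0x00 I=2 F=0x0000
Apr 25 21:10:01 twinscrew kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.5:40003 198.51.100.7:23 L=40 S=0x00 I=3 F=0x0000
"""


def parse_ipchains(line):
    """Return the fields of one ipchains log line as a dict, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id"):
        rec[key] = int(rec[key])
    rec["tos"] = int(rec["tos"], 16)
    rec["frag"] = int(rec["frag"], 16)
    return rec


def classify_sources(entries):
    """Label each remote host by the shape of the denied traffic it sent."""
    by_src = defaultdict(list)
    for e in entries:
        by_src[e["src"]].append(e)
    labels = {}
    for src, pkts in by_src.items():
        sports = {p["sport"] for p in pkts}
        dports = sorted({p["dport"] for p in pkts})
        if sports <= WEB_PORTS and all(d >= EPHEMERAL_MIN for d in dports):
            # A web server's port talking to our random client ports: the
            # tail of connections we opened, which is Brent's reading.
            labels[src] = "web-server replies to our client ports"
        elif len(dports) >= 3 and dports[-1] - dports[0] == len(dports) - 1:
            # One remote host walking consecutive service ports.
            labels[src] = "consecutive destination ports (scan-like)"
        else:
            labels[src] = "unclassified"
    return labels


def summarize(log_text):
    """Parse every ipchains line in the text and classify the sources."""
    entries = [r for r in (parse_ipchains(l) for l in log_text.splitlines()) if r]
    return entries, classify_sources(entries)


if __name__ == "__main__":
    for src, label in summarize(SAMPLE_LOG)[1].items():
        print(f"{src:16} {label}")
```

ipchains does not log TCP flags, so the script cannot tell an ACK from a SYN; the source-port test is a heuristic, and the poster's own best check is the one Brent suggests, asking the web server's admin.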
------------------------------
From: <[EMAIL PROTECTED]>
Subject: Linux
Date: Thu, 27 Apr 2000 04:30:10 GMT
How is Linux different from Windows?
--
Posted via CNET Help.com
http://www.help.com/
------------------------------
From: [EMAIL PROTECTED] (Elden Fenison)
Subject: Re: Disk usage, way high?
Date: Wed, 26 Apr 2000 21:52:21 -0700
On Wed, 26 Apr 2000 16:32:46 GMT, Hal Burgiss <[EMAIL PROTECTED]>
wrote:
>I would suspect all these are using quite a bit of space, mostly in
>/usr and/or /opt.
I did find by using du that /usr by itself is using 768mb. While /opt
is only using like 52mb.
>'man du'. You can figure out just what using what. I have a separate
>/usr and this by itself is 800+Meg, so does not look out of line to me.
>And this is without any of the three you mention.
Thanks, I just figured out the du thing, here's what I found below. As
you can see, it's /usr/lib and /usr/share that are the bad boys. I guess
this isn't as out of line as I thought then. Thanks for your post.
[root@dsl-46 /usr]# du -bchs *
54M X11R6
67M bin
408k dict
57M doc
4.0k etc
36k games
252k i386-redhat-linux
5.4M i486-linux-libc5
10M include
5.8M info
3.4M kerberos
238M lib
848k libexec
60M local
15M man
4.9M sbin
238M share
7.0M src
0 tmp
768M total
--
Elden Fenison
http://www.moondog.org
------------------------------
From: [EMAIL PROTECTED] (Elden Fenison)
Subject: Re: Disk usage, way high?
Date: Wed, 26 Apr 2000 21:55:28 -0700
On Wed, 26 Apr 2000 12:22:15 -0400, Leejay Wu <[EMAIL PROTECTED]> wrote:
>Hm. If you wanted to know which directories had the most stuff in
>'em, you could do something like
[snipped]
Thanks very much for that example Leejay. I finally did realize that du
was the thing I needed, and your example gives me some nice insight on
what can be done with the command line. I've not had any experience
putting multiple commands together like that, so it's nice to see a
real-world example.
--
Elden Fenison
http://www.moondog.org
------------------------------
From: me <[EMAIL PROTECTED]>
Subject: Re: Linux
Date: Thu, 27 Apr 2000 17:07:24 +1200
[EMAIL PROTECTED] wrote:
>
> How is Linux different from Windows?
>
> --
> Posted via CNET Help.com
> http://www.help.com/
Go to www.linux.org or do a search on "linux"
Basically, Linux is another operating system.
Programmes compiled for Linux generally won't run on Windows and vice
versa.
(Here can follow much flamebait --)
--
Never trust a man in a suit --
cll
------------------------------
From: "David .." <[EMAIL PROTECTED]>
Crossposted-To: redhat.security.general,comp.os.linux.setup,comp.os.linux.questions,alt.linux
Subject: Re: NOTICE!! Warning, Warning Under Attack!!! NOTICE!!
Date: Wed, 26 Apr 2000 23:56:47 -0500
As I said in the email that was returned to me as undeliverable.
This problem started "Yesterday". My system has a better uptime than
this and if it had been going on prior to this I would have known, days,
months, or years ago. I have disconnected and reconnected a couple of
times which automatically gives me a different IP number. A few minutes
after reconnecting it starts again. I have been in contact with the
owner of the other system about this and they are trying to figure the
problem out. I know which port it is coming from I KNOW THE IP NUMBER
AND NAME OF THE SYSTEM!! And also which ports it is trying to connect
to, I have MANY MANY logs to see this. Today it has started over at port
1107 and at the present time is up port 1758 at the time of this
writing.
According to the news article which the owner of the other system was
kind enough to send me.
"Executives said the FBI and the National Infrastructure Protection Center, a
government-backed computer crime investigation organization, are
investigating the attack."
I run junkbuster, squid, have set my system to ignore ping requests,
have IP spoof protection turned on, and have it set so that it will not
give out OS or kernel version if it is connected to. And yet the ATTACK
continues as I write this. It is checking all ports one by one in order
and at times will stop for approx 27 minutes and then starts again. Even
if it is just an ad bot as you say I DO NOT WANT IT TRYING TO CONNECT TO
MY SYSTEM PERIOD. This is an attack because it has been going on since
yesterday no matter what port it is coming from or trying to connect to.
One of the last messages I received from the owner of the other system,
they are beginning to think that it is someone spoofing packets. If this
is true, and I say if, then that would confirm that someone is doing it
for an unknown reason. So the next time you want to just blow off
someone's warning or problems keep it to yourself. Some of us know more
about it than you may realize.
Good-Bye!
Brent Willcox wrote:
>
> >I found these attempts which started today with the first attempt
> >starting before the time shown here in the first line. As you can see
> >they are trying to connect one port at a time in order from 3400 up and
> >at the present time they continue to try different ports in numerical
> >order. I have blocked all connections TO and FROM these addresses but my
> >logs and tcpdump show that the attempts continue and were still going
> >when this was posted to redhat.security.general and many other
> >newsgroups.
> >
> >
> >Apr 25 15:49:46 twinscrew kernel: Packet log: input DENY ppp0 PROTO 6
> >xxx.xxx.xxx.xxx:80 xxx.xxx.xx.xxx:3400 L=40 S=0x00 I=43215 F=0x0000
>                   ^^                ^^^^
>          source port               destination (on your machine)
>
> (ip's xxx'ed for privacy purposes)
>
> First of all, RELAX!!! This is NOT a hack attempt!
>
> Take a look at the source port on the first machine. It's port 80.
> (which is http, or WWW)
>
> This was caused by a web request you made. What happened is you
> probably connected to a server using banner advertising (adbot?)
> and you hit "STOP"
>
> The remote server is misconfigured and is trying to hammer
> you. I get this sort of thing sometimes. Usually disconnecting and
> reconnecting a few minutes later solves this problem. (I actually see
> this more often with ZoneAlarm on Windows than IP chains)
>
> The 3400 isn't a known exploit port, it's just the random port that
> Netscape (or whatever you were browsing with) chose. The thing that
> causes this for me most often is a Netscape crash.
>
> You might want to contact the admin of the webserver and let them know
> that they are broken in a way that will drive firewall users nuts.
>
> Even if it is a hack attempt, relax. Ipchains is doing its job and
> the requests are getting dropped on the floor.
>
> If you're wondering what a port (source or destination) might be, a
> good reference is http://www.robertgraham.com/pubs/firewall-seen.html
> This answered my question when 3128 showed up being scanned in my
> firewall logs.
>
> (3128 is the default port for the Squid Proxy, btw).
>
> Most "good" port scans by hacking tools don't even show up in the
> firewall log these days. (à la nmap's "null scan")
>
> -bdw-
> --
> Brent Willcox
> Another BCIS student at the Univ. of North Texas
> mail: bwillcox (at) unt edu
> **When the green flag drops, the bull stops***
--
Registered with the Linux Counter. http://counter.li.org
ID # 123538
------------------------------
From: "David .." <[EMAIL PROTECTED]>
Crossposted-To: redhat.security.general,comp.os.linux.setup,comp.os.linux.questions,alt.linux
Subject: Re: NOTICE!! Warning, Warning Under Attack!!! NOTICE!!
Date: Thu, 27 Apr 2000 00:11:51 -0500
As I said in the email that was returned to me as undeliverable.
This problem started "Yesterday". My system has a better uptime than
this and if it had been going on prior to this I would have known, days,
months, or years ago. I have disconnected and reconnected a couple of
times which automatically gives me a different IP number. A few minutes
after reconnecting it starts again. I have been in contact with the
owner of the other system about this and they are trying to figure the
problem out. I know which port it is coming from I KNOW THE IP NUMBER
AND NAME OF THE SYSTEM!! And also which ports it is trying to connect
to, I have MANY MANY logs to see this. Today it has started over at port
1107 and at the present time is up port 1758 at the time of this
writing.
According to the news article which the owner of the other system was
kind enough to send me.
http://www.cnet.com/category/0-100-200-1760458.html
"Executives said the FBI and the National Infrastructure Protection Center, a
government-backed computer crime investigation organization, are
investigating the attack."
I run junkbuster, squid, have set my system to ignore ping requests,
have IP spoof protection turned on, and have it set so that it will not
give out OS or kernel version if it is connected to. And yet the ATTACK
continues as I write this. It is checking all ports one by one in order
and at times will stop for approx 27 minutes and then starts again. Even
if it is just an ad bot as you say I DO NOT WANT IT TRYING TO CONNECT TO
MY SYSTEM PERIOD. This is an attack because it has been going on since
yesterday no matter what port it is coming from or trying to connect to.
One of the last messages I received from the owner of the other system,
they are beginning to think that it is someone spoofing packets. If this
is true, and I say if, then that would confirm that someone is doing it
for an unknown reason. So the next time you want to just blow off
someone's warning or problems keep it to yourself. Some of us know more
about it than you may realize.
Good-Bye!
Brent Willcox wrote:
>
> >I found these attempts which started today with the first attempt
> >starting before the time shown here in the first line. As you can see
> >they are trying to connect one port at a time in order from 3400 up and
> >at the present time they continue to try different ports in numerical
> >order. I have blocked all connections TO and FROM these addresses but my
> >logs and tcpdump show that the attempts continue and were still going
> >when this was posted to redhat.security.general and many other
> >newsgroups.
> >
> >
> >Apr 25 15:49:46 twinscrew kernel: Packet log: input DENY ppp0 PROTO 6
> >xxx.xxx.xxx.xxx:80 xxx.xxx.xx.xxx:3400 L=40 S=0x00 I=43215 F=0x0000
>                   ^^                ^^^^
>          source port               destination (on your machine)
>
> (ip's xxx'ed for privacy purposes)
>
> First of all, RELAX!!! This is NOT a hack attempt!
>
> Take a look at the source port on the first machine. It's port 80.
> (which is http, or WWW)
>
> This was caused by a web request you made. What happened is you
> probably connected to a server using banner advertising (adbot?)
> and you hit "STOP"
>
> The remote server is misconfigured and is trying to hammer
> you. I get this sort of thing sometimes. Usually disconnecting and
> reconnecting a few minutes later solves this problem. (I actually see
> this more often with ZoneAlarm on Windows than IP chains)
>
> The 3400 isn't a known exploit port, it's just the random port that
> Netscape (or whatever you were browsing with) chose. The thing that
> causes this for me most often is a Netscape crash.
>
> You might want to contact the admin of the webserver and let them know
> that they are broken in a way that will drive firewall users nuts.
>
> Even if it is a hack attempt, relax. Ipchains is doing its job and
> the requests are getting dropped on the floor.
>
> If you're wondering what a port (source or destination) might be, a
> good reference is http://www.robertgraham.com/pubs/firewall-seen.html
> This answered my question when 3128 showed up being scanned in my
> firewall logs.
>
> (3128 is the default port for the Squid Proxy, btw).
>
> Most "good" port scans by hacking tools don't even show up in the
> firewall log these days. (à la nmap's "null scan")
>
> -bdw-
> --
> Brent Willcox
> Another BCIS student at the Univ. of North Texas
> mail: bwillcox (at) unt edu
> **When the green flag drops, the bull stops***
--
Registered with the Linux Counter. http://counter.li.org
ID # 123538
------------------------------
From: "Jim Zubb" <[EMAIL PROTECTED]>
Crossposted-To: comp.os.linux.setup,comp.os.linux.x
Subject: Re: XFree86 4.0 rpms
Date: Wed, 26 Apr 2000 22:36:19 -0800
In article <[EMAIL PROTECTED]>, Kerry Cox <[EMAIL PROTECTED]>
wrote:
> Just grabbed the XFree86 RPMs from off the RPM Repository page. It
> required the latest ncurses 5.0 package as well, which when I updated it
> caused a lot of things to break. Has anyone had any success in
Need to make a symbolic link from libncurses.so.5 and libpanel.so.5 to
libncurses.so.4 and libpanel.so.4
> installing XFree86 on their own Linux machine using the RPMs? And if
No, only rpms I could find were from rpmfind.net and they were completely
fubared for me. Weird things happened when attempting to install
XFree-4.0, it tried to copy my entire directory structure to
/var/state/xkb (not positive on that directory), bizarre stuff. Gonna
wait to see if I can ever get into rawhide.redhat.com
--
Jim Zubb
[EMAIL PROTECTED]
------------------------------
From: "David .." <[EMAIL PROTECTED]>
Crossposted-To: redhat.security.general,comp.os.linux.setup,comp.os.linux.questions,alt.linux
Subject: Re: NOTICE!! Warning, Warning Under Attack!!! NOTICE!!
Date: Thu, 27 Apr 2000 00:48:56 -0500
As I said in the email that was returned to me as undeliverable.
This problem started "Yesterday". My system has a better uptime than
this and if it had been going on prior to this I would have known, days,
months, or years ago. I have disconnected and reconnected a couple of
times which automatically gives me a different IP number. A few minutes
after reconnecting it starts again. I have been in contact with the
owner of the other system about this and they are trying to figure the
problem out. I know which port it is coming from I KNOW THE IP NUMBER
AND NAME OF THE SYSTEM!! And also which ports it is trying to connect
to, I have MANY MANY logs to see this. Today it has started over at port
1107 and at the present time is up port 1758 at the time of this
writing. I know it tried to connect as follows
port 3400 15:49:46 4/25/2000
port 3898 18:52:02 4/25/2000 4times between 18:52:02 & 18:52:05
and once at 18:53:35
port 4457 6 times between 20:45:04 & 20:45:49 4/25/2000
port 4458 twice between 20:46:06 & 20:46:07 4/25/2000
port 4457 3 times between 20:46:37 & 20:46:46 4/25/2000
and stopped between 22:57:36 & 23:24:56 4/25/2000
and stopped between 12:07:04 & 12:26:12 4/26/2000
And these are only a few compared to what my logs show.
According to the news article which the owner of the other system was
kind enough to send me.
http://www.cnet.com/category/0-100-200-1760458.html
"Executives said the FBI and the National Infrastructure Protection Center, a
government-backed computer crime investigation organization, are
investigating the attack."
I run junkbuster, squid, have set my system to ignore ping requests,
have IP spoof protection turned on, and have it set so that it will not
give out OS or kernel version if it is connected to. And yet the ATTACK
continues as I write this. It is checking all ports one by one in order
and at times will stop for approx 27 minutes and then starts again. Even
if it is just an ad bot as you say I DO NOT WANT IT TRYING TO CONNECT TO
MY SYSTEM PERIOD. This is an attack because it has been going on since
yesterday no matter what port it is coming from or trying to connect to.
One of the last messages I received from the owner of the other system,
they are beginning to think that it is someone spoofing packets. If this
is true, and I say if, then that would confirm that someone is doing it
for an unknown reason. So the next time you want to just blow off
someone's warning or problems keep it to yourself. Some of us know more
about it than you may realize.
Good-Bye!
Brent Willcox wrote:
>
> >I found these attempts which started today with the first attempt
> >starting before the time shown here in the first line. As you can see
> >they are trying to connect one port at a time in order from 3400 up and
> >at the present time they continue to try different ports in numerical
> >order. I have blocked all connections TO and FROM these addresses but my
> >logs and tcpdump show that the attempts continue and were still going
> >when this was posted to redhat.security.general and many other
> >newsgroups.
> >
> >
> >Apr 25 15:49:46 twinscrew kernel: Packet log: input DENY ppp0 PROTO 6
> >xxx.xxx.xxx.xxx:80 xxx.xxx.xx.xxx:3400 L=40 S=0x00 I=43215 F=0x0000
>                   ^^                ^^^^
>          source port               destination (on your machine)
>
> (ip's xxx'ed for privacy purposes)
>
> First of all, RELAX!!! This is NOT a hack attempt!
>
> Take a look at the source port on the first machine. It's port 80.
> (which is http, or WWW)
>
> This was caused by a web request you made. What happened is you
> probably connected to a server using banner advertising (adbot?)
> and you hit "STOP"
>
> The remote server is misconfigured and is trying to hammer
> you. I get this sort of thing sometimes. Usually disconnecting and
> reconnecting a few minutes later solves this problem. (I actually see
> this more often with ZoneAlarm on Windows than IP chains)
>
> The 3400 isn't a known exploit port, it's just the random port that
> Netscape (or whatever you were browsing with) chose. The thing that
> causes this for me most often is a Netscape crash.
>
> You might want to contact the admin of the webserver and let them know
> that they are broken in a way that will drive firewall users nuts.
>
> Even if it is a hack attempt, relax. Ipchains is doing its job and
> the requests are getting dropped on the floor.
>
> If you're wondering what a port (source or destination) might be, a
> good reference is http://www.robertgraham.com/pubs/firewall-seen.html
> This answered my question when 3128 showed up being scanned in my
> firewall logs.
>
> (3128 is the default port for the Squid Proxy, btw).
>
> Most "good" port scans by hacking tools don't even show up in the
> firewall log these days. (à la nmap's "null scan")
>
> -bdw-
> --
> Brent Willcox
> Another BCIS student at the Univ. of North Texas
> mail: bwillcox (at) unt edu
> **When the green flag drops, the bull stops***
--
Registered with the Linux Counter. http://counter.li.org
ID # 123538
------------------------------
** FOR YOUR REFERENCE **
The service address, to which questions about the list itself and requests
to be added to or deleted from it should be directed, is:
Internet: [EMAIL PROTECTED]
You can send mail to the entire list (and comp.os.linux.misc) via:
Internet: [EMAIL PROTECTED]
Linux may be obtained via one of these FTP sites:
ftp.funet.fi pub/Linux
tsx-11.mit.edu pub/linux
sunsite.unc.edu pub/Linux
End of Linux-Misc Digest
******************************