Re: [SLUG] ftp attack perhaps?

Mon, 26 Mar 2001 16:23:40 -0800 

Do you have any interesting firewall logs that match these.  I find it
useful to log all incoming SYN only TCP packets whether they are accepted
or not; it tell me what is trying to connect.

-- 
Howard.
____________________________________________________
LANNet Computing Associates <http://lannetlinux.com>
   "...well, it worked before _you_ touched it!"

On Tue, 27 Mar 2001, David wrote:

> 
> First symptom.. couldn't ftp to my webserver, connection refused.
> 
> Second symptom.. the following on the console when I checked the web
> server:
> 
> IP_MASQ:reverse ICMP: failed checksum from 164.138.225.122!
> IP_MASQ:reverse ICMP: failed checksum from 164.138.225.122!
> 
> Third symptom.. the following in my message log:
> 
> Mar 27 09:36:20 ns portmap[30661]: connect from 211.18.219.14 to
> getport(status): request from unauthorized host
> Mar 27 09:43:32 ns portmap[30684]: connect from 200.24.218.78 to
> getport(status): request from unauthorized host
> Mar 27 09:44:17 ns inetd[803]: ftp/tcp server failing (looping or being
> flooded), service terminated for 10 min
> Mar 27 09:51:39 ns named[17909]: ns_req: sendto([209.73.164.132].2985):
> Connection refused
> 
> The server failing log entry roughly coincides with when I was trying to
> ftp in myself, using a very standard bookmarked client on my lan.
> 
> 
> Fourth: this was in the secure log... possibly not related... paranoia?
> 
> Mar 26 22:53:39 ns in.ftpd[28962]: refused connect from 203.54.72.7
> Mar 26 22:53:50 ns in.ftpd[28963]: refused connect from 203.54.72.7
> Mar 26 22:54:54 ns in.ftpd[28964]: refused connect from 203.54.72.7
> Mar 26 22:55:05 ns in.ftpd[28965]: refused connect from 203.54.72.7
> Mar 26 22:55:18 ns in.ftpd[28966]: refused connect from 203.54.72.7
> Mar 27 09:54:39 ns in.ftpd[30744]: connect from 203.23.36.3
> 
> 
> any thoughts? The ftp server is now back in operation and working fine.
> The last entry above was me. So far I can't see any other problems.
> 
> 
> 
> 
> 
> 


-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug

Reply via email to