Focus on Linux
Visited by a cracker 2004-07-11
Per Christian B. Viken (perchr angryadmin net) (5 replies)
Hello

I've had a rather disturbing evening.
A friend of mine runs a small server for himself and some friends. It's
running Slackware 10.
When I logged in, I noticed that the load was way over what's normal (around
1.36 now, usually it's under 0.10), so I ran 'top'. I saw a program called
'strace'

Re: Visited by a cracker 2004-07-13
Alexander Economou (aecon gnet gr)
Re: Visited by a cracker 2004-07-12
Godwin Stewart (gstewart spamcop net)
Re: Visited by a cracker 2004-07-12
Lars Johannesen (cipherz slamsoft dk)
Re: Visited by a cracker 2004-07-12
riedel trigital net (Sven Riedel)
Re: Visited by a cracker 2004-07-12
Alan Hicks (alan lizella net)
Re: Weird! 2004-07-07
Claus Norrbohm (james type-this com)
In-Reply-To: <20040705222222.27584.qmail (at) www.securityfocus (dot) com [email concealed]>

>IN=ppp0 OUT= MAC= SRC=xxx.xx.xxx.xxx DST=aa.aaa.aaa.aaa LEN=76 TOS=0x18 PREC=0x20 TTL=45 ID=56552 PROTO=ICMP TYPE=3 CODE=1 [SRC=aa.aaa.aaa.aaa DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=16249 DF PROTO=TCP SPT=1730 DPT=4662

Re: Weird! 2004-07-06
Kostas K (acezerocool yahoo com) (2 replies)
In-Reply-To: <20040706184555.B13533 (at) planetcobalt (dot) net [email concealed]>

I am using emule specifically, so the src=xxx.xx.xxx.xxx sent me an ICMP 3-0 indicating that src=aa.aaa.aaa.aaa (which is my IP address) cannot access dst=192.168.1.100.

I have a LAN (3 PCs), but why is this happening?

Thanks,

Kostas

Re: Weird! 2004-07-06
Jeff Davis (secfocus clandavis org)
Re: Weird! 2004-07-06
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
Weird! 2004-07-05
Kostas K (acezerocool yahoo com) (4 replies)


IN=ppp0 OUT= MAC= SRC=xxx.xx.xxx.xxx DST=aa.aaa.aaa.aaa LEN=76 TOS=0x18 PREC=0x20 TTL=45 ID=56552 PROTO=ICMP TYPE=3 CODE=1 [SRC=aa.aaa.aaa.aaa DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=16249 DF PROTO=TCP SPT=1730 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0 ]

I get some weird logs f

Re: Weird! 2004-07-07
Stephen Samuel (samuel bcgreen com)
Re: Weird! 2004-07-06
Charles Heselton (charles heselton gmail com) (1 replies)
Re[2]: Weird! 2004-07-09
Marius Huse Jacobsen (mahuja c2i net)
Re: Weird! 2004-07-06
Ansgar -59cobalt- Wiechers (bugtraq planetcobalt net)
Re: Weird! 2004-07-06
alejandro flores triforsec com br
RE: just running tcpdump makes promisc mode? 2004-07-01
Am (RazhamR regent-college ac uk)

If the machine is a fresh install, it might be a problem with tcpdump itself. I read something about ifconfig being broken in the PROMISC department due to some changes in the kernel.

Use ip (/usr/sbin/ip) to check your interface status. It should match the ones in dmesg and /var/log/messages.

Ro

RE: Last login missing 2004-07-04
Toni Heinonen (Toni Heinonen teleware fi)
> Today I received a suspicious-looking email from my server about an
> unexpected restart of Apache, so I logged in and there was no "Last
> login:" information.

One possible explanation might be that you have newsyslog or logrotate,
and it rotates all your logs, including login logs (utmp/xt

Last login missing 2004-07-01
Milos Prudek (prudek bvx cz) (2 replies)
If "Last login:" is not displayed, is that fishy? Is it a sure
indication that a cracker was there and cleaned up his tracks?

Details:

When I connect via ssh to my Linux server, it always displays Last login:
<date> from <host>

Today I received a suspicious-looking email from my server about

Re: Last login missing 2004-07-04
Stefan Guha (safti safti org) (1 replies)
RE: Last login missing 2004-07-06
Michael LaSalvia (mike genxweb net)
Re: Last login missing 2004-07-04
Ira (iashkenes verizon net)
Copyright 2010, SecurityFocus