Looking through my email after a day off produced the following alert from one of the servers...

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
Aug 25 03:28:56 galloproductions sendmail[21367]: NOQUEUE: POSSIBLE ATTACK from [4.54.118.112]: newline in string "trilluser^M "

Security Violations
=-=-=-=-=-=-=-=-=-=
Aug 25 03:28:56 galloproductions sendmail[21367]: NOQUEUE: POSSIBLE ATTACK from [4.54.118.112]: newline in string "trilluser^M "

Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Aug 25 03:28:56 galloproductions sendmail[21367]: NOQUEUE: POSSIBLE ATTACK from [4.54.118.112]: newline in string "trilluser^M "

==========================================================================

So I wanted to see where the attack had originated at...

#nslookup 4.54.118.112
Name:    PPPa83-ResaleNewYorkMetroB1-1R7187.dialinx.net
Address: 4.54.118.112

===========================================================================

Looks like a typical dialup account, so I try to figure out who gave the guy access...

#   IP address     Host name                                       Round trip time
1   4.54.144.12    Resale_Eastern_Ma3-3R7200.genuity2.net          187 ms
2   4.54.144.2     RE4-P14-BST-GNP-R1.genuity2.net                 173 ms
3   204.166.35.74  RE4-P14-R1-pvc1-Hub1.genuity2.net               154 ms
4   4.24.94.1      p3-0.bstnma1-cr8.bbnplanet.net                  155 ms
5   4.24.5.41      p6-0.bstnma1-ba1.bbnplanet.net                  144 ms
6   4.24.7.117     p7-0.bstnma1-br1.bbnplanet.net                  200 ms
7   4.24.6.50      p9-0.nycmny1-nbr2.bbnplanet.net                 160 ms
8   4.24.10.209    p15-0.nycmny1-nbr1.bbnplanet.net                169 ms
9   4.24.8.162     p1-0.nycmny1-cr9.bbnplanet.net                  171 ms
10  4.24.188.74    p6-1.dialinxny.bbnplanet.net                    185 ms
11  172.20.66.141  Unavailable                                     195 ms
12  4.54.116.15    Resale_New_York_MetroB1-1R7187.genuity2.net     220 ms
13  4.54.118.112   PPPa83-ResaleNewYorkMetroB1-1R7187.dialinx.net  341 ms

So, my question is... do I contact "genuity" to report this attack?

Thanks,
Phil