[CLUE-Tech] [Fwd: FW: [lug] new Linux worm]

Grant Johnson Grant.Johnson at MetroIS.com
Fri Mar 23 14:02:08 MST 2001


>Grant,
>
>I take it seriously, but I don't know which daemons to kill that affect
>me. What should I look for in my log files?  What is some simple grep
>stuff that can reduce what I look at?
>
>I got "scanned" by someone and this is from /var/log/messages:
>
>Mar 22 18:07:05 cullis portsentry[2603]: attackalert: SYN/Normal scan from host: 211.219.153.124/211.219.153.124 to TCP port: 53
>Mar 22 18:07:05 cullis portsentry[2603]: attackalert: External command run for host: 211.219.153.124 using command: "/some/path/here/script 211.219.153.124 53"
>Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host 211.219.153.124 has been blocked via wrappers with string: "ALL: 211.219.153.124"
>Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host 211.219.153.124 has been blocked via dropped route using command: "/sbin/route add -host 211.219.153.124 reject"
>
>So, can anyone provide some newbie info?
>
>Kevin


Yep, that looks like the thing.  I forwarded you, not the list, the 
detection software.  That attack came from somewhere in Korea, so this 
thing is spread around quite a lot.
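The grep-and-summarize pass Kevin asks for, as an added example that is not part of the original thread and not either poster's code. It runs over a constructed syslog excerpt that follows the portsentry "attackalert" message format quoted above; the addresses (RFC 5737 documentation ranges), the timestamps after the first one and the stray sshd line are made up for the example. On a real box you would point the three functions at /var/log/messages instead of the temporary file.

```shell
#!/bin/sh
# Added example (not from the original thread): boil a syslog file down to
# the hosts portsentry saw scanning, the ports they probed, and the hosts
# it has already blocked, so you read a few summary lines instead of the
# whole log.  The log below is constructed for this example and follows
# the portsentry attackalert format from the quoted post.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: SYN/Normal scan from host: 192.0.2.10/192.0.2.10 to TCP port: 53
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: External command run for host: 192.0.2.10 using command: "/some/path/here/script 192.0.2.10 53"
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host 192.0.2.10 has been blocked via dropped route using command: "/sbin/route add -host 192.0.2.10 reject"
Mar 22 18:09:41 cullis portsentry[2603]: attackalert: SYN/Normal scan from host: 198.51.100.7/198.51.100.7 to TCP port: 111
Mar 22 18:09:41 cullis portsentry[2603]: attackalert: Host 198.51.100.7 has been blocked via wrappers with string: "ALL: 198.51.100.7"
Mar 22 18:12:03 cullis portsentry[2603]: attackalert: SYN/Normal scan from host: 192.0.2.10/192.0.2.10 to TCP port: 111
Mar 22 18:12:03 cullis sshd[2710]: Accepted password for kevin from 10.0.0.5 port 40022 ssh2
EOF

# "count host" for every source portsentry reported as scanning, busiest
# first.  Only the "scan from host:" lines count; the follow-up
# "blocked via" lines for the same host are deliberately excluded so a
# host is not counted once per reaction.
scanning_hosts() {
    grep 'portsentry\[[0-9]*\]: attackalert: .* scan from host:' "$1" \
      | sed 's|.* scan from host: \([^/ ]*\)/.*|\1|' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# "count PROTO/port" for the ports probed, busiest first.  A port that
# keeps showing up is the service to check first on your own machine.
scanned_ports() {
    grep 'attackalert: .* scan from host:' "$1" \
      | sed 's|.* to \([A-Z]*\) port: \([0-9]*\).*|\1/\2|' \
      | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Every host portsentry has already blocked (wrappers or dropped route),
# one per line, deduplicated.
blocked_hosts() {
    grep 'attackalert: Host .* has been blocked via' "$1" \
      | sed 's|.*attackalert: Host \([^ ]*\) has been blocked.*|\1|' \
      | sort -u
}

echo "Scanning hosts:";  scanning_hosts "$SAMPLE_LOG"
echo "Ports probed:";    scanned_ports  "$SAMPLE_LOG"
echo "Already blocked:"; blocked_hosts  "$SAMPLE_LOG"
```

The summary tells you who knocked and where; it does not tell you whether anything is listening there. The next check after running it is whether the probed ports are actually open on the machine (netstat -an, or the process list for the matching daemon), since a scan against a port with nothing behind it is noise, while a scan against a running service is the one worth reading the rest of the log for.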
