[CLUE-Tech] [Fwd: FW: [lug] new Linux worm]

ian iguy at ionsphere.org
Fri Mar 23 14:12:27 MST 2001


That sounds much like the attack that Jim just suffered through.

ian

On Fri, Mar 23, 2001 at 02:02:08PM -0700, Grant Johnson wrote:
> 
> >Grant,
> >
> >I take it seriously, but I don't know which daemons to kill which affect
> >me. What should I look for in my log files?  What are some simple grep
> >stuff which can reduce what I look at?
> >
> >I got "scanned" by someone and this is the /var/log/messages:
> >
> >Mar 22 18:07:05 cullis portsentry[2603]: attackalert: SYN/Normal scan
> >from host: 211.219.153.124/211.219.153.124 to TCP port: 53
> >Mar 22 18:07:05 cullis portsentry[2603]: attackalert: External command
> >run for host: 211.219.153.124 using command: "/some/path/here/script
> >211.219.153.124 53"
> >Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host
> >211.219.153.124 has been blocked via wrappers with string: "ALL:
> >211.219.153.124"
> >Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host
> >211.219.153.124 has been blocked via dropped route using command:
> >"/sbin/route add -host 211.219.153.124 reject"
> >
> >So, can anyone provide some newbie info?
> >
> >Kevin
> 
> 
> Yep, that looks like the thing.  I forwarded you, not the list, the 
> detection software.  That attack came from somewhere in Korea, so this 
> thing is spread around quite a lot.

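As an added example that is not part of any message in this thread: a shell function that condenses portsentry `attackalert` entries like the ones quoted above into one line per source host. The sample log is constructed from the quoted entries (rejoined onto single lines) plus a made-up host, 192.0.2.10, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: per-host summary of portsentry "attackalert" syslog entries.

# Constructed sample: the entries quoted above joined back onto single lines,
# plus one made-up host (192.0.2.10) and an unrelated syslog line.
sample_log() {
cat <<'EOF'
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: SYN/Normal scan from host: 211.219.153.124/211.219.153.124 to TCP port: 53
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host 211.219.153.124 has been blocked via wrappers with string: "ALL: 211.219.153.124"
Mar 22 18:07:05 cullis portsentry[2603]: attackalert: Host 211.219.153.124 has been blocked via dropped route using command: "/sbin/route add -host 211.219.153.124 reject"
Mar 22 18:09:41 cullis portsentry[2603]: attackalert: SYN/Normal scan from host: 192.0.2.10/192.0.2.10 to TCP port: 111
Mar 22 18:20:00 cullis -- MARK --
EOF
}

# Usage: portsentry_summary /var/log/messages   (reads stdin if no file is given)
# Prints one line per source host: "<host> ports=<list> blocked=<methods or ->"
portsentry_summary() {
    grep 'portsentry\[[0-9]*]: attackalert: ' "$@" | awk '
    function add(list, item) { return (list == "") ? item : list "," item }
    { msg = $0; sub(/^.*attackalert: /, "", msg) }   # drop the syslog prefix
    msg ~ /scan from host: / {
        # "SYN/Normal scan from host: A/B to TCP port: 53"
        host = msg; sub(/^.*from host: /, "", host); sub(/\/.*$/, "", host)
        port = msg; sub(/^.* to /, "", port); sub(/ port: /, "/", port)
        if (!((host, port) in seen)) { seen[host, port] = 1; ports[host] = add(ports[host], port) }
        hosts[host] = 1
    }
    msg ~ /^Host .* has been blocked via / {
        # "Host A has been blocked via <method> with string: ..." or "... using command: ..."
        split(msg, f, " "); host = f[2]
        how = msg; sub(/^.*has been blocked via /, "", how)
        sub(/ (with string|using command): .*$/, "", how)
        blocked[host] = add(blocked[host], how); hosts[host] = 1
    }
    END {
        for (h in hosts)
            printf "%s ports=%s blocked=%s\n", h, (ports[h] == "" ? "-" : ports[h]), (blocked[h] == "" ? "-" : blocked[h])
    }' | sort
}

sample_log | portsentry_summary
```

A host that shows probed ports but `blocked=-` was logged as scanning without any block action being recorded for it.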