On Fri, Jun 22, 2001 at 10:29:38AM -0400, Peter Gutowski wrote:
> Jun 22 05:17:53 host SERVER[18075]: Dispatch_input: bad request line '.....
> followed by a lot of binary bytes ending in "/bin/sh"
>
> I'm guessing that whoever is trying this is [so far] being kept out, but I guess I'd like to know what is being hammered on as "SERVER" doesn't provide much help. Any ideas?
Well, I would probably do a few things --

1) Verify that this person hasn't broken in yet (check for odd accounts in /etc/passwd, look for rootkits -- you'll probably want to go boot off a CD for this, verify that system binaries haven't changed (ls, login, telnetd, sshd), etc.)

2) If PID 18075 isn't constantly running, it's probably something out of inetd. I would probably set up a packet sniffer and watch traffic to your box. That will hopefully tell you 1) which daemon is being attacked, and 2) what IP/network/etc is attacking you.

3) Once you have enough information, I'd firewall the attacker out and contact the remote administrator about the security violation.

And if you haven't already, make sure you're up-to-date WRT packages.

-- 
Randomly Generated Tagline:
Personally, I think my choice in the mostest-superlative-computer wars has to be the HP-48 series of calculators. They'll run almost anything. And if they can't, well, I'll just plug a Linux box into the serial port and load up the HP-48 VT-100 emulator.
(By jdege@winternet.com, Jeff Dege)
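A detection pass over log entries of this shape, as an added example that is not part of this thread: it parses classic syslog lines (constructed samples, not the original log), flags "bad request line" messages that carry binary filler, unusual length or a shell path, and counts distinct PIDs per program to help tell an inetd-spawned service from a persistent daemon, which is the distinction step 2 of the reply draws. The thresholds and the list of shell paths are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines (not the original log). Line 1 mimics the
# reported entry (binary filler ending in "/bin/sh"), line 2 is a harmless
# malformed request, line 3 is long printable filler, line 4 is unrelated.
SAMPLE_LOG = [
    "Jun 22 05:17:53 host SERVER[18075]: Dispatch_input: bad request line '"
    + "\x90" * 60 + "/bin/sh'",
    "Jun 22 05:18:01 host SERVER[18076]: Dispatch_input: bad request line 'GET index.html'",
    "Jun 22 05:18:20 host SERVER[18077]: Dispatch_input: bad request line '"
    + "A" * 300 + "/bin/sh'",
    "Jun 22 05:19:02 host sshd[412]: Accepted publickey for alice from 10.0.0.5",
]

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^\s\[:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
SHELL_MARKERS = ("/bin/sh", "/bin/bash")  # assumed list; the report shows /bin/sh only

def request_reasons(msg, min_len=128, max_nonprint=0.2):
    """Return why a 'bad request line' message looks like an overflow probe ([] if benign)."""
    reasons = []
    nonprint = sum(1 for c in msg if not c.isprintable()) / max(len(msg), 1)
    if nonprint >= max_nonprint:          # binary filler, as in the reported line
        reasons.append("non-printable bytes (%.0f%%)" % (100 * nonprint))
    if len(msg) >= min_len:               # far longer than any sane request line
        reasons.append("long request (%d bytes)" % len(msg))
    if any(m in msg for m in SHELL_MARKERS):
        reasons.append("shell path in request")
    return reasons

def analyze(lines):
    """Parse syslog lines; flag suspicious bad-request entries, count PIDs per program."""
    hits, pids = [], defaultdict(set)
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        pids[m["prog"]].add(int(m["pid"]))
        if "bad request line" in m["msg"]:
            reasons = request_reasons(m["msg"])
            if reasons:
                hits.append({"pid": int(m["pid"]), "prog": m["prog"], "reasons": reasons})
    # A fresh PID per request is typical of an inetd-spawned service; a single
    # stable PID across entries points at a standalone daemon.
    return {"hits": hits, "pids_per_program": {p: len(s) for p, s in pids.items()}}
```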