[ LUGOS ] smurf or some kind of DoS.

Martin martin at amadej.si
Sat Nov 11 13:24:35 CET 2000


I recently wrote to the list because my computer kept crashing. We found that the cause was too little memory for all the services. I increased the swap to about 130MB, even though the system only used a few MB of swap under normal working conditions.

Then yesterday at 1:00 at night I found that the program iplog was suddenly using about 50 MB of memory and still growing. Shortly after that the computer stopped responding. - Apparently it had used up all the swap space.

I looked at iplog's log (after restarting the machine) and found that I had been the victim of an attack.

Here is a small excerpt from the log, which can be seen in full at
http://hexabyte.at.linux-os.nl/iplog.txt (about 1.9MB)
(it is too big to paste all over the place)
->
Nov 11 02:20:10 TCP: port 18584 connection attempt to 213.143.68.44 from 129.252.22.114:29526
Nov 11 02:20:10 TCP: port scan mode to 213.143.68.44 expired for 129.79.139.170 - received a total of 174 packets (3480 bytes).
Nov 11 02:20:10 TCP: port 20730 connection attempt to 213.143.68.44 from 129.252.22.106:7384
Nov 11 02:20:10 TCP: port 24220 connection attempt to 213.143.68.44 from 129.79.139.170:13552
Nov 11 02:20:10 TCP: port 21264 connection attempt to 213.143.68.44 from 129.79.139.170:8274
Nov 11 02:20:10 TCP: port 4774 connection attempt to 213.143.68.44 from 129.79.139.170:27084
Nov 11 02:20:10 TCP: port 16217 connection attempt to 213.143.68.44 from 129.79.139.170:18167
Nov 11 02:20:10 TCP: port 6727 connection attempt to 213.143.68.44 from 129.79.139.170:4555
Nov 11 02:20:10 TCP: port 12550 connection attempt to 213.143.68.44 from 129.79.139.170:12922
Nov 11 02:20:10 TCP: port 31783 connection attempt to 213.143.68.44 from 129.79.139.170:8471
Nov 11 02:20:10 TCP: port 22766 connection attempt to 213.143.68.44 from 129.79.139.170:24109
Nov 11 02:20:10 TCP: port 7509 connection attempt to 213.143.68.44 from 129.79.139.170:31408
Nov 11 02:20:10 TCP: port 22599 connection attempt to 213.143.68.44 from 129.79.139.170:19264
Nov 11 02:20:10 TCP: port 1853 connection attempt to 213.143.68.44 from 129.252.22.114:20450
Nov 11 02:20:10 TCP: port 25759 connection attempt to 213.143.68.44 from 129.252.23.111:18111
Nov 11 02:20:10 TCP: port 29714 connection attempt to 213.143.68.44 from 129.79.139.170:29903
Nov 11 02:20:10 TCP: port 4376 connection attempt to 213.143.68.44 from 129.79.139.170:30686
Nov 11 02:20:10 TCP: port 32349 connection attempt to 213.143.68.44 from 129.79.139.170:4751
Nov 11 02:20:10 TCP: port 27067 connection attempt to 213.143.68.44 from 129.79.139.170:25041
Nov 11 02:20:10 TCP: port scan detected to 213.143.68.44 [ports 24220,21264,4774,16217,6727,12550,31783,22766,7509,22599,...] from 129.79.139.170 [ports 13552,8274,27084,18167,4555,...]
Nov 11 02:20:10 TCP: port 9970 connection attempt to 213.143.68.44 from 129.252.22.114:10187
Nov 11 02:20:10 TCP: port 17765 connection attempt to 213.143.68.44 from 129.252.22.114:31110
->

This attack also caused the internet connection to stop working
(everything outside the local network timed out).

What I am actually interested in now:
1. Is there any way to defend against such attacks?
2. Is there a program that would do the job of iplog but with less memory
usage?
3. Whom should I notify about the attack, so that they warn their users, etc.?
Because if I understand this correctly, these were attacks from machines that
the culprits had already broken into and installed these programs on, which
they later launched remotely. So the owners of the systems probably have no
idea what is happening with them.

Any suggestion or comment (especially on the first point) is welcome.
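As an added illustration of the second question (not part of the original post, and not iplog's own code): a small Python aggregator that reads the connection-attempt lines in the format of the excerpt above and flags sources hitting many distinct ports, while keeping its memory bounded, which is exactly where iplog ran away. The threshold, the cap on tracked sources and the sample log built from the excerpt are my assumptions.

```python
import re

# One iplog "connection attempt" line, in the format shown in the excerpt above.
ATTEMPT_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d TCP: port (?P<dport>\d+) connection attempt "
    r"to (?P<dst>[\d.]+) from (?P<src>[\d.]+):(?P<sport>\d+)$"
)

def parse_attempt(line):
    """Return (src, dport) for a connection-attempt line, None for any other line."""
    m = ATTEMPT_RE.match(line.strip())
    return (m.group("src"), int(m.group("dport"))) if m else None

def find_scanners(lines, threshold=10, max_sources=4096):
    """Return (sorted sources that hit >= threshold distinct ports, attempts ignored).

    Memory is bounded on purpose: a source's port set stops growing at `threshold`
    (it already counts as a scanner), and at most `max_sources` sources are tracked,
    so a flood of new or spoofed sources cannot exhaust RAM. Both limits are
    assumed values chosen for this example, not iplog settings.
    """
    ports = {}      # src -> set of distinct destination ports, capped at threshold
    ignored = 0     # attempts from sources we refused to track
    for line in lines:
        rec = parse_attempt(line)
        if rec is None:
            continue          # "port scan mode ... expired" etc. are not attempts
        src, dport = rec
        if src not in ports:
            if len(ports) >= max_sources:
                ignored += 1
                continue
            ports[src] = set()
        if len(ports[src]) < threshold:
            ports[src].add(dport)
    return sorted(s for s, p in ports.items() if len(p) >= threshold), ignored

# Constructed sample: (dport, sport) pairs taken from the excerpt, rendered back
# into iplog's line format so parse_attempt sees realistic input.
_TMPL = "Nov 11 02:20:10 TCP: port {dp} connection attempt to 213.143.68.44 from {src}:{sp}"
_SCANNER = [(24220, 13552), (21264, 8274), (4774, 27084), (16217, 18167),
            (6727, 4555), (12550, 12922), (31783, 8471), (22766, 24109),
            (7509, 31408), (22599, 19264), (29714, 29903), (4376, 30686)]
SAMPLE_LOG = [_TMPL.format(dp=dp, src="129.79.139.170", sp=sp) for dp, sp in _SCANNER]
SAMPLE_LOG += [_TMPL.format(dp=18584, src="129.252.22.114", sp=29526),
               _TMPL.format(dp=25759, src="129.252.23.111", sp=18111),
               "Nov 11 02:20:10 TCP: port scan mode to 213.143.68.44 expired for "
               "129.79.139.170 - received a total of 174 packets (3480 bytes)."]
```

Calling `find_scanners(SAMPLE_LOG)` on the constructed sample returns `(['129.79.139.170'], 0)`; the per-source cap means the scanning host costs at most `threshold` set entries no matter how many ports it probes.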