Re: [SLE] Hacker attempts during installation

From: Carlos E. R. (robin1.listas_at_tiscali.es)
Date: 10/30/05

    Date: Sun, 30 Oct 2005 02:50:18 +0100 (CET)
    To: SLE <suse-linux-e@suse.com>
    
    


    The Sunday 2005-10-30 at 01:44 +0200, Anders Johansson wrote:

    > On Saturday 29 October 2005 03:29, Carlos E. R. wrote:
    > > weird ones like 1028, 1026, 1030, 12316. But they also try 21, of course:
    >
    > 21 is ftp. This isn't a crack attempt, it's just someone looking for ftp
    > servers

    Ah, right, memory slips. Then port 22:

    Sep 9 01:29:20 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC=
    SRC=195.162.195.69 DST=81.41.200.66 LEN=60 TOS=0x00 PREC=0x00 TTL=51
    ID=27308 DF PROTO=TCP SPT=46386 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 OPT
    (020405B40402080A066C2FD30000000001030302)

    That was 20 seconds after I connected!

    Oct 27 20:19:29 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC=
    SRC=81.196.58.13 DST=81.41.201.68 LEN=48 TOS=0x00 PREC=0x00 TTL=110
    ID=24437 PROTO=TCP SPT=60707 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 OPT
    (020405B401010402)

    And that was 6 minutes after connection.

    > > That hole was plugged.
    >
    > It was of course also only ever possible on a high quality local LAN, as
    > across the internet, the microsecond timings necessary for something like
    > that are drowned out by the general low quality of the network

    I didn't know that, I thought the time difference was bigger, due to the
    filesystem seek time when the server had to locate the password data after
    a user matches. But... don't tcp packets have a timestamp? Perhaps they
    used that one.

    --
    Cheers,
           Carlos Robinson

    

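The `OPT (...)` field in the two firewall log entries quoted in the message is the raw TCP options block of each dropped SYN. The following Python is an added example, not part of the original message: it parses both entries and decodes those options, which shows that the first SYN carries a TCP timestamp option (kind 8) and the second does not. The function names `tcp_options` and `summarize` are this example's own.

```python
import re

# Log entries from the message above, re-joined; helper names are this example's own.
LOG_LINES = [
    "Sep 9 01:29:20 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= "
    "SRC=195.162.195.69 DST=81.41.200.66 LEN=60 TOS=0x00 PREC=0x00 TTL=51 "
    "ID=27308 DF PROTO=TCP SPT=46386 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0 "
    "OPT (020405B40402080A066C2FD30000000001030302)",
    "Oct 27 20:19:29 nimrodel kernel: SFW2-INext-DROP-DEFLT IN=ppp0 OUT= MAC= "
    "SRC=81.196.58.13 DST=81.41.201.68 LEN=48 TOS=0x00 PREC=0x00 TTL=110 "
    "ID=24437 PROTO=TCP SPT=60707 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0 "
    "OPT (020405B401010402)",
]

def tcp_options(raw):
    """Decode a TCP options block (kind/length/value triples)."""
    out, i = {}, 0
    while i < len(raw) and raw[i] != 0:      # kind 0 = end of option list
        if raw[i] == 1:                      # kind 1 = one-byte NOP padding
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option at offset %d" % i)
        kind, body = raw[i], raw[i + 2:i + raw[i + 1]]
        if kind == 2:                        # maximum segment size
            out["mss"] = int.from_bytes(body, "big")
        elif kind == 3 and body:             # window scale shift count
            out["wscale"] = body[0]
        elif kind == 4:                      # SACK permitted
            out["sack_permitted"] = True
        elif kind == 8:                      # timestamp: TSval, TSecr
            out["tsval"] = int.from_bytes(body[:4], "big")
            out["tsecr"] = int.from_bytes(body[4:8], "big")
        i += raw[i + 1]
    return out

def summarize(line):
    """Parse one netfilter LOG line into the fields a reviewer cares about."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    flags = set(re.findall(r"\b(SYN|ACK|FIN|RST|DF)\b", line))
    opt = re.search(r"OPT \(([0-9A-Fa-f]*)\)", line)
    opts = tcp_options(bytes.fromhex(opt.group(1))) if opt else {}
    return {"src": fields["SRC"], "dpt": int(fields["DPT"]),
            "new_connection": "SYN" in flags and "ACK" not in flags,
            "has_timestamp": "tsval" in opts, "options": opts}

if __name__ == "__main__":
    for entry in LOG_LINES:
        print(summarize(entry))
```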