[lug] route add -host attacks
Warren Sanders
sanders at MontanaLinux.Org
Wed Nov 14 21:44:48 MST 2001
Yes, the route change is being stored. The port varies as it seems they are just
doing a scan before the route add takes place. I also noticed by default the
files in /sbin are owner/group root and 755. I chmod 700 route and I'm still
getting hosts added. Also noticing several of these are from Asian countries.
The best thing I have going for me at this moment is having portsentry adding
them to the deny list.
On Wed, 14 Nov 2001, Jeff wrote:
> Date: Wed, 14 Nov 2001 21:32:17 -0500
> From: Jeff <feenix at ticnet.com>
> Reply-To: lug at lug.boulder.co.us
> To: lug at lug.boulder.co.us
> Subject: Re: [lug] route add -host attacks
>
> Dunno. I'm also on the AT&T network. I don't seem to have this
> problem. Just to be sure, I checked my message logs for the following:
> 211.23.141.22
> attackalert
> primatex
> "/sbin/route"
>
> And came up blank. Possible hack? Port 111 is Sun RPC. Not totally
> sure what that does, but you may want to consider rebuilding the route
> table. Have you tried route or route -n?
> What are the results? Does the below IP show up? If so you may have a
> problem. If not...
>
> $0.02
> Jeff
>
--
Warren Sanders
http://MontanaLinux.Org