[lug] eth0: tx interrupt but no status

Paul Bille paul at ebille.cudenver.edu
Mon Dec 10 23:18:46 MST 2001


Dan,

Thanks for the feedback.

One clarification, I am on the cudenver.edu domain.  Randy Hagan is my
sysadmin.

The rpc.mountd: export request came from 192.207.173.213 j30.engr.subr.edu
which is Southern University Baton Rouge.  This may or may not be related to
the "eth0: tx interrupt" stuff.

I interpret the
> Dec 10 17:54:02 liz fingerd[9511]: rejected @ebille.cudenver.edu
messages to indicate MY system is rejecting finger requests for invalid
users.  I think someone is looking for usernames.

> . . . makes me roll my eyes back and laugh . . .

You're right.  I traced the e-mail address back to a photographer in
Australia.  He doesn't appear to be a sophisticated user but then what do I
know?

	http://www.qldwide.net.au/~garryw/page3.html - Garry Williamson

I'm not worried about him or the finger request (except in the context of
username searches) but I am concerned about the "eth0: tx interrupt but no
status".

> Dec 10 18:12:00 liz kernel: eth0: tx interrupt but no status
> Dec 10 18:16:14 liz last message repeated 4 times

I'm concerned because I interpret these messages to indicate someone is
trying to get malformed packets through my ethernet connection.  I had a
system subjected to a BIND overflow attack and the syslog was filled with
"eth0: tx interrupt but no status".  I may be reading too much into this but
I'm concerned.

>  . . . I track them down and report them to all technical contacts . . .

I'm trying to figure out what's going on and where it's coming from.
Unfortunately an IP isn't logged with the eth0 interrupt.  Getting weird
e-mail messages like the one I got from the Australian photographer just
confuses the issue.  The scans seem to have stopped as of about 20:00 Rocky
Mountain Time.  I hope they've stopped for good.

Thanks,
Paul
http://bille.cudenver.edu/author
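
Added example (not part of Paul's message or the list archive): since the kernel line carries no address, one triage step is to fold syslog's "last message repeated" lines back into the event they refer to and list which address-bearing messages were logged within a few minutes of each occurrence. The sample log, the 192.0.2.10 address, the rpc.mountd line format and the 10-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in classic syslog format (not the poster's actual log).
SAMPLE_LOG = """\
Dec 10 17:54:02 liz fingerd[9511]: rejected @ebille.cudenver.edu
Dec 10 18:10:31 liz rpc.mountd: export request from 192.0.2.10
Dec 10 18:12:00 liz kernel: eth0: tx interrupt but no status
Dec 10 18:16:14 liz last message repeated 4 times
Dec 10 19:40:05 liz kernel: eth0: tx interrupt but no status
"""

LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def parse(text, year=2001):
    """Return [first_seen, last_seen, message, count] per distinct event.
    Classic syslog omits the year, so it is supplied by the caller."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        rep = REPEAT.match(m.group(3))
        if rep:
            if events:  # a repeat line extends the event logged just before it
                events[-1][1] = ts
                events[-1][3] += int(rep.group(1))
        else:
            events.append([ts, ts, m.group(3), 1])
    return events

def nearby_sources(events, needle, window=timedelta(minutes=10)):
    """For each event containing needle, list (time, [addresses]) of messages
    that carry an IPv4 address and fall within window of the event's span."""
    report = []
    for first, last, msg, count in events:
        if needle not in msg:
            continue
        near = [(t0, IPV4.findall(other)) for t0, _, other, _ in events
                if IPV4.search(other) and first - window <= t0 <= last + window]
        report.append((first, count, near))
    return report

if __name__ == "__main__":
    for first, count, near in nearby_sources(parse(SAMPLE_LOG), "tx interrupt"):
        print(first, f"x{count}", near or "no address-bearing lines nearby")
```

Time proximity is only a lead for further checking; it does not show that a listed host caused the driver message.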
