[lug] route add -host attacks

Jeff feenix at ticnet.com
Wed Nov 14 19:32:17 MST 2001


Dunno.  I'm also on the AT&T network.  I don't seem to have this
problem.  Just to be sure, I checked my message logs for the following:
211.23.141.22
attackalert
primatex
"/sbin/route"

And came up blank.  Possible hack?  Port 111 is Sun RPC.  Not totally
sure what that does, but you may want to consider rebuilding the route
table.  Have you tried route or route -n?
What are the results?  Does the below IP show up?  If so you may have a
problem.  If not...

$0.02
Jeff

Warren Sanders wrote:
> 
> Anyone know anything about a known virus or other wrappers adding hosts to your
> route table?  Earlier this week I asked about my corrupt route table but no
> reply.  I now have found (after hacking away at my machine daily) several
> entries in my messages log:
> 
> Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: SYN/Normal scan from host: ms1.primatex.com.tw/211.23.141.22 to TCP port: 111
> Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: Host 211.23.141.22 has been blocked via wrappers with string: "ALL: 211.23.141.22"
> Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: Host 211.23.141.22 has been blocked via dropped route using command: "/sbin/route add -host 211.23.141.22 gw 127.0.0.1"
> 
> I have been getting these since mid October and it seems to take a couple weeks to
> kill your route table.
> 
> BTW: I'm on the @home network.
> 
> --
> Warren Sanders
> http://MontanaLinux.Org

-- 
"Yet they are mistaken, they will be exposed, and they will discover
what others in the past have learned;  Those who make war against the
United States have chosen their own destruction."
G. Bush Jr.  Sept '01
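
The log lines quoted in this thread show portsentry itself recording the "/sbin/route add -host ... gw 127.0.0.1" command it ran for the scanning host. As an added example (not part of the original messages), this Python script cross-checks such attackalert entries against `route -n` output to separate loopback host routes that portsentry logged from ones it did not; the `route -n` listing, the 198.51.100.7 entry and all function names are constructed for illustration.

```python
import re

# Constructed sample input: the portsentry entries quoted in the thread (one per
# line) and a made-up `route -n` listing with one extra loopback host route.
SAMPLE_LOG = """\
Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: SYN/Normal scan from host: ms1.primatex.com.tw/211.23.141.22 to TCP port: 111
Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: Host 211.23.141.22 has been blocked via wrappers with string: "ALL: 211.23.141.22"
Nov 14 13:50:06 Sandman portsentry[11928]: attackalert: Host 211.23.141.22 has been blocked via dropped route using command: "/sbin/route add -host 211.23.141.22 gw 127.0.0.1"
"""
SAMPLE_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
211.23.141.22   127.0.0.1       255.255.255.255 UGH   0      0        0 lo
198.51.100.7    127.0.0.1       255.255.255.255 UGH   0      0        0 lo
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0
"""

SCAN = re.compile(r"attackalert: \S+ scan from host: \S+/([\d.]+) to (TCP|UDP) port: (\d+)")
ROUTE = re.compile(r'attackalert: Host ([\d.]+) has been blocked via dropped route '
                   r'using command: "([^"]+)"')

def scans(log):
    """Return (ip, protocol, port) for every scan portsentry reported."""
    return [(m.group(1), m.group(2), int(m.group(3))) for m in SCAN.finditer(log)]

def portsentry_blocks(log):
    """Map each IP portsentry says it null-routed to the command it logged."""
    return {m.group(1): m.group(2) for m in ROUTE.finditer(log)}

def loopback_host_routes(route_n):
    """Return destinations of host routes (H flag) whose gateway is 127.0.0.1."""
    hosts = set()
    for line in route_n.splitlines():
        f = line.split()
        if len(f) >= 8 and f[1] == "127.0.0.1" and "H" in f[3]:
            hosts.add(f[0])
    return hosts

def classify(log, route_n):
    """Split loopback host routes into (logged by portsentry, not in the log)."""
    logged = set(portsentry_blocks(log))
    present = loopback_host_routes(route_n)
    return sorted(present & logged), sorted(present - logged)

if __name__ == "__main__":
    explained, unexplained = classify(SAMPLE_LOG, SAMPLE_ROUTES)
    print("routes matching a portsentry block:", explained)
    print("loopback host routes with no portsentry entry:", unexplained)
```

On a live system the two inputs would be the syslog messages file and the saved output of `route -n`.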


