[lug] eth0: tx interrupt but no status

Paul Bille paul at ebille.cudenver.edu
Mon Dec 10 20:57:03 MST 2001


Dec 10 18:12:00 liz kernel: eth0: tx interrupt but no status
Dec 10 18:16:14 liz last message repeated 4 times
Dec 10 18:18:13 liz kernel: eth0: tx interrupt but no status
Dec 10 18:19:29 liz last message repeated 5 times

Anyone familiar with a hacker named Garry Williamson out of Australia?

Actually, I don't imagine the hacker is Garry. Maybe Garry's system has been
hacked. In any case, I got a very strange e-mail from Garry's system, and
someone has been hammering on my system all day long.

This is the e-mail message I received from Garry at 6:18pm Dec 10:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
I'm wondering why the below information is attached to the three hack
attempts that have been trying to finger my puter,.... just wondering that
is ........cause if I can find this then maybe I can get into you, perhaps
you never thought of that ................aye ?
Login: paul Name: Paul Bille
Directory: /home/paul Shell: /bin/csh
On since Mon Dec 10 11:03 (MST) on :0 (messages off)
Mail last read Mon Dec 10 18:27 2001 (MST)
Plan: Paul Bille
<http://bille.cudenver.edu/author>
Regards,
Garry Williamson
~~~~~~~~~~~~~~~~~~~~~~~~~~~
It could be just some kid who's fascinated because "finger" actually works.
On the other hand it could be a warning.

I don't think my system has been compromised yet but . . . Here are a few
lines from my syslog that concern me:

Dec 9 19:52:36 liz rpc.mountd: export request from 192.207.173.213

I don't know anyone on 192.207.173.xxx and I certainly didn't export my disk
to them.
Name: j30.engr.subr.edu
Address: 192.207.173.213

Dec 10 15:44:52 liz sshd[1980]: log: Connection from 211.120.48.7 port 3409
Dec 10 15:44:57 liz sshd[1980]: log: Could not reverse map address 211.120.48.7.
Dec 10 15:44:57 liz sshd[1980]: fatal: Did not receive ident string.
What is the significance of port 3409? It's not one of the "well known
ports". I don't think I'm providing a service on 3409.
I can trace 211.120.48.7 back to shinkawa.jp but I can't get anything with
nslookup.

All day long I've been getting:
Dec 10 19:20:44 liz kernel: eth0: tx interrupt but no status
Dec 10 17:05:58 liz kernel: eth0: tx interrupt but no status
Dec 10 17:09:58 liz kernel: eth0: tx interrupt but no status
Dec 10 17:10:00 liz CROND[5584]: (root) CMD ( /sbin/rmmod -as)
Dec 10 17:10:15 liz kernel: eth0: tx interrupt but no status
Dec 10 17:12:25 liz kernel: eth0: tx interrupt but no status
Dec 10 17:20:00 liz CROND[7074]: (root) CMD ( /sbin/rmmod -as)
Dec 10 17:30:00 liz CROND[7523]: (root) CMD ( /sbin/rmmod -as)
Dec 10 17:33:24 liz kernel: 202.101.5.90 sent an invalid ICMP error to a broadcast.
Dec 10 17:33:27 liz kernel: 202.101.5.90 sent an invalid ICMP error to a broadcast.
Dec 10 17:37:05 liz kernel: eth0: tx interrupt but no status
Dec 10 17:53:26 liz kernel: eth0: tx interrupt but no status
Dec 10 17:54:01 liz kernel: eth0: tx interrupt but no status
Dec 10 17:54:02 liz fingerd[9511]: rejected @ebille.cudenver.edu
Dec 10 17:54:12 liz fingerd[9579]: rejected @ebille.cudenver.edu
Dec 10 17:54:15 liz fingerd[9604]: rejected @ebille.cudenver.edu
Dec 10 18:12:00 liz kernel: eth0: tx interrupt but no status
Dec 10 18:16:14 liz last message repeated 4 times
Dec 10 18:18:13 liz kernel: eth0: tx interrupt but no status
Dec 10 18:19:29 liz last message repeated 5 times

It appears they've been hammering on the system but as far as I can tell
they haven't compromised the system yet. I don't want to take the system
offline but I am concerned. Is anyone else experiencing this kind of
activity? Is it anything to be concerned about?

Thanks,
Paul
http://bille.cudenver.edu/author/
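The post mixes several unrelated kinds of syslog lines, and the triage question is which of them actually point at a remote party. The script below is an added example written for this archive page; it is not Paul's or the LUG's code. It parses the classic syslog line format shown above, sorts each message into a category (driver noise, cron, NFS export probe, SSH connection, ICMP-to-broadcast error, rejected finger request), folds "last message repeated N times" into the preceding event, and tallies remote-sourced events by IP address. The category names and regexes are my own assumptions, and the sample log is a subset of the lines quoted in the post. Two points the rules encode: the port in the sshd "Connection from ... port 3409" line is the remote client's source port, not a service on liz, and the "eth0: tx interrupt but no status" lines come from the local NIC driver rather than from any remote traffic.

```python
import re
from collections import Counter, defaultdict

# Sample input: a constructed subset of the syslog lines quoted in the post above.
SAMPLE_LOG = """\
Dec 9 19:52:36 liz rpc.mountd: export request from 192.207.173.213
Dec 10 15:44:52 liz sshd[1980]: log: Connection from 211.120.48.7 port 3409
Dec 10 15:44:57 liz sshd[1980]: log: Could not reverse map address 211.120.48.7.
Dec 10 15:44:57 liz sshd[1980]: fatal: Did not receive ident string.
Dec 10 17:05:58 liz kernel: eth0: tx interrupt but no status
Dec 10 17:10:00 liz CROND[5584]: (root) CMD ( /sbin/rmmod -as)
Dec 10 17:33:24 liz kernel: 202.101.5.90 sent an invalid ICMP error to a broadcast.
Dec 10 17:54:01 liz kernel: eth0: tx interrupt but no status
Dec 10 17:54:02 liz fingerd[9511]: rejected @ebille.cudenver.edu
Dec 10 17:54:12 liz fingerd[9579]: rejected @ebille.cudenver.edu
Dec 10 18:12:00 liz kernel: eth0: tx interrupt but no status
Dec 10 18:16:14 liz last message repeated 4 times
"""

# "Mon DD HH:MM:SS host rest" -- the traditional syslog layout used in the post.
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<rest>.*)$"
)
# "prog[pid]: message" or "prog: message"; a bare "last message repeated" has neither.
PROG_RE = re.compile(r"^(?P<prog>[\w./-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")

# (category, remote_sourced, pattern). Categories are assumed names for this example.
RULES = [
    # NIC driver condition reported by the kernel; no remote party involved.
    ("nic_driver", False, re.compile(r"^eth\d+: tx interrupt but no status")),
    ("cron", False, re.compile(r"^\(root\) CMD")),
    # A remote host asked rpc.mountd for an export list.
    ("nfs_export_probe", True, re.compile(r"^export request from")),
    # The port here is the client's source port, not a service on this host.
    ("ssh_scan", True, re.compile(r"^log: Connection from")),
    # Follow-up lines for the same sshd session; counted but not re-attributed.
    ("ssh_followup", False, re.compile(r"^(log: Could not reverse map|fatal: Did not receive ident)")),
    ("icmp_bcast_error", True, re.compile(r"sent an invalid ICMP error to a broadcast")),
    # This fingerd line format carries no client address, so the source stays "unknown".
    ("finger_rejected", True, re.compile(r"^rejected @")),
]


def parse_line(line):
    """Split one syslog line into ts, host, prog, pid and msg; None if it does not parse."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest = m.group("rest")
    pm = PROG_RE.match(rest)
    if pm:
        prog, pid, msg = pm.group("prog"), pm.group("pid"), pm.group("msg")
    else:
        prog, pid, msg = None, None, rest
    return {"ts": m.group("ts"), "host": m.group("host"), "prog": prog, "pid": pid, "msg": msg}


def classify(msg):
    """Return (category, remote_sourced) for a message; ("other", False) if no rule matches."""
    for cat, remote, rx in RULES:
        if rx.search(msg):
            return cat, remote
    return "other", False


def triage(log_text):
    """Count events per category and, for remote-sourced categories, per source IP.

    'last message repeated N times' lines add N to the previous event's counters.
    """
    by_category = Counter()
    by_source = defaultdict(Counter)
    last = None  # (category, remote, ip) of the previous non-repeat line
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        rep = REPEAT_RE.match(rec["msg"])
        if rep:
            if last is not None:
                cat, remote, ip = last
                n = int(rep.group(1))
                by_category[cat] += n
                if remote:
                    by_source[cat][ip] += n
            continue
        cat, remote = classify(rec["msg"])
        ipm = IPV4_RE.search(rec["msg"])
        ip = ipm.group(1) if ipm else "unknown"
        by_category[cat] += 1
        if remote:
            by_source[cat][ip] += 1
        last = (cat, remote, ip)
    return {"by_category": dict(by_category),
            "by_source": {c: dict(s) for c, s in by_source.items()}}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for cat, n in sorted(result["by_category"].items()):
        print(f"{cat:18s} {n:3d}  {result['by_source'].get(cat, '')}")
```

Run on the sample, the summary shows the 7 NIC-driver lines and the cron entries with no source attached, and three distinct remote addresses behind the export probe, the SSH connection and the ICMP error, which is the short list a defender would look up or block rather than the whole log.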
