[lug] eth0: tx interrupt but no status
Paul Bille
paul at ebille.cudenver.edu
Mon Dec 10 23:18:46 MST 2001
Dan,
Thanks for the feedback.
One clarification, I am on the cudenver.edu domain. Randy Hagan is my
sysadmin.
The rpc.mountd: export request came from 192.207.173.213 j30.engr.subr.edu,
which is Southern University Baton Rouge. This may or may not be related to
the "eth0: tx interrupt" stuff.
I interpret the
> Dec 10 17:54:02 liz fingerd[9511]: rejected @ebille.cudenver.edu
messages to indicate MY system is rejecting finger requests for invalid
users. I think someone is looking for usernames.
> . . . makes me roll my eyes back and laugh . . .
You're right. I traced the e-mail address back to a photographer in
Australia. He doesn't appear to be a sophisticated user but then what do I
know?
http://www.qldwide.net.au/~garryw/page3.html - Garry Williamson
I'm not worried about him or the finger requests (except in the context of
username searches) but I am concerned about the "eth0: tx interrupt but no
status".
> Dec 10 18:12:00 liz kernel: eth0: tx interrupt but no status
> Dec 10 18:16:14 liz last message repeated 4 times
I'm concerned because I interpret these messages to indicate someone is
trying to get malformed packets through my ethernet connection. I had a
system subjected to a BIND overflow attack and the syslog was filled with
"eth0: tx interrupt but no status". I may be reading too much into this but
I'm concerned.
> . . . I track them down and report them to all technical contacts . . .
I'm trying to figure out what's going on and where it's coming from.
Unfortunately an IP isn't logged with the eth0 interrupt. Getting weird
e-mail messages like the one I got from the Australian photographer just
confuse the issue. The scans seem to have stopped as of about 20:00 Rocky
Mountain Time. I hope they've stopped for good.
Thanks,
Paul
http://bille.cudenver.edu/author