No subject


Tue Jun 4 12:17:20 MDT 2013


have caused a crash. From the very sketchy info I found, it seems that
this is a left-over message from then. It still is useful, indicating a
possible packet overrun, which in turn might mean just too much traffic
for real, or someone doing malicious things. I suspect that other
indications will show up if it is accompanied by buffer overflow
attacks, though a successful buffer overflow could result in lost
control and lost logs before you see it (then again, once a successful
rooting has been done, you would expect the attacks to stop).
Personally, I'd set up a firewall rule to deny all traffic to or from
www.qldwide.net.au, or maybe even the /24 of its IP.

> 
> > Dec 10 18:12:00 liz kernel: eth0: tx interrupt but no status
> > Dec 10 18:16:14 liz last message repeated 4 times
> 
> I'm concerned because I interpret these messages to indicate someone is
> trying to get malformed packets through my ethernet connection.  I had a
> system subjected to a BIND overflow attack and the syslog was filled with
> "eth0: tx interrupt but no status".  I may be reading too much into this but
> I'm concerned.

If BIND is visible to everyone on the Internet, and you do not have the
absolutely newest version, you probably are rooted. Possibly used as the
*source* of a flood attack. There are other ports to look out for as
well that, if they do not have the absolutely newest software behind
them, are also sources of being rooted. The NFS stuff and lpd come
to mind.

> 
> >  . . . I track them down and report them to all technical contacts . . .
> 
> I'm trying to figure out what's going on and where it's coming from.
> Unfortunately an IP isn't logged with the eth0 interrupt.  Getting weird
> e-mail messages like the one I got from the Australian photographer just
> confuse the issue.  The scans seem to have stopped as of about 20:00 Rocky
> Mountain Time.  I hope they've stopped for good.

Save the email and view the full header; don't go by what the email
appears to be when looking directly at it.

D. Stimits, stimits at idcomm.com

> 
> Thanks,
> Paul
> http://bille.cudenver.edu/author
> 
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug


