Something one can do against an IP being used for attacks?
Hi there,

found lots of this in my log:

Dec 9 14:58:50 encoco sshd[27696]: connect from root@IP
Dec 9 14:58:50 encoco sshd[27696]: log: Connection from IP port 3756
Dec 9 14:58:50 encoco sshd[27696]: log: Could not reverse map address IP.
Dec 9 14:59:00 encoco sshd[27696]: fatal: Local: crc32 compensation attack: network attack detected

I have changed IP in above.

Something one can do against this IP being used for attacks? Or, uncover the person behind?

regards
Rowald

On Wednesday 12 December 2001 08:50, Rowald Kade wrote:
found lots of this in my log:
Dec 9 14:58:50 encoco sshd[27696]: connect from root@IP
Dec 9 14:58:50 encoco sshd[27696]: log: Connection from IP port 3756
Dec 9 14:58:50 encoco sshd[27696]: log: Could not reverse map address IP.
Dec 9 14:59:00 encoco sshd[27696]: fatal: Local: crc32 compensation attack: network attack detected
I have changed IP in above.
Something one can do against this IP being used for attacks? Or, uncover the person behind?

First step - Don't walk, *run* and get the latest ssh updates installed on this system. I recently had a server cracked, rooted and owned by someone using the latest ssh exploits. Log entries with "crc32 compensation" occurred just before it got taken over. Please see:

http://www.suse.com/de/support/security/2001_045_openssh_txt.txt
http://www.suse.com/de/support/security/2001_044_openssh_txt.txt
http://staff.washington.edu/dittrich/misc/ssh-analysis.txt

for info. Also, make sure you have ssh1 "fall-back" disabled.

As for tracking down a responsible party for the IP address in question, I like spamcop.net's host tracker, or samspade.org.

Best of luck with it - I sincerely hope your experience proves to be better than mine.
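
Added example, not part of either post: the "crc32 compensation attack" line in the quoted log carries no address, so this sketch recovers the source by matching the sshd process ID against the earlier "Connection from" line and counts alerts per source for an abuse report. The sample log is constructed in the thread's format; the addresses are documentation-range placeholders and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread; addresses are
# documentation-range placeholders (the poster redacted the real one).
SAMPLE_LOG = """\
Dec 9 14:58:50 encoco sshd[27696]: connect from root@192.0.2.10
Dec 9 14:58:50 encoco sshd[27696]: log: Connection from 192.0.2.10 port 3756
Dec 9 14:58:50 encoco sshd[27696]: log: Could not reverse map address 192.0.2.10.
Dec 9 14:59:00 encoco sshd[27696]: fatal: Local: crc32 compensation attack: network attack detected
Dec 9 15:02:11 encoco sshd[27701]: log: Connection from 198.51.100.7 port 4410
Dec 9 15:02:15 encoco sshd[27701]: log: Closing connection to 198.51.100.7
Dec 9 15:03:40 encoco sshd[27710]: log: Connection from 192.0.2.10 port 3790
Dec 9 15:03:49 encoco sshd[27710]: fatal: Local: crc32 compensation attack: network attack detected
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)\s+sshd\[(\d+)\]:\s+(.*)$")
CONN_RE = re.compile(r"Connection from (\S+) port (\d+)")
ALERT = "crc32 compensation attack"

def find_crc32_alerts(log_text):
    """Return (timestamp, source_ip, pid) for each crc32 alert.

    The fatal line carries no address, so the source is recovered from the
    earlier "Connection from" line logged by the same sshd process ID.
    """
    source_by_pid = {}
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd syslog line
        stamp, _host, pid, msg = m.groups()
        conn = CONN_RE.search(msg)
        if conn:
            source_by_pid[pid] = conn.group(1)  # PIDs get reused; latest wins
        elif ALERT in msg:
            alerts.append((stamp, source_by_pid.get(pid, "unknown"), pid))
    return alerts

def alerts_per_source(log_text):
    """Count alerts per source address, e.g. as evidence for an abuse report."""
    return Counter(ip for _stamp, ip, _pid in find_crc32_alerts(log_text))

if __name__ == "__main__":
    for stamp, ip, pid in find_crc32_alerts(SAMPLE_LOG):
        print(f"{stamp}  sshd[{pid}]  source={ip}")
    print(dict(alerts_per_source(SAMPLE_LOG)))
```
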