Mailinglist Archive: opensuse-security (685 mails)
hacked??
- From: Leen de Braal <ldb@xxxxxxxx>
- Date: Tue, 19 Feb 2002 21:03:00 +0100
- Message-id: <5.1.0.14.0.20020219203505.02d264e0@xxxxxxxxxxxxxxxxxx>
Got this message from my server:
Monitor on l1 for 'Internet and RPC Server'
has detected that the service is down at Tue Feb 19 03:55:01 2002
Checking logs gave me lots of lines like this:
Feb 19 03:44:26 l1 sshd[27929]: fatal: Local: Your ssh version is too old and is no longer supported. Please install a newer version.
Feb 19 03:44:48 l1 sshd[27931]: fatal: Local: Your ssh version is too old and is no longer supported. Please install a newer version.
Feb 19 03:44:59 l1 sshd[27932]: fatal: Local: crc32 compensation attack: network attack detected
Feb 19 03:45:15 l1 sshd[27933]: fatal: Local: crc32 compensation attack: network attack detected
Feb 19 03:46:03 l1 sshd[27979]: fatal: Local: crc32 compensation attack: network attack detected
Feb 19 03:46:20 l1 sshd[27980]: fatal: Local: crc32 compensation attack: network attack detected
Feb 19 03:46:36 l1 sshd[27981]: fatal: Local: crc32 compensation attack: network attack detected
Feb 19 03:46:52 l1 sshd[27983]: fatal: Local: crc32 compensation attack: network attack detected
Feb 19 03:47:08 l1 sshd[27984]: fatal: Local: Corrupted check bytes on input.
Feb 19 03:47:39 l1 sshd[27986]: fatal: Local: crc32 compensation attack: network attack detected
Feb 19 03:54:24 l1 kernel: eth1: Setting Rx mode to 2 addresses.
Feb 19 03:54:24 l1 kernel: eth1: Setting Rx mode to 3 addresses.
Feb 19 03:54:24 l1 kernel: eth1: Setting Rx mode to 4 addresses.
Feb 19 03:54:24 l1 kernel: eth1: Setting Rx mode to 5 addresses.
eth1 is my inside of the firewall.
Also in /var/log/messages around that time:
Feb 19 03:18:53 l1 sshd[27722]: connect from 65.107.153.146
Feb 19 03:18:53 l1 sshd[27722]: log: Connection from 65.107.153.146 port 2934
Feb 19 03:18:54 l1 sshd[27723]: connect from 65.107.153.146
Feb 19 03:18:54 l1 sshd[27723]: log: Connection from 65.107.153.146 port 3401
Feb 19 03:18:55 l1 sshd[27723]: log: Could not reverse map address 65.107.153.146.
Feb 19 03:18:55 l1 sshd[27722]: log: Could not reverse map address 65.107.153.146.
Feb 19 03:18:55 l1 sshd[27723]: fatal: Local: Your ssh version is too old and is no longer supported. Please install a newer version.
Feb 19 03:19:05 l1 sshd[27724]: connect from 65.107.153.146
Feb 19 03:19:05 l1 sshd[27724]: log: Connection from 65.107.153.146 port 3402
Feb 19 03:19:06 l1 sshd[27724]: log: Could not reverse map address 65.107.153.146.
This goes on for different ports.
I tried to host 65.107.153.146; nothing came up. nmapping this host showed port 23 open (???).
In the logs since this afternoon:
Feb 19 13:49:54 l1 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:1106 255.255.255.255:25601 L=36 S=0x00 I=61935 F=0x0000 T=128 (#1)
Feb 19 13:49:54 l1 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:1106 255.255.255.255:25602 L=36 S=0x00 I=61936 F=0x0000 T=128 (#1)
Feb 19 13:49:54 l1 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:1106 255.255.255.255:25603 L=36 S=0x00 I=61937 F=0x0000 T=128 (#1)
Feb 19 13:49:54 l1 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:1106 255.255.255.255:25604 L=36 S=0x00 I=61938 F=0x0000 T=128 (#1)
Feb 19 13:49:54 l1 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:1106 255.255.255.255:25605 L=36 S=0x00 I=61939 F=0x0000 T=128 (#1)
Feb 19 13:49:54 l1 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:1106 255.255.255.255:25606 L=36 S=0x00 I=61940 F=0x0000 T=128 (#1)
Feb 19 13:49:54 l1 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:1106 255.255.255.255:25607 L=36 S=0x00 I=61941 F=0x0000 T=128 (#1)
Feb 19 13:49:54 l1 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:1106 255.255.255.255:25608 L=36 S=0x00 I=61942 F=0x0000 T=128 (#1)
Feb 19 13:49:54 l1 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:1106 255.255.255.255:25609 L=36 S=0x00 I=61943 F=0x0000 T=128 (#1)
Feb 19 13:49:54 l1 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:1106 255.255.255.255:25610 L=36 S=0x00 I=61944 F=0x0000 T=128 (#1)
Feb 19 13:49:54 l1 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:1106 255.255.255.255:25611 L=36 S=0x00 I=61945 F=0x0000 T=128 (#1)
Feb 19 13:49:54 l1 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:1106 255.255.255.255:25612 L=36 S=0x00 I=61946 F=0x0000 T=128 (#1)
Feb 19 13:49:54 l1 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:1106 255.255.255.255:25613 L=36 S=0x00 I=61947 F=0x0000 T=128 (#1)
Feb 19 13:49:54 l1 kernel: Packet log: input DENY eth0 PROTO=17 192.168.0.1:1106 255.255.255.255:25614 L=36 S=0x00 I=61948 F=0x0000 T=128 (#1)
eth0 is my Internet side (cablemodem).
Does anyone have any idea what exactly was going on? In the meantime I have rebooted the server and pulled the plug on the cablemodem. What can I do best?
Rgds
Leen
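The "crc32 compensation attack" and "Corrupted check bytes" lines come from the SSH1 server's insertion-attack detector, so the first triage question is how many connections came from which source and how many of them tripped the detector. The script below is an added example, not part of the original post; it parses syslog-style sshd lines (a constructed sample modelled on the entries above) and tallies sources and fatal-error categories.

```python
import re
from collections import Counter

# Constructed sample input, modelled on the sshd entries quoted in the post.
SAMPLE_LOG = """\
Feb 19 03:18:53 l1 sshd[27722]: connect from 65.107.153.146
Feb 19 03:18:53 l1 sshd[27722]: log: Connection from 65.107.153.146 port 2934
Feb 19 03:18:55 l1 sshd[27723]: fatal: Local: Your ssh version is too old and is no longer supported. Please install a newer version.
Feb 19 03:44:59 l1 sshd[27932]: fatal: Local: crc32 compensation attack: network attack detected
Feb 19 03:45:15 l1 sshd[27933]: fatal: Local: crc32 compensation attack: network attack detected
Feb 19 03:47:08 l1 sshd[27984]: fatal: Local: Corrupted check bytes on input.
Feb 19 03:54:24 l1 kernel: eth1: Setting Rx mode to 2 addresses.
"""

# syslog line: "<Mon DD HH:MM:SS> <host> sshd[<pid>]: <message>"
SSHD_RE = re.compile(r'^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[(\d+)\]: (.*)$')
CONNECT_RE = re.compile(r'^connect from (\d+\.\d+\.\d+\.\d+)$')

# Category name -> substring that identifies the fatal message.
MARKERS = {
    "old_version": "Your ssh version is too old",   # client spoke an old SSH1 version
    "crc32_attack": "crc32 compensation attack",    # SSH1 insertion-attack detector fired
    "corrupted_crc": "Corrupted check bytes",       # packet CRC did not verify
}

def triage(log_text):
    """Return per-source connection counts, per-category fatal counts and an
    ordered event list (timestamp, pid, category) for the sshd lines in log_text."""
    sources, categories, events = Counter(), Counter(), []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue                      # kernel and other daemons are skipped
        ts, _host, pid, msg = m.groups()
        c = CONNECT_RE.match(msg)
        if c:
            sources[c.group(1)] += 1
            continue
        for cat, marker in MARKERS.items():
            if marker in msg:
                categories[cat] += 1
                events.append((ts, int(pid), cat))
    return {"sources": dict(sources), "categories": dict(categories), "events": events}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

Run it over the real /var/log/messages instead of SAMPLE_LOG to see whether the detector hits line up with a single source and how densely they cluster in time.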