Re: [suse-security] telnet and su attack on my linux
Oh, and I forgot:
notify the admins (they can be found via whois lookups) of the systems you suppose were the attackers. If the attacks really originated there, those systems are most likely cracked and under the enemy's control, too.
cya,
Stefan
Ya, I did it, but rr.com seems to be a big provider in the US, so the cracker could hide his attack in the dynamic IP address.
Gerd
On Fri, 17 Sep 1999 gbruchhaus@makrolog.de wrote:
Ya, I did it, but rr.com seems to be a big provider in the US, so the cracker could hide his attack in the dynamic IP address.
Normally it should be possible for a provider to identify his client by IP address, date and time.
Peter
--
URL: http://gmv.spm.univ-rennes1.fr/~peter/
There are a lot of possibilities here. The cracker could have 1) broken into the ISP and stolen an account, 2) broken into a dial-up user's box and attacked from there, or 3) stolen a dial-up user's password. In any case the ISP needs to know about it, and should be able to figure out what happened, if they are clever.
scott
----- Original Message -----
From: Peter Münster
Normally it should be possible for a provider to identify his client by IP address, date and time.
Peter
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
rr.com is a cable ISP (Road Runner), so it's much more likely that it is a static (or only mildly dynamic) IP address.
D
At 12:05 PM 9/17/99 -0500, scott wrote:
There are a lot of possibilities here. The cracker could have 1) broken into the ISP and stolen an account, 2) broken into a dial-up user's box and attacked from there, or 3) stolen a dial-up user's password. In any case the ISP needs to know about it, and should be able to figure out what happened, if they are clever.
scott
Ah, cable modems. A lot of cable modem users use WinGate to split their bandwidth without buying additional IP addresses. The problem with that is that WinGate has a telnet proxy with no authentication installed by default (I'm sure most of you have heard of this) and allows an attacker to "bounce" around. Also, I think *nix boxes are a lot more common on cable modems than they are on dial-up, so the attacker could have broken into an innocent user's machine and attacked from there.
The point of all this is, just because you see an IP address in your logs does not mean that is the attacker's true point of origin.
scott
----- Original Message -----
From: Derek Balling
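scott's point is that the address in the log is only the last hop. Before it can be reported to anyone, though, it first has to be tied to the su attempts at all: on a telnet box the su lines carry no source address, only a tty, so the link runs through the login on that tty. The following is an added example for this thread, not code from scott or anyone else on the list. The syslog formats are assumptions modelled on tcp_wrappers, login(1) and the shadow su(1) of the period, and the sample lines are constructed, not a real log.

```python
"""Attribute su(1) attempts on a telnet server to the connecting source address.

Added example for this thread, not code from any of the posters. The syslog
formats below are assumptions modelled on tcp_wrappers, login(1) and the shadow
su(1) of the period; the sample lines are constructed, not a real log:

  in.telnetd[pid]: connect from <host>
  login[pid]: LOGIN ON <tty> BY <user> FROM <host>
  su[pid]: - <tty> <user>-<target>      (failed su)
  su[pid]: + <tty> <user>-<target>      (successful su)

su lines carry no source address; the link to the attacker is the tty, so each
su event is attributed to the most recent login on that tty.
"""
import re
from collections import defaultdict

# Constructed sample: a brute force on ttyp0 from 24.0.0.10, a legitimate admin
# on ttyp1, then ttyp0 reused by a second session from 24.0.0.77 that fails
# once and then succeeds.
SAMPLE_LOG = """\
Sep 17 02:13:44 linux in.telnetd[1301]: connect from 24.0.0.10
Sep 17 02:13:51 linux login[1301]: LOGIN ON ttyp0 BY gerd FROM 24.0.0.10
Sep 17 02:14:02 linux su[1310]: - ttyp0 gerd-root
Sep 17 02:14:09 linux su[1312]: - ttyp0 gerd-root
Sep 17 02:14:15 linux su[1314]: - ttyp0 gerd-root
Sep 17 02:20:30 linux in.telnetd[1330]: connect from 192.168.1.5
Sep 17 02:20:35 linux login[1330]: LOGIN ON ttyp1 BY admin FROM 192.168.1.5
Sep 17 02:20:40 linux su[1340]: + ttyp1 admin-root
Sep 17 03:01:12 linux in.telnetd[1402]: connect from 24.0.0.77
Sep 17 03:01:20 linux login[1402]: LOGIN ON ttyp0 BY gerd FROM 24.0.0.77
Sep 17 03:01:25 linux su[1410]: - ttyp0 gerd-root
Sep 17 03:01:33 linux su[1411]: + ttyp0 gerd-root
"""

CONNECT_RE = re.compile(r"in\.telnetd\[\d+\]: connect from (?P<host>\S+)$")
LOGIN_RE = re.compile(r"login\[\d+\]: LOGIN ON (?P<tty>\S+) BY (?P<user>\S+) FROM (?P<host>\S+)$")
SU_RE = re.compile(r"su\[\d+\]: (?P<result>[+-]) (?P<tty>\S+) (?P<user>\S+)-(?P<target>\S+)$")


def new_entry():
    return {"connects": 0, "logins": 0, "su_failed": 0, "su_ok": 0, "escalated": False}


def attribute_su(log_text):
    """Return {source host: counters}; su events are tied to the last login on the tty."""
    sessions = {}                      # tty -> source host of the most recent login
    report = defaultdict(new_entry)
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            report[m["host"]]["connects"] += 1
            continue
        m = LOGIN_RE.search(line)
        if m:
            sessions[m["tty"]] = m["host"]   # a later login on the same tty replaces this
            report[m["host"]]["logins"] += 1
            continue
        m = SU_RE.search(line)
        if m:
            host = sessions.get(m["tty"], "unknown-source")  # su on a tty with no logged login
            entry = report[host]
            if m["result"] == "-":
                entry["su_failed"] += 1
            else:
                entry["su_ok"] += 1
                # a success after earlier failures from the same source is the case to act on
                if entry["su_failed"]:
                    entry["escalated"] = True
    return dict(report)


def suspicious_sources(report, fail_threshold=3):
    """Hosts with at least fail_threshold failed su attempts, or a success after failures."""
    return sorted(h for h, e in report.items()
                  if e["su_failed"] >= fail_threshold or e["escalated"])


if __name__ == "__main__":
    rep = attribute_su(SAMPLE_LOG)
    for host in suspicious_sources(rep):
        print(host, rep[host])
```

The hosts this prints are the ones to look up with whois and report, as Stefan suggests; with scott's caveat that each of them may be a WinGate bounce or a cracked box rather than the person behind the keyboard. Note the tty reuse in the sample: ttyp0 is handed to a second session later, so attribution has to follow the latest login on a tty, not the first.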
On Fri, 17 Sep 1999 gbruchhaus@makrolog.de wrote:
Ya, I did it, but rr.com seems to be a big provider in the US, so the cracker could hide his attack in the dynamic IP address.
Normally it should be possible for a provider to identify his client by IP address, date and time.
rr.com (RoadRunner) is a cable system ISP. They provide access on cable TV networks here in the U.S. Although the IPs are dynamic they change very rarely. ISPs are required to keep connection logs here in the U.S. rr.com does not offer dial-up so it should be very easy to track.
Cable modems are a high source of abuse. If the legitimate person on the network was not directly responsible for the attack, he/she has allowed a malicious person to use their connection by having a poorly administered machine or by using some stupid program like WinGate that is improperly installed/configured.
I recommend denying all traffic from *rr.com and *home.com. Too many children with high-speed access have nothing better to do than break into your machines.
Mario
At 11:40 AM 9/17/99 -0700, you wrote:
rr.com (RoadRunner) is a cable system ISP. They provide access on cable TV networks here in the U.S. Although the IPs are dynamic they change very rarely. ISPs are required to keep connection logs here in the U.S.
No they're not. Cite the law on that, please. We do it because we're good members of the community, but ISPs are unregulated and there are no logging requirements as near as I can tell.
I recommend denying all traffic from *rr.com and *home.com. Too many children with high speed access that have nothing better to do than break into your machines.
That would also break lots of GOOD users, like myself. :) I recommend denying traffic from ALL outside locations, except those you need and those you need to be "public" (smtp and http).
D
On Fri, 17 Sep 1999 you wrote:
Ya, I did it, but rr.com seems to be a big provider in the US, so the cracker could hide his attack in the dynamic IP address.
Gerd
Don't they have log files for WHO-GETS-WHICH-IP-NUMBER-AT-WHAT-TIME?
Greets
Martin
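Peter and Martin both ask for the provider-side record: who held which IP number at what time. The following is an added example of that lookup, reconstructed from a DHCP server log; it is not code from anyone in the thread. The dhcpd-style log format and the 4-hour lease time are assumptions and the log lines are constructed. It covers the two cases Derek raises for a cable address: one that is renewed by the same modem for a long stretch, and one that is released and then handed to somebody else, where a query in the gap must not name the previous holder.

```python
"""Who held IP X at time T, reconstructed from a DHCP server log.

Added example for this thread, not from any poster. The log format is an
assumption loosely modelled on ISC dhcpd syslog lines, the lease time is an
assumed 4 hours, and the lines are constructed, not a real log:

  <iso timestamp> dhcpd: DHCPACK on <ip> to <mac> via <iface>
  <iso timestamp> dhcpd: DHCPRELEASE of <ip> from <mac> via <iface>

A renewal by the same client extends its lease; an ACK to a different client or
a release ends it. A query in a gap (address unassigned) returns None rather
than the previous holder.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LEASE_TIME = timedelta(hours=4)   # assumed server lease length

# Constructed sample: 24.0.0.10 is held and renewed by one modem, released,
# then handed to a second modem; 24.0.0.77 is assigned once.
LEASE_LOG = """\
1999-09-16T22:00:00 dhcpd: DHCPACK on 24.0.0.10 to 00:a0:c9:11:22:33 via eth1
1999-09-17T01:30:00 dhcpd: DHCPACK on 24.0.0.10 to 00:a0:c9:11:22:33 via eth1
1999-09-17T02:40:00 dhcpd: DHCPRELEASE of 24.0.0.10 from 00:a0:c9:11:22:33 via eth1
1999-09-17T02:55:00 dhcpd: DHCPACK on 24.0.0.10 to 00:50:04:aa:bb:cc via eth1
1999-09-17T02:58:00 dhcpd: DHCPACK on 24.0.0.77 to 00:e0:98:de:ad:01 via eth1
"""

ACK_RE = re.compile(r"^(\S+) dhcpd: DHCPACK on (\S+) to (\S+) via")
RELEASE_RE = re.compile(r"^(\S+) dhcpd: DHCPRELEASE of (\S+) from (\S+) via")


def build_timeline(log_text, lease_time=LEASE_TIME):
    """Return {ip: [(start, end, mac), ...]} in log order."""
    leases = defaultdict(list)          # ip -> [start, end, mac] intervals
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            t, ip, mac = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
            ivals = leases[ip]
            if ivals and ivals[-1][2] == mac and ivals[-1][1] > t:
                ivals[-1][1] = t + lease_time        # same client renewing: extend
            else:
                if ivals and ivals[-1][1] > t:
                    ivals[-1][1] = t                 # previous holder's lease ends now
                ivals.append([t, t + lease_time, mac])
            continue
        m = RELEASE_RE.match(line)
        if m:
            t, ip, mac = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
            ivals = leases[ip]
            if ivals and ivals[-1][2] == mac and ivals[-1][1] > t:
                ivals[-1][1] = t                     # explicit release ends the lease
    return {ip: [tuple(i) for i in ivals] for ip, ivals in leases.items()}


def lookup(timeline, ip, when):
    """MAC that held `ip` at `when` (datetime or ISO string), or None if unassigned."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for start, end, mac in timeline.get(ip, []):
        if start <= when < end:
            return mac
    return None


if __name__ == "__main__":
    tl = build_timeline(LEASE_LOG)
    print(lookup(tl, "24.0.0.10", "1999-09-17T02:13:44"))   # first modem
    print(lookup(tl, "24.0.0.10", "1999-09-17T02:45:00"))   # None: released, not reassigned
    print(lookup(tl, "24.0.0.10", "1999-09-17T03:00:00"))   # second modem
```

What the provider recovers this way is a modem or NIC address; mapping that to a subscriber is a separate step in their provisioning records, and the timestamp in the victim's log and the provider's log must be on the same clock (or corrected for the offset) or the lookup lands in the wrong lease. And, as scott notes, the subscriber found this way may only be the bounce point.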
participants (6)
- Derek Balling
- gbruchhaus@makrolog.de
- Martin P. Peikert
- Mr. M
- Peter Münster
- scott