Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] Something one can do against an IP being used for attacks?
On Wednesday 12 December 2001 08:50, Rowald Kade wrote:

> found lots of this in my log:
>
> Dec 9 14:58:50 encoco sshd[27696]: connect from root@IP
> Dec 9 14:58:50 encoco sshd[27696]: log: Connection from IP port 3756
> Dec 9 14:58:50 encoco sshd[27696]: log: Could not reverse map address IP.
> Dec 9 14:59:00 encoco sshd[27696]: fatal: Local: crc32 compensation attack: network attack detected
>
> I have changed IP in above.
>
> Something one can do against this IP being used for attacks? Or, uncover
> the person behind?

First step -

Don't walk, *run* and get the latest ssh updates installed on this system. I
recently had a server cracked, rooted and owned by someone using the latest
ssh exploits. Log entries with "crc32 compensation" occurred just before it
got taken over.

Please see:

http://www.suse.com/de/support/security/2001_045_openssh_txt.txt

http://www.suse.com/de/support/security/2001_044_openssh_txt.txt

http://staff.washington.edu/dittrich/misc/ssh-analysis.txt

for info. Also, make sure you have ssh1 "fall-back" disabled.

As for tracking down a responsible party for the IP address in question, I
like spamcop.net's host tracker, or samspade.org.

Best of luck with it - I sincerely hope your experience proves to be better
than mine.
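
Added example, not part of the original message: a Python script that scans syslog text for the "crc32 compensation attack" entries discussed above and joins each one, by sshd PID, to the "Connection from" line of the same process. The sample log is constructed in the format quoted in the thread, with documentation addresses standing in for the redacted IP; the function names are hypothetical and one log entry per line is assumed.

```python
import re
from collections import defaultdict

# Constructed sample in the format quoted above; 192.0.2.x and
# 198.51.100.x are documentation addresses, not real hosts.
SAMPLE_LOG = """\
Dec  9 14:58:50 encoco sshd[27696]: log: Connection from 192.0.2.10 port 3756
Dec  9 14:58:50 encoco sshd[27696]: log: Could not reverse map address 192.0.2.10.
Dec  9 14:59:00 encoco sshd[27696]: fatal: Local: crc32 compensation attack: network attack detected
Dec  9 15:02:11 encoco sshd[27701]: log: Connection from 198.51.100.7 port 4021
Dec  9 15:02:12 encoco sshd[27701]: log: Closing connection to 198.51.100.7
Dec  9 15:04:30 encoco sshd[27710]: log: Connection from 192.0.2.10 port 3801
Dec  9 15:04:41 encoco sshd[27710]: fatal: Local: crc32 compensation attack: network attack detected
"""

LINE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
                  r"sshd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
CONNECT = re.compile(r"Connection from (?P<ip>\S+) port (?P<port>\d+)")
ALERT = "crc32 compensation attack"

def find_crc32_alerts(log_text):
    """Return one record per crc32 alert, joined by sshd PID to the
    source address logged when that process accepted the connection."""
    source_by_pid = {}
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not an sshd entry in the expected format
        pid, msg = m["pid"], m["msg"]
        c = CONNECT.search(msg)
        if c:
            # PIDs are reused over time, so the latest connect wins
            source_by_pid[pid] = (c["ip"], int(c["port"]))
        elif ALERT in msg:
            ip, port = source_by_pid.get(pid, ("unknown", None))
            alerts.append({"time": m["ts"], "pid": pid, "ip": ip, "port": port})
    return alerts

def alerts_per_source(alerts):
    """Count alerts per source address to show repeat offenders."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    found = find_crc32_alerts(SAMPLE_LOG)
    for a in found:
        print(f'{a["time"]} sshd[{a["pid"]}] crc32 alert from {a["ip"]}:{a["port"]}')
    print(alerts_per_source(found))
```

An alert whose process has no matching "Connection from" line in the scanned text is reported with the source "unknown" rather than dropped.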
