Mailinglist Archive: opensuse-security (320 mails)

Re: [suse-security] New(?) exploit for webservers?
  • From: keith@xxxxxxxxxxxxxxxxxxxxxxxx
  • Date: Sun, 11 May 2003 13:11:49 +0000 (GMT)
  • Message-id: <Pine.LNX.4.44.0305111302490.950-100000@xxxxxxxxxxx>


I noticed these dropped connection attempts recently to port 80 on my
machine with a dynamic dial-in ISP account, from IPTables log output.

May 7 17:37:21 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC=
SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00 PREC=0x00 TTL=113
ID=64376 DF PROTO=TCP SPT=1575 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

May 7 17:37:24 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC=
SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00 PREC=0x00 TTL=113
ID=64611 DF PROTO=TCP SPT=1575 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0

May 7 17:37:25 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC=
SRC=218.8.150.167 DST=62.64.201.242 LEN=78 TOS=0x00 PREC=0x20 TTL=109
ID=15818 PROTO=UDP SPT=1045 DPT=137 LEN=58

May 7 17:37:30 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC=
SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00 PREC=0x00 TTL=113
ID=65125 DF PROTO=TCP SPT=1575 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0


Is each ISP allocated a fixed range of IP addresses for their customers
to use?

Surely each ISP must log who is accessing the net, at what time, and on
which dynamic IP address they own, and pass to their customers?

Is it possible to trace dynamic IP addresses to a particular ISP?

Regards, Keith Roberts


On Fri, 9 May 2003, Sven 'Darkman' Michels wrote:

> evening,
>
> i noticed some weird logentries in my apache access log:
>
> 57.67.127.228 - - [09/May/2003:02:23:32 +0200] "ãB" 200 6618 "-" "-"
> 57.67.127.228 - - [09/May/2003:02:48:19 +0200] "ãB" 200 6618 "-" "-"
> 57.67.127.228 - - [09/May/2003:03:18:09 +0200] "ãB" 200 6618 "-" "-"
> 66.74.204.40 - - [09/May/2003:03:45:11 +0200] "ãA" 200 6617 "-" "-"
> 66.74.204.40 - - [09/May/2003:03:46:15 +0200] "ãA" 200 6617 "-" "-"
> 66.74.204.40 - - [09/May/2003:03:47:17 +0200] "ãA" 200 6617 "-" "-"
> 217.235.22.155 - - [09/May/2003:03:58:38 +0200] "ãL" 200 6619 "-" "-"
> 217.235.22.155 - - [09/May/2003:03:59:23 +0200] "ãL" 200 6619 "-" "-"
> 200.40.225.210 - - [09/May/2003:03:59:34 +0200] "ã=" 200 6619 "-" "-"
> 217.235.22.155 - - [09/May/2003:04:00:08 +0200] "ãL" 200 6619 "-" "-"
> 217.234.189.246 - - [09/May/2003:04:00:59 +0200] "ã=" 200 6620 "-" "-"
> 80.144.22.228 - - [09/May/2003:04:01:28 +0200] "ãN" 200 6618 "-" "-"
> 217.234.189.246 - - [09/May/2003:04:01:48 +0200] "ã=" 200 6620 "-" "-"
> 80.144.22.228 - - [09/May/2003:04:02:12 +0200] "ãN" 200 6618 "-" "-"
> 217.234.189.246 - - [09/May/2003:04:02:41 +0200] "ã=" 200 6620 "-" "-"
> 80.144.22.228 - - [09/May/2003:04:02:57 +0200] "ãN" 200 6618 "-" "-"
>
> since 8th May there have been some of these entries, mostly a few times from
> the same IP, and the requests change a bit. Has anybody seen that before,
> or know anything about it? I quick-checked bugtraq for something like
> that but didn't find anything.
>
> Regards,
> Sven
>
>
> --
> Check the headers for your unsubscription address
> For additional commands, e-mail: suse-security-help@xxxxxxxx
> Security-related bug reports go to security@xxxxxxx, not here
>
>
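An added example, not from either poster: a parser for the IPTables records quoted in Keith's mail that copes with the log prefix being fused to `IN=` (the `--log-prefix` was set without a trailing space), and a counter that folds TCP SYN retransmissions into a single attempt. It assumes the four records were one line each before the mail client wrapped them, and that packets from the same source port within a short window are the client's TCP stack retrying, which is what the same `SPT=1575` at 17:37:21, :24 and :30 suggests.

```python
import re
from collections import defaultdict

# Constructed sample: the records from the post re-joined onto one line each
# (the mail client wrapped them). The --log-prefix "DROPPED IN CONNS ON PPP0"
# runs straight into "IN=ppp0" because it was set without a trailing space.
SAMPLE_LOG = """\
May 7 17:37:21 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC= SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=64376 DF PROTO=TCP SPT=1575 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May 7 17:37:24 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC= SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=64611 DF PROTO=TCP SPT=1575 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
May 7 17:37:25 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC= SRC=218.8.150.167 DST=62.64.201.242 LEN=78 TOS=0x00 PREC=0x20 TTL=109 ID=15818 PROTO=UDP SPT=1045 DPT=137 LEN=58
May 7 17:37:30 topaz kernel: DROPPED IN CONNS ON PPP0IN=ppp0 OUT= MAC= SRC=62.162.87.194 DST=62.64.201.242 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=65125 DF PROTO=TCP SPT=1575 DPT=80 WINDOW=16384 RES=0x00 SYN URGP=0
"""

HEADER_RE = re.compile(r"^\w{3} +\d{1,2} (\d\d):(\d\d):(\d\d) \S+ kernel: (.*)$")


def parse_line(line):
    """Return (secs_of_day, prefix, fields, flags) for one netfilter record,
    or None for any other syslog line. flags are bare tokens (DF, SYN, ...)."""
    m = HEADER_RE.match(line.strip())
    if not m or "IN=" not in m.group(4):
        return None
    rest = m.group(4)
    cut = rest.index("IN=")          # prefix may be fused to IN= (see above)
    fields, flags = {}, []
    for tok in rest[cut:].split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields.setdefault(k, v)  # UDP lines carry LEN= twice; keep the IP one
        else:
            flags.append(tok)
    secs = int(m.group(1)) * 3600 + int(m.group(2)) * 60 + int(m.group(3))
    return secs, rest[:cut].strip(), fields, flags


def count_attempts(log_text, retransmit_window=60):
    """Connection attempts per (SRC, PROTO, DPT). Packets from the same source
    port within retransmit_window seconds count as ONE attempt: an unanswered
    SYN is retransmitted by the client's TCP stack (3s, 6s, ... backoff), so
    three dropped SYNs with the same SPT are usually one probe, not three."""
    seen = defaultdict(list)          # key -> [(spt, first_seen_secs), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        secs, _prefix, f, _flags = rec
        key = (f["SRC"], f["PROTO"], f.get("DPT"))
        if not any(spt == f.get("SPT") and secs - t0 <= retransmit_window
                   for spt, t0 in seen[key]):
            seen[key].append((f.get("SPT"), secs))
    return {k: len(v) for k, v in seen.items()}
```

The per-source counts are what you would hand to a whois lookup or an abuse report; for the sample above the result is one TCP attempt on port 80 and one UDP packet to port 137, not four events.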

