-----BEGIN PGP SIGNED MESSAGE-----
Hello.
I helped a good friend do some basic security on this small business
webserver a while back.
Tonight I received a message from him stating that it something was
up and he didn't quite understand it.
His eth0 device was put into promisc, as I told him, an obvious sign
the box was owned somehow.
The only things I was able to dig out of the logs was:
httpd log:
195.188.192.12 - - [03/Jan/2000:00:05:46 -0800] "HEAD / HTTP/1.1" 200
0
(resolves to zanussi.netcraft.com)
then syslog:
Jan 4 15:58:54 [boxname] kernel: eth0: Setting promiscuous mode.
Jan 4 15:58:54 [boxname] kernel: device eth0 entered promiscuous
mode
Jan 4 15:58:55 [boxname] kernel: eth0: Setting promiscuous mode.
Jan 4 15:58:55 [boxname] kernel: device eth0 left promiscuous mode
(All clock times approx. 20 min off from Pacific time)
A quick run over to my favorite 0day site gave me only a local
exploit for his OS (Mandrake 6)
All daemons that were running were the latest version, and those were
minimal, taking my security advice. I cant get an exact list or any
further data right now, it appears he 'eth0 down'ed the box.
My questions for the list:
1. is netcraft.com being used it some mass scan for a httpd related
or other remote overflow?
2. Is Mandrake 6 obviously vulnerable to something I'm not aware of?
Thanks,
Mike
Security and stuff. Hire me.
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.2
iQCVAwUBOHL/IXdViB0XYAcrAQHczwP/WFqcmtLDccPI3R8LDVXsQk3IDYyFQLe9
Yfr0Yz5y5ks3493tabI2eAoUdLVRN1pqoH9wrrrs8zdRuOp3Xk3rdL2CD+dV5E+g
etheVtFnUsKSfuirUwMMpbDVrzDxsW2lrpNSUJ83Ft90hONaG89bIo00ofeHvq1m
u+pZdbX8RJw=
=N2kW
-----END PGP SIGNATURE-----
Received on Jan 05 2000
Intro
