Security Incidents mailing list archives
Re: [RHSA-2000:039-02] remote root exploit (SITE EXEC) fixed (fwd)
From: Valdis.Kletnieks () VT EDU (Valdis Kletnieks)
Date: Thu, 6 Jul 2000 19:49:53 -0400
On Thu, 06 Jul 2000 10:27:13 PDT, Elias Levy <aleph1 () SECURITYFOCUS COM> said:
> Jun 30 20:01:23 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6
> XX.xxx.XXX.xx:2517 YY.yyy.YY.yy:21 L=60 S=0x00 I=9704 F=0x4000 T=52 SYN
> Jun 30 20:03:23 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6
> XX.xxx.XXX.xx:2517 YY.yyy.YY.yy:21 L=60 S=0x00 I=9977 F=0x4000 T=52 SYN
> ...
> Note the spacing of the timestamp and the number of attempts. I have seen this across several non-related IP addresses .... And also have logs showing
Depending on the IP stack at the other end, and exactly what you send back
on the DENY, that *could* all be *one* attempted connection - the other
end sends you a TCP SYN, if you're silent the other end's TCP retransmit
timer will re-send the SYN after some amount of time...
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
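
The point in the reply above, worked as an added example that is not part of the original mail: denied SYNs that share one source address and port are counted as retransmissions of a single connection attempt, and only a new source port is counted as a new attempt. The sample log is constructed (documentation addresses, invented timings), and grouping by 4-tuple is a heuristic assumed here, since a client can reuse a port.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the ipchains "Packet log" format quoted above
# (documentation addresses; entries wrapped over two lines as in the mail).
SAMPLE = """\
Jun 30 20:01:23 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6
192.0.2.10:2517 198.51.100.5:21 L=60 S=0x00 I=9704 F=0x4000 T=52 SYN
Jun 30 20:01:26 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6
192.0.2.10:2517 198.51.100.5:21 L=60 S=0x00 I=9705 F=0x4000 T=52 SYN
Jun 30 20:01:32 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6
192.0.2.10:2517 198.51.100.5:21 L=60 S=0x00 I=9709 F=0x4000 T=52 SYN
Jun 30 20:05:10 dhcp009 kernel: Packet log: input DENY eth0 PROTO=6
192.0.2.10:2533 198.51.100.5:21 L=60 S=0x00 I=9960 F=0x4000 T=52 SYN
"""

# \s+ also matches the line break inside a wrapped entry.
ENTRY = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+Packet log:\s+"
    r"\w+\s+DENY\s+\S+\s+PROTO=6\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"L=\d+\s+S=\S+\s+I=\d+\s+F=\S+\s+T=\d+\s+SYN"
)

def connection_attempts(log_text, year=2000):
    """Group denied TCP SYNs by 4-tuple and return one record per attempt.

    syslog timestamps carry no year, so the caller supplies one.
    """
    groups = defaultdict(list)
    for m in ENTRY.finditer(log_text):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        groups[key].append(ts)
    attempts = []
    for key, stamps in groups.items():
        stamps.sort()
        # Seconds between consecutive SYNs; a growing gap suggests the
        # sender's retransmit timer backing off, not a fresh connect().
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        attempts.append({"tuple": key, "syns": len(stamps), "gaps": gaps})
    return attempts

if __name__ == "__main__":
    for attempt in connection_attempts(SAMPLE):
        print(attempt)
```

Four log entries collapse to two attempts here; counting raw DENY lines would overstate how often the host was probed.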
