
Re: Scary syslog entries, random breakage



On Fri, Mar 09, 2001 at 11:02:21PM -0500, Daniel Burrows wrote:

(...)

> 
>   Unfortunately, the system bought the farm while I was compiling rep for the
> nth time.  So I booted into Linux, let fsck run, checked my mail, and
> restarted the Hurd.  The first thing I noticed was that it failed to boot;
> it looked almost as though it was trying to fsck and failing.  The next thing
> I noticed was that after I booted all the way, I was unable to use the
> network (I got various messages, ranging from "something wicked happened" (apt)
> to "translator died" (ping, I believe))  This seemed a little odd, since the
> networking was working when I shut the system down, so I looked in the
> syslog for clues about why pfinet was unhappy, and..
> 
> Mar  9 19:47:57 torrent in.ftpd[3255]: connect from 62.155.182.148 with IP options (ignored): 01 00 00 00 34 14 02 01 70 82 04 08 01 00 00 00 00 00 00 00 1c 09 02 00 33 0c 18 06 cb 69 01 00 88 14 02 01 c8 07 02 00 37 84 04 08 11 84 04 08 4814 02 01 fa b8 02 01 44 19 02 01 24 79 02 01 28 0c 02 00 8c 14 02 01 f3 dd 00 0 1c 09 02 00 07 00 00 00 00 00 00 00 00 00 00 00 94 14 02 01 c4 19 02 01 65 c5 02 01 1e dd 00 00 c0 18 02 01 c0 14 02 01 60 1c 02 01 60 1c 02 01 07 00 00 00 01 00 00 00 04 9b 04 08 09 00 00 00 37 84 04 08 24 79 02 01 fc 1b 02 01 80 df 00 00 c0 18 02 01 a4 10 02 01 e0 b1 02 01 c8 07
>   Mar  9 19:47:57 torrent in.ftpd[3255]: connect from 62.155.182.148
>   Mar  9 19:47:57 torrent ftpd[3255]: fcntl F_SETOWN: Operation not supported
> 
>   I'm not an expert in security, but that looks like someone was trying to
> do something bad.


FWIW I see that on my logs also, and not only from ftp, but also
telnet, and not from the vois but from my other LAN box.

I'm pretty sure nobody broke into my other box and then connected to the
hurd, so this must be something peculiar to the hurd netkit.

Anyway, the strange thing here is the remote IP... anyway it could be
simply an ftp login, not some screwed up packet destined to cause some
sort of overflow.

I have the syslog logs available if anybody wants to see them.

Best Regards,

fsm

-- 
Frederico S. Muñoz		GNU	http://www.gnu.org
fsmunoz@sdf.lonestar.org	Debian	http://www.debian.org

http://sdf.lonestar.org - SDF Public Access Unix Systems
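
Added example, not part of the original message: a Python triage of "with IP options (ignored)" syslog entries in the format quoted above. An IPv4 header can carry at most 40 bytes of options, so a longer dump cannot be packet data; the function names, result labels and sample lines are constructed for illustration.

```python
import re

# Format of the "IP options" entry quoted in the message above.
LINE_RE = re.compile(r"connect from (?P<src>\S+) with IP options \(ignored\):(?P<hex>[0-9a-f ]+)")
MAX_IPV4_OPTIONS = 40  # IPv4 header is at most 60 bytes, 20 of them fixed
SOURCE_ROUTE = {0x83: "LSRR", 0x89: "SSRR"}  # loose / strict source routing

def walk_options(data):
    """Walk IPv4 option TLVs; return (option types seen, well_formed)."""
    kinds, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(data):             # type byte with no length byte
            return kinds, False
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            return kinds, False            # length runs past the buffer
        kinds.append(kind)
        i += length
    return kinds, True

def triage(line):
    """Classify one syslog line; None if it is not an IP-options entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        data = bytes.fromhex(m.group("hex"))
    except ValueError:                     # damaged or truncated hex dump
        return m.group("src"), "unparseable"
    if len(data) > MAX_IPV4_OPTIONS:       # cannot have come off the wire
        return m.group("src"), "too-long-for-ipv4"
    kinds, ok = walk_options(data)
    if not ok:
        return m.group("src"), "malformed"
    routes = [SOURCE_ROUTE[k] for k in kinds if k in SOURCE_ROUTE]
    return m.group("src"), ("source-route:" + ",".join(routes)) if routes else "no-source-route"

# Constructed sample lines (documentation addresses, made-up host name).
SAMPLES = [
    "Mar  9 19:47:57 host in.ftpd[1]: connect from 192.0.2.10 with IP options (ignored): " + "01 00 00 00 " * 12,
    "Mar  9 19:48:02 host in.telnetd[2]: connect from 192.0.2.11 with IP options (ignored): 83 07 04 c0 00 02 01 00",
    "Mar  9 19:48:09 host in.ftpd[4]: connect from 192.0.2.13",
]
RESULTS = [triage(s) for s in SAMPLES]
```

A "too-long-for-ipv4" result points at the logging side (for example a bad length returned when the options were read back) rather than at the remote host.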
