Security Incidents mailing list archives
Re: Large scans in progress...
From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Wed, 13 Sep 2000 15:41:35 -0700
On Tue, 12 Sep 2000, UnixGeek wrote:
> Attack is underway with synscan (which Snort missed specifically, though it did flag the scan). Means of entry is unknown, but it looks similar to the ingreslock exploit. System is RH 6.2. Output below is from my trip to the system (which raises the legitimate question -- if I'm investigating the perpetration of a crime [or attempted crime] against myself or my property, am I as culpable as the person who broke into the system and used it for a malicious purpose?
Quite possibly. If there is a prosecutor running around somewhere that has it in for you in your home jurisdiction, this could be enough for them to make your life suck. It's still unauthorized entry even if it was dead simple and you weren't the first. The inter-country thing could work to your advantage because they can't touch you here, or it could be a disadvantage because a local prosecutor could decide that you're in trouble even if the real admin later decides he didn't mind. I believe you could get nailed for unauthorized entry because you didn't seem to have authorization at the time.
> [the thought of killing off all the synscans, killing inetd and bailing crossed my mind, to stop the abuse, but then that might affect evidentiary proceedings, no?].
Too late. You've already done some minor messing up of the place... a couple of access-times have been modified, though that looks non-critical here (looks like the files were probably being written to constantly?) Or maybe you're the original culprit, just trying to cover your ass in a public forum, because it looked like someone was on to you? We can't tell the difference.
> -----------wheee------------
> telnet 62.0.56.66 1
> Trying 62.0.56.66...
> Connected to 62.0.56.66.
> Escape character is '^]'.
> bash# ls
There's a bash shell running open on port 1? (Or maybe was.. machine isn't pingable right this sec.)

Ryan