I logged on to one of our Sun machines (at Mizzou) a little while ago and
when I ran 'ps' saw a strange result:

    # ps
    /usr/bin/mc68020: syntax error at line 1: `@\212\EMAIL:PROTECTED@EMAIL:PROTECTED@^A^X^A^X^C^D^AX^Y^A^E^Az\z^P^A^Gz' unexpected

That concerned me a lot so I looked at the inode date on /usr/bin/ps and
found that it had been created this morning:

    # ls -lAFc /usr/bin/ps
    total 18
    -r-xr-xr-x 35 root other 5256 Feb 13 06:21 /usr/bin/ps*

Then I looked at /usr/local/bin/iplog.log and found that the attack came
from Sweden and used some unfamiliar (to me) protocols:

    Feb 13 06:19:47 TCP: dtspc connection attempt from as1-5-8.han.s.bonet.se:3086
    Feb 13 06:19:47 TCP: dtspc connection attempt from as1-5-8.han.s.bonet.se:3097
    Feb 13 06:19:59 TCP: rje connection attempt from as1-5-8.han.s.bonet.se:3199
    Feb 13 06:21:35 TCP: rje connection attempt from as1-5-8.han.s.bonet.se:3927

So looks to me like we were rooted by some Swede, or by a computer in
Sweden anyway.

If any of you know about this attack and how to deal with it, especially
how to *prevent* it, please let me know.

Mike
Michael B. Miller, Ph.D.
Division of Epidemiology
University of Minnesota
1300 S. Second Street, Suite 300
Minneapolis, MN 55454-1015
Phone: (612) 625-7836
web: http://taxa.epi.umn.edu/~mbmiller/
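
Added example, not part of the original message: a small Python triage script that lines up the iplog entries quoted above with the inode change time that `ls -c` reported for /usr/bin/ps. The log format is inferred from the four quoted lines, and the year (2000), the function names and the 10-minute window are assumptions, since the post gives none of them.

```python
import re
from datetime import datetime, timedelta

# The four log lines quoted in the post; the format is inferred from them.
IPLOG = """\
Feb 13 06:19:47 TCP: dtspc connection attempt from as1-5-8.han.s.bonet.se:3086
Feb 13 06:19:47 TCP: dtspc connection attempt from as1-5-8.han.s.bonet.se:3097
Feb 13 06:19:59 TCP: rje connection attempt from as1-5-8.han.s.bonet.se:3199
Feb 13 06:21:35 TCP: rje connection attempt from as1-5-8.han.s.bonet.se:3927
"""
ASSUMED_YEAR = 2000  # assumption: the log lines carry no year

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<proto>\w+): (?P<svc>\S+) "
    r"connection attempt from (?P<host>\S+):(?P<port>\d+)$")

def parse_iplog(text, year):
    """Yield (timestamp, service, host, port) for each connection-attempt line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not connection attempts
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["svc"], m["host"], int(m["port"])

def attempts_before_change(text, ctime, year, window_minutes=10):
    """Return attempts logged in the window ending at the file's inode change time."""
    # ls -c prints minute resolution, so include the whole minute of the change.
    end = ctime.replace(second=59)
    start = ctime - timedelta(minutes=window_minutes)
    return [e for e in parse_iplog(text, year) if start <= e[0] <= end]

def summarize(events):
    """Group matched attempts by (host, service) with count and first/last time."""
    out = {}
    for ts, svc, host, _port in events:
        rec = out.setdefault((host, svc), {"count": 0, "first": ts, "last": ts})
        rec["count"] += 1
        rec["first"] = min(rec["first"], ts)
        rec["last"] = max(rec["last"], ts)
    return out

if __name__ == "__main__":
    ps_ctime = datetime(ASSUMED_YEAR, 2, 13, 6, 21)  # "Feb 13 06:21" from ls -lAFc
    hits = attempts_before_change(IPLOG, ps_ctime, ASSUMED_YEAR)
    for (host, svc), rec in sorted(summarize(hits).items()):
        print(f"{host} {svc}: {rec['count']} attempts, "
              f"{rec['first']:%H:%M:%S} to {rec['last']:%H:%M:%S}")
```

The inode change time only records the most recent change to the file, so a match in the window is a lead for further investigation rather than proof of which connection altered the binary.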