Is this being broken into? If so, what do I look for?
This is one line. There were quite a few.
May 6 03:22:36 gateway SERVER[5344]: Dispatch_input: bad request line
'BBàóÿ¿áóÿ¿âóÿ¿ãóÿ¿XX%.160u%300$n%.17u%301$nsecurity%302$n%.192u%
303$n\220\220\220\220\220\220\220\220\220\220\2
John Summerfield ([EMAIL PROTECTED]) said:
> Is this being broken into? If so, what do I look for?
> This is one line. There were quite a few.
> May 6 03:22:36 gateway SERVER[5344]: Dispatch_input: bad request line
This is someone trying to break into LPRng, as I recall - I believe
if you get
> John Summerfield ([EMAIL PROTECTED]) said:
> > Is this being broken into? If so, what do I look for?
> > This is one line. There were quite a few.
> > May 6 03:22:36 gateway SERVER[5344]: Dispatch_input: bad request line
>
> This is someone trying to break into LPRng, as I recall - I believe
Just an FYI. You will find that your site(s) is(are) being attacked
constantly. This is not due to any misconfiguration on your part but just a
fact of life when you connect a PC to the internet. One of the best things
you can do is run security checks on your systems. Take a look at nessus.
Y
> Just an FYI. You will find that your site(s) is(are) being attacked
> constantly. This is not due to any misconfiguration on your part but just a
Thanks for your reply. The immediate concern is whether there is any residual damage
now. Longer term we're considering another box (I have it her
What program/process corresponds to the "SERVERS[5344]" log?
To protect portmap (and other daemon), I would make sure that your firewall
blocks any unwanted traffic for services that you don't want available to the
'net.
As extra protection - firewalls can become misconfigured; I found this out
--- Lars Nordin <[EMAIL PROTECTED]> wrote:
> Of course the best protection is to turn off and maybe
> uninstall servers
> (services) that you won't be using.
And for an extra, extra layer of protection, if you
have the resources available, you should make each
device on your network and "appli
John,
On Thu, 16 May 2002, John Summerfield wrote:
>
> Is this being broken into? If so, what do I look for?
You got already quite good answers, but just in case
you would like to check more the system you can find good
information from SANS site and Dave Dittrich's forensic
page
http://rr.sans
> What program/process corresponds to the "SERVERS[5344]" log?
That I don't know.
This is not my system; I was called in after the event (well after) to discover
and repair.
Securing the system will likely be done with another system between this and the
world, and the additional system wi
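
One way to triage log entries like the one quoted at the top of this thread, added here as an example and not code from any poster: a Python scan that flags syslog messages carrying printf-style write directives, wide padding directives, or runs of escaped 0x90 bytes. The sample lines are constructed (the first is an abridged copy of the thread's entry), and the indicator patterns are assumptions about what is worth matching, not an LPRng-specific signature.

```python
import re

# Constructed sample input: line 1 is an abridged copy of the entry quoted in
# the thread (joined onto one line); lines 2 and 3 are invented benign entries.
SAMPLE_LOG = [
    r"May 6 03:22:36 gateway SERVER[5344]: Dispatch_input: bad request line "
    r"'BBXX%.160u%300$n%.17u%301$nsecurity%302$n%.192u%303$n\220\220\220\220\220\220'",
    "May 6 03:25:01 gateway SERVER[5350]: Dispatch_input: bad request line 'hello'",
    "May 6 03:30:12 gateway sshd[612]: Accepted password for john from 192.0.2.10",
]

# Classic syslog header: "Mon D HH:MM:SS host program[pid]: message"
SYSLOG = re.compile(r"^(\w{3}\s+\d+\s[\d:]+)\s(\S+)\s([^\[:\s]+)\[(\d+)\]:\s(.*)$")

# Assumed indicators of a format-string probe recorded in a log message.
INDICATORS = {
    # %n or %300$n: printf directives that write to memory
    "printf write directive": re.compile(r"%(?:\d+\$)?[hl]*n"),
    # %.160u and similar: padding used to control the value written by %n
    "wide padding directive": re.compile(r"%\.?\d{2,}[udxc]"),
    # syslog prints unprintable bytes as octal escapes; \220 is byte 0x90
    "run of escaped 0x90 bytes": re.compile(r"(?:\\220){4,}"),
}


def indicators(message):
    """Return the names of all indicators found in one log message."""
    return [name for name, rx in INDICATORS.items() if rx.search(message)]


def scan(lines):
    """Return one finding per syslog line that matches any indicator."""
    findings = []
    for line in lines:
        m = SYSLOG.match(line)
        if not m:
            continue  # not a classic syslog line; skipped rather than guessed at
        when, host, program, pid, message = m.groups()
        hits = indicators(message)
        if hits:
            findings.append({"time": when, "host": host, "program": program,
                             "pid": int(pid), "indicators": hits})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit shows that a probe was received and logged, not that it succeeded; the process that logged it and the host still need to be checked separately.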