[Dshield] unknown attack vs linux server

jayjwa jayjwa at atr2.ath.cx
Sun Oct 2 12:42:32 GMT 2005


On Sat, 1 Oct 2005, Jim McCullough wrote:

-> I was posed with an interesting question earlier today and have not been
-> given access to the equipment. The owner of the company is not the most ....
-> um .... enlightened, yeah, enlightened on what NOT to do. ie. Not
-> broadcasting that the script kiddies and crackers can have their way and
-> they wont stop him ( paraphrased ). kernel version is 2.6.10. The system
-> admin is about as helpful as a box of rocks. Attached is a copy of the
-> screenshot the sysadmin sent to the company owner. Anyone got a hint of an
-> idea of anything that can cause a tcp stack overflow on 2.6.10? The sys
-> admin was quoted as saying it was a "Ping of Death attack". No ids logs or
-> packet captures to backup this information.

I highly doubt any even semi-modern linux distro is vuln. to "Ping of 
Death attack". There was nothing attached in the copy that I got of this 
mail list, so I don't have that to go on either, but if I'm not mistaken 
that kernel sounds old to me and likely there are more than one issues 
that effects it. Other than that, I hate to think what could go on on a 
linux box run by someone of this caliber.

It could be almost anything, I'm guessing someone attempted an exploit of 
something, over the network. What about running daemons? Old versions, 
recently discovered vulnerabilities? It would help to have a port number, 
or anything really, to go on. Maybe someone's aiming for the new X11 issue 
(CAN-2005-2495)?


-- 
    / /     __  __  __  __  __ __  __ svatre 4 tct/fzvzr
   / /__   / / /  \/ / / /_/ / \ \/ / naq pbagnpg vasb.
  /_____/ /_/ /_/\__/ /_____/  /_/\_\ ::[ATr2 RG 2005]::


More information about the list mailing list