[Dshield] unknown attack vs linux server

Jim McCullough jim.mccullough at gmail.com
Sun Oct 2 18:33:08 GMT 2005


That is the only information I could get initially and I have tried several
times. Apparently the person that was supposed to be handling sys admin for
the machine has become unavailable since about 6pm PDT.

On 10/2/05, jayjwa <jayjwa at atr2.ath.cx> wrote:
>
>
> On Sat, 1 Oct 2005, Jim McCullough wrote:
>
> -> I was posed with an interesting question earlier today and have not been
> -> given access to the equipment. The owner of the company is not the most ....
> -> um .... enlightened, yeah, enlightened on what NOT to do. i.e. Not
> -> broadcasting that the script kiddies and crackers can have their way and
> -> they won't stop him ( paraphrased ). kernel version is 2.6.10. The system
> -> admin is about as helpful as a box of rocks. Attached is a copy of the
> -> screenshot the sysadmin sent to the company owner. Anyone got a hint of an
> -> idea of anything that can cause a tcp stack overflow on 2.6.10? The sys
> -> admin was quoted as saying it was a "Ping of Death attack". No ids logs or
> -> packet captures to back up this information.
>
> I highly doubt any even semi-modern linux distro is vuln. to "Ping of
> Death attack". There was nothing attached in the copy that I got of this
> mail list, so I don't have that to go on either, but if I'm not mistaken
> that kernel sounds old to me and likely there is more than one issue
> that affects it. Other than that, I hate to think what could go on on a
> linux box run by someone of this caliber.
>
> It could be almost anything, I'm guessing someone attempted an exploit of
> something, over the network. What about running daemons? Old versions,
> recently discovered vulnerabilities? It would help to have a port number,
> or anything really, to go on. Maybe someone's aiming for the new X11 issue
> (CAN-2005-2495)?
>
>
> --
> / / __ __ __ __ __ __ __ svatre 4 tct/fzvzr
> / /__ / / / \/ / / /_/ / \ \/ / naq pbagnpg vasb.
> /_____/ /_/ /_/\__/ /_____/ /_/\_\ ::[ATr2 RG 2005]::



--
Jim McCullough

