[NTLUG:Discuss] How does this happen?
MadHat
madhat at unspecific.com
Thu Sep 30 09:18:12 CDT 1999
Kelly Scroggins wrote:
>
> I found this in my /var/log/secure file today. I've never seen this
> type of entry before.
>
> Anyone know how an attacker can make this happen?
>
> Sep 29 04:34:41 c55493-a in.telnetd[6471]: refused connect from unknown
> Sep 29 04:34:41 c55493-a in.telnetd[6472]: warning: can't get client address: Connection reset by peer
> Sep 29 04:34:41 c55493-a in.telnetd[6472]: refused connect from unknown
> Sep 29 04:34:41 c55493-a in.telnetd[6473]: warning: can't get client address: Connection reset by peer
Looks like a recent exploit on Linux...
"Linux Kernel 2.2.x ISN Vulnerability
...
A weakness within the TCP stack in Linux 2.2.x kernels has been
discovered. The vulnerability makes it possible to "blind-spoof" TCP
connections.
It's therefore possible for an attacker to initiate a TCP connection
from an arbitrary non existing or unresponding IP source address,
exploiting IP address based access control mechanisms.
Linux 2.0.x kernels were tested against this attack and found not to
be vulnerable in any case.
..."
It is fixed in 2.2.13pre13 and there is a patch ..
--
MadHat
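
Added example, not part of the original thread: a small Python parser for the in.telnetd entries quoted above, which rejoins mail-wrapped lines and counts, per second and daemon, the connections whose peer address could not be read. The function names, the threshold and the reading of each PID as one connection are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample: the four entries from the post, with e-mail quoting and hard line wraps.
SAMPLE = """\
> Sep 29 04:34:41 c55493-a in.telnetd[6471]: refused connect from unknown
> Sep 29 04:34:41 c55493-a in.telnetd[6472]: warning: can't get client
> address: Connection reset by
> peer
> Sep 29 04:34:41 c55493-a in.telnetd[6472]: refused connect from unknown
> Sep 29 04:34:41 c55493-a in.telnetd[6473]: warning: can't get client
> address: Connection reset by
> peer
"""

ENTRY = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(\S+)\s+([\w./-]+)\[(\d+)\]:\s+(.*)$")
NO_ADDR = re.compile(r"can't get client address: (.+)$")
REFUSED = re.compile(r"refused connect from unknown$")

def entries(text):
    """Yield (timestamp, host, daemon, pid, message), rejoining wrapped lines."""
    current = None
    for raw in text.splitlines():
        line = re.sub(r"^(>\s?)+", "", raw).strip()  # drop quote markers
        m = ENTRY.match(line)
        if m:
            if current:
                yield tuple(current)
            current = list(m.groups())
        elif current and line:
            current[4] += " " + line  # continuation of a wrapped entry
    if current:
        yield tuple(current)

def bursts(text, threshold=2):
    """Return (second, host, daemon) groups with >= threshold address-less connections."""
    groups = defaultdict(lambda: {"pids": set(), "no_addr": set(), "refused": set(), "errors": set()})
    for ts, host, daemon, pid, msg in entries(text):
        g = groups[(ts, host, daemon)]
        g["pids"].add(pid)  # assumption: inetd starts one process per connection
        m = NO_ADDR.search(msg)
        if m:
            g["no_addr"].add(pid)
            g["errors"].add(m.group(1))
        if REFUSED.search(msg):
            g["refused"].add(pid)
    return [dict(when=k[0], host=k[1], daemon=k[2], connections=len(g["pids"]),
                 no_peer_address=len(g["no_addr"]), refused_unknown=len(g["refused"]),
                 errors=sorted(g["errors"]))
            for k, g in groups.items() if len(g["no_addr"]) >= threshold]
```

Running `bursts()` over a whole /var/log/secure shows whether the entries are a one-off or recur across seconds and services.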