[NTLUG:Discuss] Weird Messages
Kipton Moravec
kmoravec at airmail.net
Wed Jan 3 10:34:24 CST 2001
> There is a known kprintf() format bug that causes the klogd daemon to crash
> (particularly with firewall). Pick up another update for "syslog"
Where do I find an update for syslog? This is a Mandrake 7 Linux system.
>
> >
> > 4. Are these IP addresses of interest to someone? Should I
> > report them to
> > someone?
>
> Nope. Since you've blocked them all, no intrusion occurred. Nothing to
> report.
That is interesting. You should not report attempts, only successes. That
seems like not reporting attempted murder, but reporting only if they are
successful at committing a murder. Come to think of it, you can be convicted
for trying to hire someone to commit the murder for you, even if nothing
happens.
>
> >
> > 5. Now what should I do next?
> >
>
> Start with http://bastille-linux.sourceforge.net/ for starter. It is the
> best start for beginner to tighten up the firewall in the quickest manner.
>
I just got a book on firewalls and I am going to try to learn it better. I
had Jay Ulrich (NTLUG member) set mine up, mostly because I have been too
busy to learn it myself. However it appears there are a couple of minor
problems. Fortunately
>
> As how I track down these information (quickly), I used "nslookup" to type
> in the IP address. If that failed, I used
> http://www.arin.net/whois/index.html to find out who owns the block. If it
> was a successful intrusion, then I send off an abuse@<insert-isp-name>.com
> then add the offending IP address to my /etc/hosts.deny (not to mention
> rebuilding and clamping down security a bit more).
>
Is there a database of "known" hacking sites, that should be in a hosts.deny
file, or is it too big to be practical?
>
> Three ping attempts (PROTO=1) from r1-fe2-0.plano1.tx.home.net(65.10.47.1)
> failed (Tsk, tsk, tsk; I think this is Bart)
>
> Two FTP attempts (PROTO=6, TCP, :21) from 213-193-182-107.adsl.easynet.be
> failed. (Stephan of Alcatel, you've been flagged!)
>
> One FTP attempt from
> adsl-207-105-159-130.dsl.lsan03.pacbell.net(207.105.159.130) failed.
> (Chris, your machine has been hacked!)
>
> I have a mini-database of these attempts on my machine as well. Sometime
> with ISP's assistance, I can send an email directly to them.
Did I understand that the same IP addresses have tried your machine also?
Are you being funny, or did you really know these are "Bart", "Stephen of
Alcatel" and "Chris"?
Kip
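
The triage the quoted reply describes (tally blocked attempts per source and protocol, then list repeat sources for /etc/hosts.deny), as an added example that is not part of the original message. It assumes the firewall log uses the 2.2-kernel ipchains "Packet log" line layout; the sample lines, the documentation-range addresses and the `min_hits` threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the assumed ipchains "Packet log" layout.
# Addresses are RFC 5737 documentation ranges, not the hosts named in the thread.
SAMPLE_LOG = """\
Jan  3 09:01:11 gw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.1:8 10.0.0.2:0 L=84 S=0x00 I=4101 F=0x0000 T=243 (#7)
Jan  3 09:01:12 gw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.1:8 10.0.0.2:0 L=84 S=0x00 I=4102 F=0x0000 T=243 (#7)
Jan  3 09:01:13 gw kernel: Packet log: input DENY eth0 PROTO=1 192.0.2.1:8 10.0.0.2:0 L=84 S=0x00 I=4103 F=0x0000 T=243 (#7)
Jan  3 09:14:40 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.107:3310 10.0.0.2:21 L=60 S=0x00 I=911 F=0x4000 T=48 SYN (#9)
Jan  3 09:14:43 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.107:3310 10.0.0.2:21 L=60 S=0x00 I=912 F=0x4000 T=48 SYN (#9)
Jan  3 09:20:02 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.107:3355 10.0.0.2:80 L=60 S=0x00 I=930 F=0x4000 T=48 SYN (#3)
Jan  3 09:52:19 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.130:1042 10.0.0.2:21 L=48 S=0x00 I=77 F=0x4000 T=112 SYN (#9)
"""

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def summarize(log_text):
    """Return {source_ip: Counter({'tcp/21': n, 'icmp/type8': n})} for blocked packets."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] not in ("DENY", "REJECT"):
            continue  # skip unrelated lines and logged-but-accepted packets
        proto = int(m["proto"])
        name = PROTO_NAMES.get(proto, f"proto{proto}")
        # For ICMP the log carries type and code where the ports would be.
        what = f"icmp/type{m['sport']}" if proto == 1 else f"{name}/{m['dport']}"
        hits[m["src"]][what] += 1
    return hits

def hosts_deny_lines(hits, min_hits=2):
    """hosts.deny entries for sources blocked at least min_hits times."""
    # hosts.deny only affects services run through TCP wrappers; the packet
    # filter rules remain the actual block.
    return [f"ALL: {ip}" for ip, c in sorted(hits.items()) if sum(c.values()) >= min_hits]

if __name__ == "__main__":
    found = summarize(SAMPLE_LOG)
    for ip, counts in sorted(found.items()):
        print(ip, dict(counts))
    print("\n".join(hosts_deny_lines(found)))
```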