I've seen connections from the very same host. Can't remember if it was
rlogin or telnet, though.
-John (jmcphail@mail.kcstar.com)
On Fri, 12 Apr 1996, Brian Feeny wrote:
> The other day we had something very strange happen:
>
> We are a small ISP, with 32 dialup customers and about 40 inside machines
> on an ethernet. Our pipe to the internet has a Cisco 2501 on it.
>
> The Cisco is configured to block EVERYTHING coming into our machine
> except pcnfs,www,nntp,pop3,smtp,dns,ftp. ALL of the R-Commands are disabled
> as well. Yet, in the logs there was something to the effect of:
>
> 2 LOGIN FAILURES from big10.metrobbs.com
>
> How is this possible? How could they have accessed login? This error
> message was NOT an ftp error message. Also we did NOT have source
> routing disabled on the 2501 at the time, however, if they were pulling
> that crap I don't think it would have shown them coming from metrobbs.com.
>
> NOTE: I am NOT talking about "netjam.net". The domain I am talking about
> is "softdisk.com". Our router is link.softdisk.com, and our server that
> had the login failures was server1.softdisk.com.
>
> Any ideas? Someone mentioned before something about this possibly being
> an ip fragment attack or something.
>
>
> -------------------------------------------------------------------------
> Brian Feeny http://www.netjam.net signal@netjam.net
> NetJAM Communications Network Consulting (318) 798-9324
> UNIX -- Internetworking -- Security -- Programming -- Troubleshooting
> PGP Key: finger signal@netjam.net
>
>