RE: [cobalt-security] After checking logs found this...
- Subject: RE: [cobalt-security] After checking logs found this...
- From: "Mark Carey" <mark.carey@xxxxxxx>
- Date: Thu, 6 Sep 2001 13:26:12 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Chae,
this is the kernel telling you that someone sent a malformed packet to
your host. Piece by piece it means: PROTO=6 means that it is a TCP packet
(numbers 6 or 0 == TCP). The L=20 means that the IP header is 20 bytes
long. The S=0x00 means (I think) TCP sequence number 0. I'm not sure what
I means, but F=0x6000 means that the TCP flags are (in binary)
0110000000000000. That translates to TCP SYN and RST being set.
The good news is that the Cobalt/Linux kernel does not appear to be
vulnerable to this attack. I hope this helps.
-Mark Carey
Network Security Engineer,
Sun Microsystems.
-----Original Message-----
From: cobalt-security-admin@xxxxxxxxxxxxxxx
[mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Render-Vue
Sent: Thursday, September 06, 2001 6:03 AM
To: cobalt-security@xxxxxxxxxxxxxxx
Subject: [cobalt-security] After checking logs found this...
Hi Yah,
This evening after checking my logs I found several attempts to break in via
FTP hacks - but what was unusual and has me a bit concerned is the following
found also in the log:- xxx denoting one of our IPs
Sep 5 20:36:54 ns kernel: Suspect short first fragment.
Sep 5 20:36:54 ns kernel: eth0 PROTO=6 212.113.188.46:0 xxx.xxx.xxx.xxx:0 L=20 S=0x00 I=26716 F=0x6000 T=116 (#0)
The other IP was from one of those IPs trying to get in via FTP.
Can someone shed a light on this for me please :>
Regards
Chae
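
Added example, not part of the original thread: a decoder for the packet line in the quoted log, assuming it was written by the Linux 2.2 ipchains packet logger, whose documented fields are L = total IP length, S = type of service, I = IP ID, F = flags plus fragment offset and T = TTL. The names `decode`, `LINE_RE` and `SAMPLE` are illustrative, and a 20-byte IP header without options is assumed because the log carries no header-length field.

```python
import re

# The packet line from the quoted log, unwrapped (destination masked as in the post).
SAMPLE = ("Sep 5 20:36:54 ns kernel: eth0 PROTO=6 212.113.188.46:0 "
          "xxx.xxx.xxx.xxx:0 L=20 S=0x00 I=26716 F=0x6000 T=116 (#0)")

# Field layout assumed from the ipchains (Linux 2.2) packet log format.
LINE_RE = re.compile(
    r"(?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
MIN_L4_HEADER = {6: 20, 17: 8}  # smallest valid TCP / UDP header, in bytes
MIN_IP_HEADER = 20              # assumption: no IP options (IHL is not logged)


def decode(line):
    """Return the decoded IP header fields of one log line, or None."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    proto = int(m["proto"])
    length = int(m["length"])
    frag = int(m["frag"], 16)          # 16-bit flags + fragment offset word
    rec = {
        "iface": m["iface"],
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "total_length": length,
        "tos": int(m["tos"], 16),
        "ip_id": int(m["ip_id"]),
        "ttl": int(m["ttl"]),
        "df": bool(frag & 0x4000),     # Don't Fragment bit
        "mf": bool(frag & 0x2000),     # More Fragments bit
        "frag_offset_bytes": (frag & 0x1FFF) * 8,
    }
    rec["payload_bytes"] = length - MIN_IP_HEADER
    # A first fragment (offset 0) too small to hold the transport header
    # leaves no ports or flags for a packet filter to inspect.
    rec["short_first_fragment"] = (
        rec["frag_offset_bytes"] == 0
        and rec["payload_bytes"] < MIN_L4_HEADER.get(proto, 0)
    )
    rec["df_and_mf"] = rec["df"] and rec["mf"]  # contradictory flag pair
    return rec
```

Under that assumption, `decode(SAMPLE)` reports a TCP packet of 20 bytes total with both DF and MF set at offset 0, which leaves no room for a TCP header and matches the kernel's "Suspect short first fragment" message and the zero ports.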