[Ircd] info about ltns and scheduled downtime
kwadronaut
kwadronaut at autistici.org
Wed Dec 19 15:07:23 PST 2007
23:05 <@Alster> hi nenolod
23:05 <@Alster> what's ltns?
23:06 <@Alster> btw, can you tell me about the meaning of syslog entries like this?
23:07 <@Alster> kernel: Forged DCC command from aaa.aaa.aaa.aaa: bbb.bbb.bbb.bbb:cccccc
23:07 <@Alster> where the a's and b's are (different) ip addresses and the c's form a port number
23:08 <@Alster> i hope this is not http://phrack.org/issues.html?issue=63&id=19&mode=txt
23:09 <@Alster> OSSEC intrusion detection suite claims it is caused by an IRCD misconfiguration: http://www.ossec.net/rules/?f=syslog_rules.xml (rule 5110)
23:10 <@Alster> on the other hand, someone reported this as a bug in netfilter's conntrack http://lists.netfilter.org/pipermail/netfilter-buglog/2006-February/000513.html
23:11 <@Alster> so i'm not sure which one applies to us, but would like to reassure it's not the nasty one from phrack
23:11 <@Alster> these syslog entries are found on the main server hosting the guerin ircd
23:13 <@nenolod> forged DCC command is a hostile user on an ircd
23:13 <@nenolod> not a misconfiguration itself
23:38 <@Alster> but both aaa.aaa.aaa.aaa and bbb.bbb.bbb.bbb are remote IP addresses
23:38 <@Alster> is this to be expected?
23:39 <@Alster> is there something we can do to prevent such commands from being carried out?
23:52 <@nenolod> Alster, sadly there's not. :(
23:52 <@nenolod> and yes, it is. it means some troll is screwing about on the irc server.
23:54 <@Alster> it's been happening a couple times along the past months
23:55 <@Alster> ~ 10 such entries along the past 2 months, I would guess
23:55 <@Alster> I guess it may be some script run automatically on compromised systems...
Day changed to 20 Dec 2007
00:01 <@Alster> gtg, they're closing the internet cafe
00:02 <@Alster> if anyone has the time to dump the above into an email addressed to ircd at lists.indymedia.org to inform the others, i'd appreciate it much.
<snip>
00:05 < anarcat> oh, btw, i'll be rebooting the switch tomorrow at around noon
00:05 < anarcat> so guerin will flash for around 60 seconds (stupid switch)
00:06 < anarcat> and i'll probably install a new router in january, which could cause similar downtime