I think my client may be under attack. The symptoms are strange,
but so is their setup so I'd believe this is just a config trouble.
Here's what happens:
There is typically a in.fingerd call in the log from the core
machine of another ISP. Then, if there is a console open on their
nameserver/webserver/mailserver machine (Linux 2.1.1), we get
a rapid succession of "request to talk" messages with no username
or a gibberish username and the same remote ISP machine; lately, I have
been getting a gibberish name but with the local machine name, but
again, a rapid succession ...
... and then the remote router (in another town) crashes.
On one occasion, I had remote xterms into the machine from my office,
I saw the same in.fingerd messages appear in my log, and all of my
xterm windows one-by-one turned to gibberish and then vanished.
We were ready to believe the router trouble was voltage fluctuations
(its a computone connected to a Compatible 2800i) except this never
occurs during business hours. The config on both the computone and
the 2800i seem fine, although both have been configured with IPs on the
192.168.2.0 network. I am also aware of the "evil ping" attack and
wonder if there is something similar happening here --- the initial
occurance of in.fingerd (if it is related) suggests the method will
only work if the attacker knows that a local tty is in use.
I have checked both machines with ISS and COPS --- Satan won't run
under Linux :( --- and both show no obvious holes. If this is an
intruder, how do I gather more information?
(519) 422-1150 fax:422-2723 ---- RR1/F3 Sauble Beach, Ontario, Canada
TeleDynamics ----------- http://www.geocities.com/SiliconValley/7704/
-------------------The view from the high mountain is worth the climb