[svlug] followup on port 4156 ping storm problem
linuxcpa at netscape.net
Sun Sep 22 22:50:07 PDT 2002
My friend...I know someone that knows some Perl...if he is not busy, he
may be able to help you.
>A followup on my recent experiences. First of all, portsentry was
>a solution, once I configured it, my internet was back to normal.
>But I'm not aware of any such virii/worms/etc that go after that
>particular port (4156), and the attack is still ongoing. I now
>have a /etc/hosts.deny file of over 5000 lines. This to me would
>constitute a very widespread attack, and those domains seem to
>be rather random.
>If this continues, I will have a rather large set of addresses
>that are blocked. Whether any of these are legitimate sites is
>something worth looking into. Problem is, there are too many of
>them for me to look closely at.
>Enter the wonderful world of scripting. I'm not an admin, and I've
>written just a tad number of short scripts, and don't yet know
>perl. Still, I figure I can parse the /etc/hosts.deny file, take
>out the IP, and lookup its MX record, or its textual name, if needed -
>and send a short notice to postmaster@ that domain.
>I checked CERT earlier today, nothing was reported. Another site,
>the Internet storm watch site, didn't mention it, but I sent them
>Any suggestions for further action?
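The triage step described in the quoted message (pull the addresses out of /etc/hosts.deny and look up their names), as an added example that is not part of the original thread and is written in Python rather than Perl. It assumes portsentry wrote its entries in the `ALL: <ip>` style; the function names and the sample data are hypothetical, and the grouping by /24 is an extra step for checking whether the sources really are scattered.

```python
import ipaddress
import re
import socket
from collections import Counter

# Constructed sample in the style of portsentry's "ALL: <ip>" entries
# (assumed format; documentation-range addresses, not real offenders).
SAMPLE = """\
# /etc/hosts.deny
ALL: 192.0.2.10
ALL: 192.0.2.77 : DENY
ALL: 198.51.100.5
ALL: 192.0.2.10
ALL: 203.0.113.999
"""

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def blocked_ips(text):
    """Return the unique, valid IPv4 addresses in hosts.deny text, in file order."""
    seen = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]          # drop comments
        for candidate in IPV4.findall(line):
            try:
                seen.setdefault(ipaddress.IPv4Address(candidate), None)
            except ipaddress.AddressValueError:
                pass                          # malformed, e.g. 203.0.113.999
    return list(seen)

def by_network(ips, prefix=24):
    """Count blocked addresses per enclosing network, busiest first."""
    nets = Counter(ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips)
    return nets.most_common()

def reverse_names(ips, resolver=socket.gethostbyaddr):
    """Map each IP to its PTR name, or None when there is no reverse record."""
    names = {}
    for ip in ips:
        try:
            names[ip] = resolver(str(ip))[0]
        except OSError:                       # socket.herror and gaierror subclass OSError
            names[ip] = None
    return names

if __name__ == "__main__":
    ips = blocked_ips(SAMPLE)
    for net, count in by_network(ips):
        print(f"{count:5d}  {net}")
```

To run it against the real file, pass `open("/etc/hosts.deny").read()` to `blocked_ips`; `reverse_names` performs live DNS lookups unless a different `resolver` is supplied.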