Subject: Re: ingreslock message
From: Dino Amato (slayer67 APK.NET)
Date: Tue Mar 07 2000 - 11:42:01 CST
Thanks to all who responded to my question.
I checked the box and there was no break-in or compromise, like a few others
said - someone was looking around for a hole.
My inetd.conf file has been totally remarked out since day also and nothing
in tmp.
Thanks for telling me about this particular attack.
Dino Amato
On Tue, 7 Mar 2000, Graeme Fowler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Dino
>
> On 06-Mar-2000 Dino Amato wrote:
> > I logged this:
> > Mar 5 15:58:23 monitor tcplogd: ingreslock connection attempt from
> > unknown sleipnir1.cs.ucl.ac.uk
> > what does the ingreslock mean and what was this person trying to do?
>
> Firstly: the ingreslock port was well-used by the shell installed by a
> number of RPC compromises on Solaris (amongst others); as I know only
> too well :(
> I guess the culprit was scanning for previously compromised machines.
>
> Secondly: if you have seen this on other machines, or more frequently
> than the single line above, please report it to:
>
> cert cert.ja.net
>
> They'll deal with it as its source was a UK university.
>
> - --
> Graeme Fowler
> Network Officer, Infrastructure & Networks Group
> Loughborough University Computing Services
> PGP Public Key: http://xenomorph.lboro.ac.uk/
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 5.0i for non-commercial use
> Charset: noconv
>
> iQA/AwUBOMUO4ukW/hjR2nSsEQKFmwCaAl47OPjInQbAs0+5sJa4cYo6k+wAoP2J
> lHFFPw0TToSC2CgekyhYVZNt
> =8JCg
> -----END PGP SIGNATURE-----
>
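
The two checks described in this message (no active ingreslock entry in an inetd-style file, and who has been probing the port according to tcplogd), as an added example that is not part of the original thread. ingreslock is 1524/tcp in /etc/services; the file names, hosts, program paths and the user@host form of the logged source are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. ingreslock is 1524/tcp in /etc/services.

# Print inetd-style lines that are not commented out and whose service field
# is ingreslock or 1524. No output means no active entry in the files given.
active_ingreslock_entries() {
    awk '!/^[ \t]*#/ && ($1 == "ingreslock" || $1 == "1524") {
             print FILENAME ": " $0 }' "$@"
}

# Count tcplogd ingreslock probes per source (the field after "from"),
# most frequent first.
ingreslock_sources() {
    awk '/tcplogd: ingreslock connection attempt from/ {
             for (i = 1; i < NF; i++)
                 if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (s in n) print n[s], s }' "$@" | sort -rn
}

# Constructed sample data: hosts, paths and program names are hypothetical.
make_samples() {
    cat > "$1/inetd.conf" <<'EOF'
#ftp        stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
#ingreslock stream tcp nowait root /usr/local/bin/example example
EOF
    cat > "$1/stray.conf" <<'EOF'
ingreslock stream tcp nowait root /usr/local/bin/example example
EOF
    cat > "$1/messages" <<'EOF'
Mar  5 15:58:23 monitor tcplogd: ingreslock connection attempt from unknown@scanner.example.net
Mar  5 15:58:24 monitor tcplogd: ingreslock connection attempt from unknown@scanner.example.net
Mar  5 16:02:10 monitor tcplogd: telnet connection attempt from unknown@host.example.org
Mar  6 01:12:45 monitor tcplogd: ingreslock connection attempt from unknown@other.example.com
EOF
}

d=$(mktemp -d)
make_samples "$d"
echo "Active entries:"; active_ingreslock_entries "$d/inetd.conf" "$d/stray.conf"
echo "Probe sources:";  ingreslock_sources "$d/messages"
```

A fully commented-out inetd.conf produces no output from the first function; only the uncommented line in the second sample file is reported.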