Complete.Org: Mailing Lists: Archives: linux-help: August 2004:
[linux-help] Re: Port 18593 attacks

To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: Port 18593 attacks
From: Jeff Vian <jvian10@xxxxxxxxxxx>
Date: Tue, 03 Aug 2004 14:34:47 -0500
Reply-to: linux-help@xxxxxxxxx

On Tue, 2004-08-03 at 14:16, Jonathan Hall wrote:
> Generally your client keeps track of its last-used IP address, and requests
> that again from the DHCP server.  Unless some other machine has already
> received that IP address, the DHCP server will gladly give it to you again,
> even if the previous lease has expired.
> 

Right, see below.

> 
> ----- Original Message -----
> From: "bbales" <bbales@xxxxxxx>
> To: <linux-help@xxxxxxxxx>
> Sent: Tuesday, August 03, 2004 12:57 PM
> Subject: [linux-help] Re: Port 18593 attacks
> 
> 
> > On Monday 02 August 2004 17:58, you wrote:
> > > Powering it off will release the IP;  But ONLY when the lease expires
> > > and it does not get renewed.  Bruce said that, and I have experienced
> > > it.
> > >
> > > Usually a lease gets renewed some (specified) time before it expires, so
> > > the modem will need to be powered off for at least the lease period in
> > > order to force the issuance of a new IP.
> > >
> > > On Fedora Core 2, pump has been removed and dhcp client is serviced by
> > > dhclient. Old lease info is kept in the dhclient.leases file.  Removing
> > > or emptying that file may force assignment of a new lease without
> > > waiting for the lease to expire.  I am unable to test because I do not
> > > use dhcp, but info dhclient has lots of information (including how to
> > > explicitly release a lease).
> > >

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^


Bruce:

This is a clue, but pump used a different file.  Man pump to find out
where if the router/firewall uses pump.

You can check and see where the Frazierwall is keeping that
information.  Grep will help as long as you know the current IP address.
Or better yet man will tell you if you know which client is running for
dhcp.


> > > Also look at dhclient.conf file.
> >
> > The 12 hour power off didn't work.  Cox told me the lease was up at 5:50
> > so I pulled the plug from 5:00 PM until 10:30 this morning.  Same IP
> > address.  For two minutes I got hits on other ports - then the hits were
> > all (or 96%) to 18593.  Got 514 in 90 minutes.
> >
> > The owner of the lease is a Frazierwall box with a very limited Linux
> > system, so I doubt if it has dhclient.  I'm still investigating.
> >
> > John and Adam suggest releasing the lease and dropping another ethernet
> > board in.  I could do that if I knew how to release the lease.  The box
> > has dhcpcd, but no man page.
> >
> > As far as I can tell, this isn't hurting anything.  If Frazierwall didn't
> > send in a list of blocked connections I wouldn't have known it was
> > happening.  But I'd still like to get it stopped.
> > bruce
> >
> > -- This is the linux-help@xxxxxxxxx list.  To unsubscribe,
> > visit http://www.complete.org/cgi-bin/listargate-aclug.cgi
> >
> >
> 


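Added example (not part of the original thread): a small Python parser for the dhclient.leases file mentioned in the message above, reporting when the current lease for a known address expires. The sample lease text, the address 192.0.2.45 and the function names are constructed for illustration, and it assumes dhclient's default date format (weekday number, then a UTC date and time).

```python
import re
from datetime import datetime, timezone

# Constructed sample in dhclient.leases(5) format; 192.0.2.45 is a
# documentation-range placeholder, not an address from the thread.
SAMPLE_LEASES = """
lease {
  interface "eth0";
  fixed-address 192.0.2.45;
  renew 1 2004/08/02 10:50:00;
  rebind 1 2004/08/02 19:50:00;
  expire 1 2004/08/02 22:50:00;
}
lease {
  interface "eth0";
  fixed-address 192.0.2.45;
  renew 2 2004/08/03 10:50:00;
  rebind 2 2004/08/03 19:50:00;
  expire 2 2004/08/03 22:50:00;
}
"""

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
TIME_RE = re.compile(
    r"^\s*(renew|rebind|expire)\s+\d+\s+(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d);", re.M)

def parse_leases(text):
    """Return one dict per lease block: address, interface and any timers found."""
    leases = []
    for body in LEASE_RE.findall(text):
        addr = re.search(r"fixed-address\s+([\d.]+);", body)
        iface = re.search(r'interface\s+"([^"]+)";', body)
        lease = {"address": addr.group(1) if addr else None,
                 "interface": iface.group(1) if iface else None}
        for key, stamp in TIME_RE.findall(body):
            parsed = datetime.strptime(stamp, "%Y/%m/%d %H:%M:%S")
            lease[key] = parsed.replace(tzinfo=timezone.utc)
        leases.append(lease)
    return leases

def current_lease(leases, address):
    """Latest-expiring entry for the address; entries without a dated expiry are skipped."""
    matches = [l for l in leases if l["address"] == address and "expire" in l]
    return max(matches, key=lambda l: l["expire"]) if matches else None

def seconds_until_expiry(lease, now):
    """Seconds the client must stay silent before the server may reassign the address."""
    return max(0, int((lease["expire"] - now).total_seconds()))
```

Passing the contents of the real lease file and the address currently held shows both the renew time, when the client will ask for the same address again, and the expire time discussed in the thread.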