[plug] new CUPS exploit or an old one?

Mark Dixon MarkDixon at iiNet.net.au
Mon May 16 11:18:20 WST 2005


I think the IP address you saw would most likely be the one used for (at 
least the last leg of) the connection, that is, it probably wasn't 
spoofed, but could have been the address of a hijacked machine that was 
using that IP address.

However, here is another reason for thinking the access attempt might 
NOT have been from Paradox:  If your ISP farms out IP addresses as 
needed, for example by using DHCP, then the IP number could have been a 
different customer to Paradox at the time the CUPS entry was logged. You 
say you got disconnected, then later you saw the exploit and attempted 
to identify who was using the IP address shown in the log.  So, it could 
even have been the IP number allocated to you at the time of the 
"exploit".  Is it possible someone on your home network was attempting 
to print at that time and that the print might have been spooled to your 
CUPS controlled printer queue?

Cheers, Mark.

Daniel J. Axtens wrote:
>>Eftel is my ISP, so am I right in believing that it looks like someone
>>on my ISP network is trying to exploit me?
>>
>>Should I be worried?
>>
>>Should I send a complaint to their abuse at paradox.net.au ?
> 
> 
> Couldn't the IP address be spoofed? (i.e. the address is not the real
> address of the exploiter.)
> 
> This would make it rather pointless to send a complaint to paradox, as
> they wouldn't be responsible.
> 
> Just wondering.
> 
> HTH,
> Daniel Axtens
> 
> On 5/15/05, Gavin Chester <gavinchester1 at hotmail.com> wrote:
> 
>>Is there a new exploit via CUPS that anyone knows about?  I am running
>>CUPS 1.1.22, which is one version behind the latest stable, on a FC3
>>system. I googled and found no news of anything new and I should be okay
>>since this version is newer than the version given after the last cups
>>security advisory in Jan 2005.  Nevertheless, I saw an attempt to use
>>CUPS for the first time as shown in this packet capture in my ethereal
>>logs this morning:
>>
>>--snip--
>>
>>Eftel is my ISP, so am I right in believing that it looks like someone
>>on my ISP network is trying to exploit me?
>>
>>Should I be worried?
>>
>>Should I send a complaint to their abuse at paradox.net.au ?
>>
>>Your experienced hacker opinions welcomed :-)
>>
>>Regards, Gavin.
>>
>>_______________________________________________
>>PLUG discussion list: plug at plug.org.au
>>http://www.plug.org.au/mailman/listinfo/plug
>>Committee e-mail: committee at plug.linux.org.au
>>
> 
> 
> 
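The point Mark makes above, that the address in a CUPS log identifies a lease slot rather than a person, is easy to check mechanically when you have lease records. The script below is an added example, not code from the original thread or from CUPS: it parses CUPS access_log lines (which use the Apache common log layout), ignores requests from the LAN or localhost, and for each external request looks up which client held that address at that instant in a lease timeline. The log lines, the lease records, the 203.0.113.0/24 pool, the customer names and the function names are all constructed for the example; the real capture in the thread was snipped.

```python
import ipaddress
import re
from datetime import datetime

# CUPS access_log is Apache common-log style:
#   host - user [dd/Mon/yyyy:HH:MM:SS +zzzz] "request" status bytes ipp-op ipp-status
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Constructed sample log (not the poster's real capture).
SAMPLE_ACCESS_LOG = """\
localhost - - [15/May/2005:07:02:11 +0800] "POST / HTTP/1.1" 200 163 CUPS-Get-Printers successful-ok
192.168.1.20 - - [15/May/2005:07:05:40 +0800] "POST /printers/hp HTTP/1.1" 200 1302 Print-Job successful-ok
203.0.113.77 - - [15/May/2005:07:11:49 +0800] "GET /printers HTTP/1.1" 200 2049 - -
203.0.113.77 - - [15/May/2005:07:11:50 +0800] "POST /admin/ HTTP/1.1" 401 0 - -
"""

# Constructed lease timeline for one pool address: the same IP is handed to two
# different customers within an hour, which is the situation Mark describes.
SAMPLE_LEASES = [
    {"ip": "203.0.113.77", "start": "2005-05-15 06:30:00+08:00",
     "end": "2005-05-15 07:00:00+08:00", "client": "customer-A (you)"},
    {"ip": "203.0.113.77", "start": "2005-05-15 07:00:00+08:00",
     "end": "2005-05-15 08:30:00+08:00", "client": "customer-B"},
]

# Addresses that are "us": the home LAN and loopback (assumed layout).
LOCAL_NETS = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("127.0.0.0/8")]


def parse_access_log(text):
    """Parse access_log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        entries.append({"host": m.group("host"), "user": m.group("user"), "ts": ts,
                        "req": m.group("req"), "status": int(m.group("status"))})
    return entries


def is_local(host):
    """True for loopback, the literal 'localhost', or an address inside LOCAL_NETS."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"
    return any(addr in net for net in LOCAL_NETS)


def holder_at(ip, when, leases):
    """Return which client held `ip` at `when`, or None if no lease covers that instant."""
    for lease in leases:
        if lease["ip"] != ip:
            continue
        start = datetime.fromisoformat(lease["start"])
        end = datetime.fromisoformat(lease["end"])
        if start <= when < end:
            return lease["client"]
    return None


def external_requests(entries, leases):
    """Every request not from the LAN, annotated with the lease holder at that time."""
    findings = []
    for e in entries:
        if is_local(e["host"]):
            continue
        findings.append({"host": e["host"], "ts": e["ts"].isoformat(), "req": e["req"],
                         "status": e["status"], "holder": holder_at(e["host"], e["ts"], leases)})
    return findings


if __name__ == "__main__":
    for f in external_requests(parse_access_log(SAMPLE_ACCESS_LOG), SAMPLE_LEASES):
        print(f"{f['ts']} {f['host']} {f['req']!r} -> {f['status']} held by {f['holder']}")
```

In the constructed data both external requests land in customer-B's lease, while the same address belonged to "you" forty minutes earlier, so an abuse complaint naming the IP alone would point at whoever the ISP's records show for that exact timestamp. Only the ISP holds the authoritative lease timeline; from the home side the useful check is whether the timestamp falls inside your own lease (your DHCP client log or router log) and whether a LAN host was printing at that moment.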