[plug] new CUPS exploit or an old one?

Mark Dixon MarkDixon at iiNet.net.au
Mon May 16 11:43:12 WST 2005


Sorry, I should clarify.  After reading the original post in this thread 
I see that Gavin was saying that Paradox is the same thing as EfTel, 
Gavin's ISP.  I was working on the presumption that Paradox was another 
customer of EfTel when I wrote the reply below.

So, what I suggest now is that you check your logs to see what IP 
address you were using at the time of the exploit.  If it shows that you 
were allocated 203.129.128.88 by EfTel at that time then mystery solved, 
the "exploit" was actually a log of activity within your own machine (or 
LAN).  If you were on a different IP number at that time, then 
contacting EfTel with a report of the access would do no harm and might 
result in a warning being issued to another EfTel customer that was 
"poking around" a bit too aggressively.

Mark Dixon wrote:
> I think the IP address you saw would most likely be the one used for (at 
> least the last leg of) the connection, that is, it probably wasn't 
> spoofed, but could have been the address of a hijacked machine that was 
> using that IP address.
> 
> However, here is another reason for thinking the access attempt might 
> NOT have been from Paradox:  If your ISP farms out IP addresses as 
> needed, for example by using DHCP, then the IP number could have been a 
> different customer to Paradox at the time the CUPS entry was logged. You 
> say you got disconnected, then later you saw the exploit and attempted 
> to identify who was using the IP address shown in the log.  So, it could 
> even have been the IP number allocated to you at the time of the 
> "exploit".  Is it possible someone on your home network was attempting 
> to print at that time and that the print might have been spooled to your 
> CUPS controlled printer queue?
> 
> Cheers, Mark.
> 
> Daniel J. Axtens wrote:
> 
>>> Eftel is my ISP, so am I right in believing that it looks like someone
>>> on my ISP network is trying to exploit me?
>>>
>>> Should I be worried?
>>>
>>> Should I send a complaint to their abuse at paradox.net.au ?
>>
>>
>>
>> Couldn't the IP address be spoofed? (i.e. the address is not the real
>> address of the exploiter.)
>>
>> This would make it rather pointless to send a complaint to paradox, as
>> they wouldn't be responsible.
>>
>> Just wondering.
>>
>> HTH,
>> Daniel Axtens
>>
>> On 5/15/05, Gavin Chester <gavinchester1 at hotmail.com> wrote:
>>
>>> Is there a new exploit via CUPS that anyone knows about?  I am running
>>> CUPS 1.1.22, which is one version behind the latest stable, on a FC3
>>> system. I googled and found no news of anything new and I should be okay
>>> since this version is newer than the version given after the last cups
>>> security advisory in Jan 2005.  Nevertheless, I saw an attempt to use
>>> CUPS for the first time as shown in this packet capture in my ethereal
>>> logs this morning:
>>>
>>> --snip--
>>>
>>> Eftel is my ISP, so am I right in believing that it looks like someone
>>> on my ISP network is trying to exploit me?
>>>
>>> Should I be worried?
>>>
>>> Should I send a complaint to their abuse at paradox.net.au ?
>>>
>>> Your experienced hacker opinions welcomed :-)
>>>
>>> Regards, Gavin.
>>>
>>> _______________________________________________
>>> PLUG discussion list: plug at plug.org.au
>>> http://www.plug.org.au/mailman/listinfo/plug
>>> Committee e-mail: committee at plug.linux.org.au
>>>
>>
>>
>>
> 
> 
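Mark's suggestion above is to correlate the address in the CUPS log with the address your own dial-up held at that moment. The script below is an added example, not code from the original post: it reads CUPS access_log lines (the common-log format cupsd writes) alongside constructed pppd syslog lines recording the address EfTel assigned, and labels each request as local, own-address (your PPP address at the time, so most likely your own LAN) or external (somebody else held that address, so worth reporting). The sample log lines and the hostname fc3 are constructed; the year and the +0800 offset are assumptions because syslog lines carry neither.

```python
import re
from datetime import datetime, timezone, timedelta

# Constructed sample of cupsd access_log lines (common-log format plus IPP operation and status).
CUPS_ACCESS_LOG = """\
203.129.128.88 - - [15/May/2005:09:12:41 +0800] "POST / HTTP/1.1" 200 185 CUPS-Get-Printers successful-ok
localhost - - [15/May/2005:09:30:02 +0800] "POST /printers/lp HTTP/1.1" 200 1024 Print-Job successful-ok
203.129.128.88 - - [15/May/2005:09:40:17 +0800] "POST / HTTP/1.1" 200 185 CUPS-Get-Printers successful-ok
"""

# Constructed sample of pppd syslog lines recording which address the ISP handed out and when it went away.
PPP_SYSLOG = """\
May 15 08:55:10 fc3 pppd[1234]: local  IP address 203.129.128.88
May 15 09:20:44 fc3 pppd[1234]: Connection terminated.
May 15 09:25:03 fc3 pppd[1301]: local  IP address 203.129.130.7
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d+) \d+(?: (\S+) (\S+))?')
PPP_RE = re.compile(r'^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ pppd\[\d+\]: '
                    r'(?:local +IP address (\S+)|Connection terminated)')

def parse_access(text):
    """Yield (host, timestamp, IPP operation) for each parseable access_log line."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            yield m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"), m.group(5)

def ppp_leases(text, year, tz):
    """Return (start, end, ip) intervals from pppd lines; end is None if the link is still up."""
    leases, current = [], None
    for line in text.splitlines():
        m = PPP_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)} {m.group(2)} {m.group(3)}",
                               "%Y %b %d %H:%M:%S").replace(tzinfo=tz)
        if m.group(4):                      # "local IP address" line opens an interval
            current = (ts, m.group(4))
        elif current:                       # "Connection terminated" closes it
            leases.append((current[0], ts, current[1]))
            current = None
    if current:
        leases.append((current[0], None, current[1]))
    return leases

def own_ip_at(leases, when):
    return next((ip for s, e, ip in leases if s <= when and (e is None or when < e)), None)

def classify(access_text, ppp_text, year=2005, tz=timezone(timedelta(hours=8))):
    """Label each CUPS request by whether its source was localhost, our own PPP address, or an outsider."""
    leases = ppp_leases(ppp_text, year, tz)
    out = []
    for host, when, op in parse_access(access_text):
        verdict = ("local" if host in ("localhost", "127.0.0.1")
                   else "own-address" if host == own_ip_at(leases, when) else "external")
        out.append((host, op, verdict))
    return out
```

In the constructed data the first request arrives while 203.129.128.88 is still your own link address, so it is labelled own-address; the third arrives after the link dropped and another customer could have been given that address, so it is labelled external.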
