[plug] new CUPS exploit or an old one?

Gavin Chester gavinchester1 at hotmail.com
Mon May 16 12:26:02 WST 2005


Several replies received in chron. order below: 

On Mon, 2005-05-16 at 11:02 +0800, Daniel J. Axtens wrote:
> Couldn't the IP address be spoofed? (i.e. the address is not the real
> address of the exploiter.)

Yeah, thought of that, but it would seem an awful lot of trouble to go to,
wouldn't it?  It was almost a "secret" attack anyway that only showed
because I was running ethereal - there was nothing in my security log.
But, yes, that's possible - confounded by the other possibilities
mentioned below ...

On Mon, 2005-05-16 at 11:43 +0800, Mark Dixon wrote: 
> Sorry, I should clarify.  After reading the original post in this thread 
> I see that Gavin was saying that Paradox is the same thing as EfTel, 
> Gavin's ISP.  I was working on the presumption that Paradox was another 
> customer of EfTel when I wrote the reply below.
> 
> So, what I suggest now is that you check your logs to see what IP 
> address you were using at the time of the exploit.  If it shows that you 
> were allocated 203.129.128.88 by EfTel at that time then mystery solved, 
> the "exploit" was actually a log of activity within your own machine (or 
> LAN). 

Okay, now here's where I'm getting confused.  You are right, that _was_ the
IP allocated to me at the time, according to the ethereal log - I didn't think
to look at that.  However, AFAIK CUPS would not run from an outside IP for
local printing, and any machine using CUPS locally would only use the local
IP designated to this PC of 192.168.0.254, surely?

On Mon, 2005-05-16 at 11:50 +0800, Russell Steicke wrote: 
> It could also be that someone quite innocently mis-typed an address in
> a CUPS configuration on their own network.  If that was the only
> occasion, I'd file it and forget it.
> 
It's just too worrying that someone could accidentally mistype an IP and
end up sending a print job to my printer where it's set up on a LAN :-O.

Thanks for the input so far guys, but the whole thing raises more questions
than it answers:

1/ Nobody was sitting in front of any PC on the LAN at the time and no jobs were
spooled for printing (BTW: I still can't get damn CUPS to work, anyway.  Still
stuck on only printing a test page _sometimes_ and nothing else :-(  ).
2/ OR ... Was it CUPS just doing its thing and checking the status of the printer, and
if so why the outside IP?
3/ OR ... If it was an accidental or deliberate outside probe, how can someone determine
my machine name (i.e., "local.compaq" rather than the generic "localhost.localdomain")
and then have a chance to access my printer configs?

Jeez, I really do have to learn a LOT more about locking down my system before
I get that static IP and host my own mail and web services :-O

... and as for actually getting CUPS to work ...

Regards, Gavin.
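The thread turns on whether cupsd was bound to the public (dial-up) address rather than only to loopback and 192.168.0.254, and whether its browsing broadcasts or access rules reached beyond the LAN. The script below is an added example, not code from the thread or from the CUPS project: it parses a cupsd.conf (CUPS 1.x directive syntax: Port/Listen, Browsing/BrowseAddress, and Allow/Deny inside <Location> blocks) and reports settings that expose the daemon outside loopback and a LAN range you supply. Both sample configurations are constructed; the LAN range 192.168.0.0/24 is an assumption taken from the address Gavin mentions.

```python
"""Audit a cupsd.conf for settings that expose cupsd beyond loopback and the LAN.

Added example (not from the mailing-list thread or the CUPS project).
Assumes CUPS 1.x cupsd.conf syntax; the sample configs are constructed.
"""
import ipaddress
import re

# Constructed sample: the "wide open" shape CUPS 1.1 shipped with by default.
# "Port 631" binds every interface, including a dial-up/public one.
OPEN_CONF = """\
# constructed sample cupsd.conf
Port 631
Browsing On
BrowseAddress 255.255.255.255
<Location />
Order Deny,Allow
Deny From All
Allow From All
</Location>
<Location /admin>
Order Deny,Allow
Allow From 127.0.0.1
</Location>
"""

# Constructed sample: bound only to loopback and the LAN address, no browsing,
# access limited to the LAN range.
HARDENED_CONF = """\
Listen 127.0.0.1:631
Listen 192.168.0.254:631
Browsing Off
<Location />
Order Deny,Allow
Deny From All
Allow From 127.0.0.1
Allow From 192.168.0.0/24
</Location>
"""


def parse_cupsd_conf(text):
    """Return (global_directives, locations).

    global_directives is a list of (directive, value) pairs outside any block;
    locations maps a <Location path> to its own list of (directive, value).
    Comments (#) and blank lines are skipped.
    """
    global_directives = []
    locations = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"<Location\s+(\S+)>", line, re.IGNORECASE)
        if m:
            current = m.group(1)
            locations.setdefault(current, [])
            continue
        if line.lower() == "</location>":
            current = None
            continue
        parts = line.split(None, 1)
        directive = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        target = global_directives if current is None else locations[current]
        target.append((directive, value))
    return global_directives, locations


def _is_local(value, lan_nets):
    """True if a Listen/BrowseAddress value stays on loopback or inside lan_nets."""
    if value.startswith("/"):            # UNIX domain socket: never routable
        return True
    host = value.split(":")[0]           # drop an IPv4 ":port" suffix
    if host in ("localhost", "@LOCAL"):  # @LOCAL = CUPS shorthand for local subnets
        return True
    if host in ("*", ""):                # wildcard bind
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                     # unresolved hostname: not proven local
    if ip.is_loopback:
        return True
    return any(ip in ipaddress.ip_network(n) for n in lan_nets)


def audit(text, lan_nets=("192.168.0.0/24",)):
    """Return a list of human-readable findings; an empty list means nothing flagged."""
    global_directives, locations = parse_cupsd_conf(text)
    findings = []
    browsing_on = False
    browse_addrs = []
    for directive, value in global_directives:
        d = directive.lower()
        if d == "port":
            findings.append("Port %s binds every interface; prefer Listen on loopback/LAN addresses" % value)
        elif d == "listen" and not _is_local(value, lan_nets):
            findings.append("Listen %s binds outside loopback and the LAN" % value)
        elif d == "browsing":
            browsing_on = value.lower() == "on"
        elif d == "browseaddress":
            browse_addrs.append(value)
    if browsing_on:
        for addr in browse_addrs:
            if not _is_local(addr, lan_nets):
                findings.append("Browsing On with BrowseAddress %s announces printers beyond the LAN" % addr)
    for path, entries in locations.items():
        for directive, value in entries:
            if directive.lower() == "allow" and value.lower() in ("from all", "all"):
                findings.append("Location %s: 'Allow From All' accepts requests from any source" % path)
    return findings


if __name__ == "__main__":
    for name, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["no findings"])
```

Run it against your own /etc/cups/cupsd.conf with the LAN range you actually use; a clean result does not prove nothing else is listening, so pair it with a look at what cupsd has bound (netstat or lsof) and at the packet capture itself.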
