[ale] Known vulnerabilities in whois? (called by fail2ban)

Neal Rhodes neal at mnopltd.com
Thu Mar 25 15:43:35 EDT 2010


Something odd today. 

Fedora Core 10 system dog slow.    Yes, I should upgrade.   Is there a
drug you can legally take to help you forget the prior pain of Fedora
upgrades? 

Top shows that whois is taking 80% of cpu.   

whois being called by fail2ban, which is about to cut off access to some
wanker trying random passwords.   It does a whois first to get some
descriptive detail for the logs.  

It was trying to do: 

        17753 ?        R    508:58      |       \_ /usr/bin/whois
        203.171.30.41


You can see it ate a pile of cpu.   I killed it off and all seems to be
ok.     Inquiring minds are curious if those doing external ssh attempts
are getting wise to the notion that fail2ban will spot them and then
close them down, and are now attempting to either:

        A. find/use a vulnerability in whois, or 
        B. just make the whole fail2ban process hang for a while longer
        so they get more chances to guess. 
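The stall described in option B can be bounded on the defender's side rather than diagnosed after the fact. Below, as an added example (not from the original post and not part of fail2ban), is a POSIX sh wrapper that runs the lookup under coreutils timeout(1) and emits a placeholder line when it stalls, so the action that calls it can proceed to the actual ban; the names bounded_whois, WHOIS_BIN and WHOIS_TIMEOUT are assumptions chosen here.

```shell
#!/bin/sh
# Added example, not from the post or from fail2ban: run whois with a hard
# time limit so a slow or unresponsive WHOIS server cannot hold up the
# caller (for instance a fail2ban action that wants whois detail for logs).
# WHOIS_BIN and WHOIS_TIMEOUT are assumed names; override them as needed.

WHOIS_BIN="${WHOIS_BIN:-/usr/bin/whois}"   # lookup program to wrap
WHOIS_TIMEOUT="${WHOIS_TIMEOUT:-10}"       # seconds before the lookup is abandoned

# bounded_whois IP
#   Prints the whois output on success. If the lookup exceeds WHOIS_TIMEOUT
#   or fails, prints a one-line placeholder instead. Always returns 0, so a
#   caller chaining commands with && still reaches its own next step.
bounded_whois() {
    ip="$1"
    # timeout(1) sends TERM at the limit and KILL 5 seconds later if needed.
    if out=$(timeout -k 5 "$WHOIS_TIMEOUT" "$WHOIS_BIN" "$ip" 2>/dev/null); then
        printf '%s\n' "$out"
    else
        rc=$?
        case "$rc" in
            124|137) reason="timed out after ${WHOIS_TIMEOUT}s" ;;  # 124: TERM, 137: KILL
            *)       reason="failed (exit $rc)" ;;
        esac
        printf 'whois lookup for %s: %s (no data)\n' "$ip" "$reason"
    fi
    return 0
}

# When run directly with an address argument, perform one bounded lookup.
if [ $# -gt 0 ]; then
    bounded_whois "$1"
fi
```

A fail2ban action could call this script in place of a bare whois invocation; the ban itself then never waits on a remote WHOIS server longer than WHOIS_TIMEOUT plus the 5 second kill grace period.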


