(RADIATOR) RV: HACKER ATTACK?

Hugh Irvine hugh at open.com.au
Mon Nov 12 17:12:34 CST 2001


Hello Gabriela -

I am not certain that what you show below is due to a hacker - you often see 
things like this with modems that do not train properly when receiving a call.

In any case, with Radiator 2.19 you can use the new "UsernameCharset" 
parameter to limit what characters you will accept in the User-Name string.

Have a look at section 6.4.30 in the Radiator reference manual 
("doc/ref.html"). Note that you can use this either globally or on a 
per-Handler basis.

regards

Hugh


> >
> > Last Saturday our Radius server received an attack. I'm sending you
> > the information I could find on my server in order to help all Radius
> > servers against unexpected attacks.
> >
> > Sat Nov 10 22:59:54 2001: DEBUG: Packet dump:
> > *** Received from 200.16.169.56 port 1645 ....
> > Code:       Access-Request
> > Identifier: 150
> > Authentic:  Ei`!:iLLLL(:r(LC
> > Attributes:
> >         User-Name = "'S R%H%G1\|g+%s8rEs3)o}p/G}/J?~o]F 4%7.+CBsg,'?j/?u"
> >         User-Password =
> > ")<162><225><251><177>o<25>9\<177>o<6>:[J<5>va<146><145>U<173>F<8><198>4<160><249>D<179><198><239>"
> >         NAS-IP-Address = 200.16.169.56
> >         NAS-Port = 56
> >         Called-Station-Id = "6200"
> >         Calling-Station-Id = "1145674048"
> >         USR-Connect-Speed = 24000_BPS
> >         USR-Modulation-Type = v32Terbo
> >         USR-Simplified-MNP-Levels = 0
> >         USR-Simplified-V42bis-Usage = 0
> >         USR-Chassis-Call-Slot = 7
> >         USR-Chassis-Call-Span = 0
> >         USR-Chassis-Call-Channel = 27
> >         NAS-Identifier = "access2"
> >         Acct-Session-Id = "071b05f8"
> >         NAS-Port-Type = Async
> >
> > Sat Nov 10 22:59:54 2001: DEBUG: Handling request with Handler
> > 'Realm=DEFAULT'
> > Sat Nov 10 22:59:54 2001: DEBUG: SessionDbSQL Deleting session for 'S
> > R%H%G1\|g+%s8rEs3)o}p/G}/J?~o]F 4%7.+CBsg,'?j/?u, 200.16.169.56, 56
> > Sat Nov 10 22:59:54 2001: DEBUG: do query is: delete from RADONLINE where
> > NASIDENTIFIER='200.16.169.56' and NASPORT=056
> >
> > Sat Nov 10 22:59:54 2001: DEBUG: Query is: select NASIDENTIFIER, NASPORT,
> > ACCTSESSIONID from RADONLINE where USERNAME=''S R%H%G1\|g+%s8rEs3)o}
> > p/G}/J?~o]F 4%7.+CBsg,'?j/?u'
> >
> > Sat Nov 10 22:59:54 2001: ERR: Execute failed for 'select NASIDENTIFIER,
> > NASPORT, ACCTSESSIONID from RADONLINE where USERNAME=''S R%H%G1\|g+%s
> > 8rEs3)o}p/G}/J?~o]F 4%7.+CBsg,'?j/?u'': ERROR:  parser: parse error at or
> > near "s"
> >
> > Sat Nov 10 22:59:55 2001: ERR: Execute failed for 'select NASIDENTIFIER,
> > NASPORT, ACCTSESSIONID from RADONLINE where USERNAME=''S R%H%G1\|g+%s
> > 8rEs3)o}p/G}/J?~o]F 4%7.+CBsg,'?j/?u'': ERROR:  parser: parse error at or
> > near "s"
> >
> > Sat Nov 10 22:59:55 2001: DEBUG: Handling with Radius::AuthSQL
> > Sat Nov 10 22:59:55 2001: DEBUG: Handling with Radius::AuthSQL
> >
> > Lic. Gabriela Barsotti
> > Technology Manager
> > EasyMail S.A.
> > A VirtualCom Company
> > 54-11-54590-8820
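Added example, not part of the original thread and not Radiator's own code: a character allow-list check of the kind the reply suggests, run against the User-Name from the packet dump, next to the quoted session lookup and a bound-parameter version of it. The allow-list value, the function names and the in-memory SQLite stand-in for the RADONLINE table are assumptions made for this sketch.

```python
import re
import sqlite3

# Assumed allow-list, written as the body of a regex character class.
ALLOWED_CHARSET = r"a-zA-Z0-9._@-"

# User-Name copied from the packet dump quoted in the thread.
LOGGED_USER_NAME = r"'S R%H%G1\|g+%s8rEs3)o}p/G}/J?~o]F 4%7.+CBsg,'?j/?u"

QUERY = "select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE where USERNAME="


def username_ok(name, charset=ALLOWED_CHARSET):
    """True only if name is non-empty and every character is in charset."""
    return re.fullmatch("[" + charset + "]+", name) is not None


def rejected_chars(name, charset=ALLOWED_CHARSET):
    """Distinct characters of name that fall outside charset, in order seen."""
    return list(dict.fromkeys(re.findall("[^" + charset + "]", name)))


def make_db():
    """In-memory SQLite stand-in (assumption) for the RADONLINE session table."""
    db = sqlite3.connect(":memory:")
    db.execute("create table RADONLINE (USERNAME text, NASIDENTIFIER text,"
               " NASPORT integer, ACCTSESSIONID text)")
    return db


def lookup_interpolated(db, name):
    """Pastes the name between quotes, as in the logged statement."""
    return db.execute(QUERY + "'" + name + "'").fetchall()


def lookup_bound(db, name):
    """Passes the name as a bound parameter, so quotes in it stay data."""
    return db.execute(QUERY + "?", (name,)).fetchall()


def handle(db, name):
    """Charset check first; only accepted names reach the session lookup."""
    if not username_ok(name):
        return "reject", rejected_chars(name)
    return "lookup", lookup_bound(db, name)


if __name__ == "__main__":
    print(handle(make_db(), LOGGED_USER_NAME))
```

The leading single quote in the logged name is what ends the SQL string early and produces the parse error in the log; the charset check stops such names before any query is built, and the bound lookup treats them as data even if the check is relaxed.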