[TriLUG] Port 631
Joshua Gitlin
josh at glowfilms.com
Thu Jun 3 18:21:27 EDT 2004
Hmmm... I had a similar problem about four years ago back when I was in
college... I had a machine with two NICs in it, and Mandrake 8.2
installed on it. I got it set up and plugged into the network and had
just enough time to check my email and slashdot before heading off to a
class. Well, I found that I wasn't able to reach slashdot... I then
noticed that I wasn't able to get out on the net at all, nor was anyone
else in my suite. I just assumed that for some reason the campus
network seemed to be down (or just very slow... Which was weird,
because I thought they had a T1 connection...)

Anyway, I head off to class, and as I'm walking around campus and
sleeping through a very boring intro to CS lecture, the network
administrator pays my room a little visit. Not finding me in, he knocks
on my suitemate's door and demands to see me, scaring the you-know-what
out of my suitemate... who is very Linux-savvy himself and knows I've
had run-ins with said network admin before. The network admin tells my
suitemate that I'm "in big trouble" and he needs to speak with me right
away.

I return from class hoping the net will be back up, but to my dismay
find that it is not. The suitemate of mine who met the network admin
was now gone, but I used his computer to find out if his computer was
able to access the net. It was. Confused, I run an ethernet cable to
his room and plug myself in.

Not two minutes later, the phone rings. It's the network administrator.
Apparently (and don't ask me how or why) CUPS on my system had brought
the entire campus network to its knees. (Or so I was told). One of my
NICs was sending out broadcast packets as fast as it possibly could,
and the second NIC was answering. Both interfaces had their own IP, and
somehow all this traffic was disturbing the campus network. To solve
the problem, the network administrator had first isolated the network
in my building from the rest of the world, and then cut off access to
the port in my room. Of course now I had plugged in to my roommate's
port and was continuing to broadcast. As the admin was explaining this
to me, I unplugged the cable so fast I almost ripped the jack out of
the wall!

Anyway, after that long-winded story, I don't know what caused the
problem. I logged into my box and executed "top", and found that CUPS
was using 99.9% of both my CPUs. I simply removed CUPS and reinstalled
a newer version from an RPM. Haven't had the problem since.

This probably doesn't help, but maybe it was at least interesting :)

-Josh
-----------
Due to the recent increase in spam and falsely sent email, I now PGP
Sign all of my outgoing mail to prove my identity. This means that you
will see an attachment called "PGP.sig" with this message. This
attachment can be used to prove that I am who I say I am. If you are
not familiar with PGP, you can safely ignore it. For more information,
please visit http://www.pgp.com/ or http://www.gnupg.org/
On Jun 3, 2004, at 5:14 PM, Byarlay, Wayne A. wrote:
> Could anybody tell me why a RH9 machine is constantly attempting to
> contact our other RH9 machine with CUPS on it?
>
> yes, the non-CUPS server is hammering away on the CUPS one (or trying
> to, not getting through firewall) through port 631 (which is IPP).
>
> Perhaps some old print job that just can't escape or something?? If so
> where would I look to delete it?
>
>
> -----Original Message-----
> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On
> Behalf Of stan briggs
> Sent: Thursday, June 03, 2004 2:13 PM
> To: trilug at trilug.org
> Subject: RE: [TriLUG] destructive spam?
>
> a technique like described below certainly works. there are many ways
> to get to the source to see what characters are there. the problem,
> though, is that the cid: entry is followed by a whole bunch of ascii
> characters that evidently mean more than just their random human
> readable letters. they don't look like hex. i don't know what they are.
>
> ideas, anyone?
>
> stan
>
>
>> The technique for discovering where these references point depends on
>> your email client.
>>
>> You need to save the email to a file on hard disk, then view it with a
>> text reader. Then just read the html and you can spot the external
>> references.
>>
>> With most 'nixes, you could create a folder, move the questionable
>> email into it (so that it's isolated from the other
>> 5 megabytes in your Inbox folder), and navigate into it following your
>> .Mail or .mail or .Mailbox directory off your roothome (~).
>> Then open it in vi or whatever.
>>
>> If you use outlook by day, then create a new email addressed to
>> yourself and use the "insert -> item" feature. Once it's in your
>> inbox, then right click on the attachment, do a "Save As", name it
>> whatever.txt. Examine it with notepad.
>>
>> Marty
>>
>> -----Original Message-----
>> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org] On
>> Behalf Of Turnpike Man
>> Sent: Thursday, June 03, 2004 12:29 PM
>> To: Triangle Linux Users Group discussion list
>> Subject: Re: [TriLUG] destructive spam?
>>
>>
>> slightly better... but without clicking these links, is there any way
>> to decipher where they are going to take us?
>>
>> David M.
>>
>> --- sholton at mindspring.com wrote:
>>> You are familiar with URLs that contain a protocol identifier
>>> (http:, ftp:) followed by a host identifier (trilug.org,
>>> ftp.ics.uci.edu) followed by an object reference (index.html,
>>> pub/ietf/uri/rfc2111.txt).
>>>
>>> Think of "cid" and "mid:" as being the URL way to point to an object
>>> contained within the same MIME-encoded message.
>>>
>>> I'd offer an example, but I refuse on principle to create a MIME-
>>> encoded message.
>>>
>>> It tells the HTML-interpreter (which the would-be mark is using to
>>> read his mail...not that any of us would ever do that...) where to
>>> find the object it needs to correctly render the HTML page.
>>>
>>> I presume that if said HTML-interpreter also has a tendency to
>>> execute objects it believes to be executable, such a construct could
>>> be used to cause the execution of code within the local context.
>>>
>>> Any better? I swear it's all English...
>>>
>>> -----Original Message-----
>>> From: Turnpike Man <turnpike420 at yahoo.com>
>>>
>>>> Even after reading, can someone put that in english? thanks!
>>>> David M.
>>>
>> --
>> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
>> TriLUG Organizational FAQ : http://trilug.org/faq/
>> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
>> TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
URL: <http://www.trilug.org/pipermail/trilug/attachments/20040603/03ae2042/attachment.pgp>
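
The quoted thread above asks how to see where an HTML mail's links and cid: references point without clicking them. As an added example (not part of the original post or of any poster's code), this Python function reads a saved message with the standard library's email package, maps each cid: reference to the MIME part it names, and lists the external URLs; the sample message and every name in it are constructed.

```python
import email
import re
from email import policy

# Constructed sample (not from the thread): an HTML part that pulls in one
# inline MIME part through cid: and two remote objects through http:.
SAMPLE = b"""\
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="XX"

--XX
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="cid:part1.abc123@example.com">
<img src="http://tracker.example.net/open.gif?id=42">
<a href="http://example.net/offer">click</a>
</body></html>
--XX
Content-Type: application/octet-stream; name="logo.gif.exe"
Content-ID: <part1.abc123@example.com>
Content-Transfer-Encoding: base64

aGVsbG8=
--XX--
"""

# src= / href= values, quoted or bare.
REF = re.compile(r"""(?:src|href)\s*=\s*["']?([^"'\s>]+)""", re.I)

def audit(raw):
    """Map cid: references to MIME parts and list external URLs, unrendered."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    by_cid = {}  # Content-ID (angle brackets stripped) -> (type, filename)
    for part in msg.walk():
        cid = part.get("Content-ID")
        if cid:
            by_cid[str(cid).strip("<> ")] = (part.get_content_type(), part.get_filename())
    cid_map, external = {}, []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        for ref in REF.findall(part.get_content()):
            if ref.lower().startswith("cid:"):
                cid_map[ref[4:]] = by_cid.get(ref[4:])  # None: dangling reference
            elif ref.lower().startswith(("http:", "https:", "ftp:")):
                external.append(ref)
    return cid_map, external
```

In the constructed sample the image tag's cid: target resolves to an application/octet-stream part named logo.gif.exe, a mismatch between how the HTML uses the object and what the part actually is.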