On Sun, Jun 24, 2001 at 07:43:21PM -0500, Craig Woods wrote:
> Chris Spackman wrote:
> > 
> > Hi,
> > 
> > Every day I get something like this in my logs (and right on the terminal as
> > well). I think it is someone trying to connect, but then shouldn't
> > portsentry catch it and block it?

[snip]

> 
> Chris,
> To be concerned about a possible system intrusion is ALWAYS wise. And,
> if you happen to have a broadband connection, you can never be too
> cautious. What log is this message showing up in? Have you looked at
> auth.log, syslog, and secure files? Using the IP addr in your message,
> SRC=193.204.135.164, nslookup gives the machine name as
> "intrigila.dm.univaq.it". Do you know it, have you been to some site
> similar in name? Can you check for open ports, doing a port scan from an
> outside machine? Try doing a tcpdump. Can you check for any bot activity
> on your box? A Sub7Server Trojan zombie/bot usually needs port 6667 to
> be established. Try a "netstat -an | grep 6667". If you have it open, get
> offline immediately, and close it down. Firewalls can be anywhere from
> real good to real bad. You should run an IDS in conjunction with your
> firewalls, such as snort.
> 
> If you need or want more info, just let me know. I would be happy to
> help you with a good IDS installation.
> 
> Craig Woods
> 
> PS Chris, please post this msg to the Mandrake expert list, and you can
> take it offline, if you need some help from me.

(I hope this is what you meant by post it to the list)

Thanks a lot for the info. netstat does not show anything on port 6667.

The messages are logged to /var/log/messages and are also written to the
terminal. 

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:50795           0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:631             0.0.0.0:*               LISTEN      
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      
tcp        0      0 (my ip address):50799   210.130.xxx.xxx:110     TIME_WAIT   
udp        0      0 (my ip address):33059   205.188.xxx.xxx:4000    ESTABLISHED 
udp        0      0 0.0.0.0:631             0.0.0.0:*                           
raw        0      0 0.0.0.0:6               0.0.0.0:*               7           
raw        0      0 0.0.0.0:17              0.0.0.0:*               7  

The only stuff above that I don't know about are ports 50795 and 17. The
two outgoing should be icq and the mail daemon, right?

(the rest of netstat showed nothing suspicious - i.e. nothing around 6667)

nmap -sS shows only this:

Port       State       Service
25/tcp     open        smtp                    
631/tcp    open        unknown                 
6000/tcp   open        X11     


and nmap -sU shows everything closed:

The UDP or stealth FIN/NULL/XMAS scan took 3 seconds to scan 1448 ports.
All 1448 scanned ports on localhost.localdomain (127.0.0.1) are: closed
Nmap run completed -- 1 IP address (1 host up) scanned in 3 seconds

But both of those are done from this machine. If they replaced the nmap
binary, they also fooled the daily security check, as well as the rpm
database (which reports no change in files for package nmap).

Anyhow, is it possible that the auditing message is a kernel warning
activated by iptables (is that the packet filtering name now?) and these
are just random scans? But then why wouldn't portsentry catch them?

Aside from trojans, is there any way I could be cracked when I am not running
any services? The sendmail-type program is one possibility, but other than
that, how would someone crack a box that is not accepting connections?
(aside from malicious local users).

Thanks for your time.

-- 
Chris and Yoshiko Spackman

www.openhistory.org
[EMAIL PROTECTED]  (English)
[EMAIL PROTECTED]   (Japanese)
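One way to answer the "are these just random scans?" question from the iptables LOG lines themselves, as an added example that is not code from anyone in this thread: it pulls the kernel SRC=/DPT= fields out of /var/log/messages and groups the hits per source address. The sample log lines and the 203.0.113.7 address are constructed for the example; the listener set is taken from the netstat and nmap output above.

```python
import re
from collections import defaultdict

# Constructed sample in the iptables LOG target format as written to /var/log/messages.
# The first SRC is the address quoted in the thread; every other value is made up.
SAMPLE_LOG = """\
Jun 24 19:40:01 box kernel: IN=ppp0 OUT= SRC=193.204.135.164 DST=10.0.0.2 LEN=40 TTL=48 ID=1 PROTO=TCP SPT=4001 DPT=111 SYN
Jun 24 19:40:02 box kernel: IN=ppp0 OUT= SRC=193.204.135.164 DST=10.0.0.2 LEN=40 TTL=48 ID=2 PROTO=TCP SPT=4002 DPT=21 SYN
Jun 24 19:40:03 box kernel: IN=ppp0 OUT= SRC=193.204.135.164 DST=10.0.0.2 LEN=40 TTL=48 ID=3 PROTO=TCP SPT=4003 DPT=6667 SYN
Jun 24 19:40:04 box kernel: IN=ppp0 OUT= SRC=193.204.135.164 DST=10.0.0.2 LEN=40 TTL=48 ID=4 PROTO=TCP SPT=4004 DPT=515 SYN
Jun 24 19:41:10 box kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=10.0.0.2 LEN=48 TTL=52 ID=5 PROTO=TCP SPT=33000 DPT=25 SYN
Jun 24 19:41:11 box kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=10.0.0.2 LEN=48 TTL=52 ID=6 PROTO=TCP SPT=33001 DPT=25 SYN
Jun 24 19:42:00 box sshd[123]: unrelated line that is not a packet log
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
LOCAL_LISTENERS = {25, 631, 6000}   # the TCP listeners shown by netstat/nmap in the thread

def parse_iptables_log(text):
    """Return one dict of KEY=value fields per kernel packet-log line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        if "kernel:" not in line or "SRC=" not in line:
            continue
        fields = dict(FIELD_RE.findall(line.split("kernel:", 1)[1]))
        events.append(fields)
    return events

def summarize(events, scan_threshold=3):
    """Per source: distinct destination ports, which of them are real listeners, and a verdict."""
    ports = defaultdict(set)
    for ev in events:
        if "DPT" in ev:
            ports[ev["SRC"]].add(int(ev["DPT"]))
    report = {}
    for src, dports in ports.items():
        hits = sorted(p for p in dports if p in LOCAL_LISTENERS)
        if len(dports) >= scan_threshold:
            verdict = "probable port scan"          # many distinct ports from one source
        elif hits:
            verdict = "probes to a listening service"  # worth checking that daemon's own log
        else:
            verdict = "stray probe to closed port"    # dropped by the filter, nothing to answer
        report[src] = {"ports": sorted(dports), "listening_hits": hits, "verdict": verdict}
    return report

if __name__ == "__main__":
    for src, info in summarize(parse_iptables_log(SAMPLE_LOG)).items():
        print(src, info)
```

A source that only ever hits closed ports is what portsentry would not see when iptables drops the packet first, since portsentry needs the connection attempt to reach a socket it is listening on.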
