Hi,
I've been looking at my log files for a few days, and I've found several attempts to connect to port 1178. So I wrote a small perl script to scan all my log files (/var/log/messages*) for this kind of event.
The log entries it looks for are the ones generated by ipchains when used with the -l flag.
This is the output for my log files (sorry for the long lines):
Source                                               | Destination
IP Addr         Name                           Port  | IP Addr         Name                           Port
--------------- ------------------------------ ----- | --------------- ------------------------------ -----
209.1.225.5     ck1.vip.sce.yahoo.com          80    | 200.51.209.143  ADSL209-143.advancedsl.com.ar  1178
207.88.120.11   207.88.120.11                  443   | 200.51.232.134  ADSL232-134.advancedsl.com.ar  1178
208.48.218.9    www.egroups.com                80    | 200.51.233.151  ADSL210-151.advancedsl.com.ar  1178
200.51.233.151  ADSL210-151.advancedsl.com.ar  80    | 200.51.233.151  ADSL210-151.advancedsl.com.ar  1178
66.79.10.198    web2.directnic.com             80    | 200.51.233.151  ADSL210-151.advancedsl.com.ar  1178
63.209.152.195  63.209.152.195                 80    | 200.51.233.151  ADSL210-151.advancedsl.com.ar  1178
205.158.130.50  205.158.130.50                 80    | 200.51.211.127  ADSL211-127.advancedsl.com.ar  1178
64.21.143.17    64.21.143.17                   25    | 200.51.210.2    ADSL210-2.advancedsl.com.ar    1178
If anyone is interested in the script, it's available for download here:
http://www.shadowsun.com.ar/~fvoges/scan_log/scan_log.pl
Please have a look at the 4th line: the connection appears to be from MY server to MY server (!?).
Obviously, I did check for an intrusion, but haven't found any signs of it (can it be source address spoofing??).
Bye.
Federico Voges
PGP Public Key Fingerprint: A536 4595 EB6F D197 FBC1 5C3A 145C 2516
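An added example, not Federico's scan_log.pl: a Python parser for the "Packet log:" lines ipchains writes for rules carrying -l, run over constructed sample lines that mirror the table above. It pulls out the fields the table shows, filters the hits on a given destination port, and flags lines whose source address equals the destination address (the case in the 4th row), which is worth reviewing as possible spoofing rather than accepting as a real connection. The line layout, the syslog prefix and the addresses are assumptions modelled on the ipchains 2.2 log format, not captured data.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the layout ipchains uses for a rule with
# the -l flag: syslog prefix, then "Packet log: <chain> <target> <iface>
# PROTO=<n> <src>:<sport> <dst>:<dport> ...". Addresses mirror the post above;
# nothing here is real captured data.
SAMPLE_LOG = """\
Mar  3 10:12:01 gw kernel: Packet log: input DENY ppp0 PROTO=6 209.1.225.5:80 200.51.209.143:1178 L=40 S=0x00 I=21412 F=0x0000 T=50 (#3)
Mar  3 10:13:44 gw kernel: Packet log: input DENY ppp0 PROTO=6 207.88.120.11:443 200.51.232.134:1178 L=40 S=0x00 I=1144 F=0x0000 T=52 (#3)
Mar  3 10:15:09 gw kernel: Packet log: input DENY ppp0 PROTO=6 200.51.233.151:80 200.51.233.151:1178 L=40 S=0x00 I=9 F=0x0000 T=64 (#3)
Mar  3 10:16:30 gw kernel: Packet log: input DENY ppp0 PROTO=17 64.21.143.17:53 200.51.210.2:1025 L=60 S=0x00 I=7 F=0x0000 T=60 (#4)
Mar  3 10:17:00 gw kernel: Packet log: output ACCEPT eth0 PROTO=6 200.51.210.2:1234 64.21.143.17:25 L=40 S=0x00 I=5 F=0x0000 T=64 (#1)
"""

# Only the leading fields are needed; L=, S=, I=, F=, T= are left unparsed.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_ipchains_log(text):
    """Return one dict per 'Packet log' line; unrelated syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for key in ("proto", "sport", "dport"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def hits_on_port(records, dport, proto=6):
    """Packets aimed at one destination port (TCP by default, PROTO=6)."""
    return [r for r in records if r["dport"] == dport and r["proto"] == proto]


def self_addressed(records):
    """Lines where src == dst: a packet claiming to come from its own target."""
    return [r for r in records if r["src"] == r["dst"]]


def source_counts(records):
    """How often each source address appears, to spot repeated probing."""
    return Counter(r["src"] for r in records)
```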
_______________________________________________
http://linux.nf -- [EMAIL PROTECTED]
Archives, Subscribe, Unsubscribe, Digest, Etc
->http://linux.nf/mailman/listinfo/linux-users