> -----Original Message-----
> From: Larry Grover [SMTP:[EMAIL PROTECTED]]
> Sent: Thursday, October 05, 2000 1:50 PM
> To:   [EMAIL PROTECTED]
> Subject:      RE: log entries:  innocent or crack attempt?
> 
> Thanks for the response.  Your analysis confirms my suspicions.
> 
> I do have PortSentry installed, and it has flagged other attempts in the
> past, but not this one.
> 
> Since this attempt, I've been specifically blocking 203.21.16.18 on the
> firewall, and on the internal server.
> 
> I'm also logging all connections and attempted connections, but I haven't
> seen anything suspicious since.
> 
> I ran "rpm -Va" on the server, and everything checked out OK.
> 
> Anything else I should do to verify the integrity of my systems?
        [Burke, Thomas G.]  Install & run tripwire...  It'll protect you in
the future. 
> Do you think the machine at 203.21.16.18 has been cracked and is being
> used to attempt attacks on others?  Should I contact the admin of that
> machine?
        [Burke, Thomas G.]  yes, and yes... 
> __
> Larry Grover, PhD
> Assoc Prof of Physiology
> Marshall Univ Sch of Med
> 
> 
> 
> On Tue, 03 Oct 2000 16:24:00 -0400, "Burke, Thomas G."
> <[EMAIL PROTECTED]> wrote:
> >
> > Looks to me like something similar to the following happened:
> >
> > 1) (L)user on 203.21.16.18 connected (http) to your web server at 15:00
> > (so far not too worrisome)
> >
> > 2) L(user) on 203.21.16.18 tries to ssh into your machine - WARNING!  He
> > has no business doing this, you are being probed!
> >
> > 3) Authentication times out on ssh login - WARNING!  He probably tried
> > the old openssh exploit (which has been plugged) and failed (or, a script is
> > trying to make connections to see if there is a machine there).  YOU ARE
> > UNDER ATTACK!
> >
> > 4) (L)user has several http sessions open to your machine...  He may not
> > realize that he is being forwarded to another machine, or perhaps he
> > thinks something funny is going on & is trying to figure it out...
> >
> > 5) at 15:12:25, (l)user tries to ftp into your machine...  Connection
> > times out...  He may (or may not) have tried the wu-ftpd overflow exploit
> > (fixed with the most recent update)...  I imagine he is trying to figure out
> > what is going on with your network, etc...
> >
> > Do you have PortSentry installed?
> >
> > I don't think he got into your machine, but I'd definitely say you're
> > getting probed (at the least)
> >
> >
> >
> >> -----Original Message-----
> >> From:      Larry Grover [SMTP:[EMAIL PROTECTED]]
> >> Sent:      Tuesday, October 03, 2000 11:58 AM
> >> To:        [EMAIL PROTECTED]
> >> Subject:   log entries:  innocent or crack attempt?
> >> 
> >> This morning I found several entries in my logs which look suspicious
> >> to me.  Can anyone enlighten me?
> >> 
> >> Background.  I have three networked machines:
> >> 
> >> (1) The first acts as a firewall, does ip-masqing for machines (2) and
> >> (3) and port forwarding (ports 21, 80) for machine (2).
> >> 
> >> (2) The second runs apache and wu-ftp, and handles connections made
> >> through the firewall on ports 21 and 80.
> >> 
> >> (3) The third runs win95.
> >> 
> >> Machines (1) and (2) run RH6.2, and have all package updates installed.
> >> OpenSSH also runs on both (1) and (2).
> >> 
> >> Here are the log entries that look funny to me:
> >> 
> >> (1) On the Firewall machine (a.b.c.d):
> >> 
> >> Oct  3 00:48:12 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> >> 203.21.16.18:80 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
> >> Oct  3 00:48:13 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> >> 203.21.16.18:2217 a.b.c.d:80 L=60 S=0x00 I=978 F=0x4000 T=45 SYN (#32) 
> >> Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> >> 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=993 F=0x4000 T=45 (#32) 
> >> Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> >> 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=994 F=0x4000 T=45 (#32) 
> >> Oct  3 00:48:14 a.b.c.d sshd[10731]: Connection from 203.21.16.18 port
> >> 2225
> >> Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> >> 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=1004 F=0x4000 T=45 (#32) 
> >> Oct  3 00:58:14 a.b.c.d sshd[10731]: fatal: Timeout before authentication
> >> for 203.21.16.18.
> >> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> >> 203.21.16.18:1 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
> >> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> >> 203.21.16.18:2 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
> >> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> >> 203.21.16.18:3 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
> >> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> >> 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 SYN (#32) 
> >> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> >> 203.21.16.18:5 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
> >> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> >> 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=16004 F=0x0000 T=236 (#32) 
> >> 
> >> (2) On the FTP/HTTP server (shoeless):
> >> 
> >> Oct  2 15:12:25 shoeless in.ftpd[9647]: connect from 203.21.16.18
> >> Oct  2 15:25:33 shoeless ftpd[9647]: lost connection to
> >> mail.travelmate.com.au [203.21.16.18]
> >> Oct  2 15:25:33 shoeless ftpd[9647]: FTP session closed
> >> Oct  2 15:25:34 shoeless inetd[420]: pid 9647: exit status 255
> >> 
> >> Note:  the clock on shoeless is broken, and gives incorrect time.
> >> 
> >> 
> >> The machine attempting to connect (203.21.16.18) resolves to
> >> mail.travelmate.com.au -- a mail server??  So why would a mail server
> >> be attempting to connect to my machine?  Why are the connection attempts
> >> coming from low ports (1-5)?  Why attempt a ssh connection?
> >> 
> >> I'd really appreciate your comments and suggestions.
> 
> 
> 
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
