Re: Possible Attack?
In the last episode (Jun 21), Troy G. said:
> I was going through a few servers tonight and came across this in
> /var/log/messages. This particular server functions mainly as our
> primary webserver. It's running FreeBSD 4.8-RELEASE. I decided to
> take a closer look to see what was generating these entries by
> loading up trafshow. I noticed quite a bit of icmp requests coming
> in. I created an access-list on the cisco and filtered icmp to this
> host and the messages kept logging. It's obvious I didn't see any
> icmp anymore on the server but is this system under a heavy load? I
> don't see the load being that high according to top. Any suggestions?
>
> Jun 21 21:50:55 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second
> Jun 21 21:51:23 mx1 /kernel: Limiting closed port RST response from 222 to 200 packets per second
> Jun 21 21:53:02 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second

These don't have anything to do with incoming ICMP packets. They are
notices that something is trying to access ports that nothing is
listening on, and the kernel is rate-limiting the number of "ICMP port
unreachable" messages it's sending.

You don't want to filter ICMP, since that will break PMTUD
( http://pmtud.rfc822.org ) and annoys people trying to traceroute to
your webserver.

If you don't currently have any other ACLs at your router, you're most
likely seeing the usual background internet traffic (portscans from
compromised machines mainly). It's best to block all incoming TCP or
UDP traffic except for the ones you want people to see (80/tcp if it's
just a webserver). Depending on what version of IOS you're running,
you may have the IOS Firewall feature set, which is easy to configure
from the web interface.

--
Dan Nelson
[EMAIL PROTECTED]
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: Possible Attack?
> Jun 21 21:50:55 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second
> Jun 21 21:51:23 mx1 /kernel: Limiting closed port RST response from 222 to 200 packets per second
> Jun 21 21:53:02 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second

That is a guy scanning your machine a bit too fast, or an attempted DoS.
If the problem persists, run tcpdump on that machine to try to locate
the source.

An attempted connection to a nonexistent service should return such an
RST packet. From host amanda I tried to connect to TCP 27 on the host
sysl; on the host sysl I can see:

sysl44: tcpdump host amanda
tcpdump: listening on fxp0
10:27:39.891050 amanda.xx.yy.net.1758 > sysl.xx.yy.net.nsw-fe: S 3520569314:3520569314(0) win 57344 (DF) [tos 0x10]
10:27:39.891122 sysl.xx.yy.net.nsw-fe > amanda.xx.yy.net.1758: R 0:0(0) ack 3520569315 win 0

The second packet is the RST.

Olivier
Possible Attack?
Hi all,

I was going through a few servers tonight and came across this in
/var/log/messages. This particular server functions mainly as our
primary webserver. It's running FreeBSD 4.8-RELEASE. I decided to
take a closer look to see what was generating these entries by
loading up trafshow. I noticed quite a bit of icmp requests coming
in. I created an access-list on the cisco and filtered icmp to this
host and the messages kept logging. It's obvious I didn't see any
icmp anymore on the server but is this system under a heavy load? I
don't see the load being that high according to top. Any suggestions?

Jun 21 21:50:55 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second
Jun 21 21:51:23 mx1 /kernel: Limiting closed port RST response from 222 to 200 packets per second
Jun 21 21:53:02 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second

TIA,
Troy
Re: Possible attack?
Alex wrote:
> Dear/Beste Bill,
>
> Friday, January 17, 2003, 4:01:43 PM, you wrote:
> > I've seen the "anonymous FTP denied" off and on. I think that
> > some folks just randomly attempt to connect to any FTP server
> > they find in the hopes that there's cool stuff there.
>
> Or in the hopes that they can place some cool stuff there.

Hmmm... Why not open up one's FTP for anonymous access, without any
contents on it, then just sit and wait... Then, when there is some cool
stuff uploaded, one closes the anonymous access and the uploader who
tried to take advantage of you is screwed while you have got all the
free (probably illegal though) stuff. :-)

Have a nice weekend all!

Best regards,
Paul

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message
Re[2]: Possible attack?
Dear/Beste Bill,

Friday, January 17, 2003, 4:01:43 PM, you wrote:
> I've seen the "anonymous FTP denied" off and on. I think that some folks
> just randomly attempt to connect to any FTP server they find in the
> hopes that there's cool stuff there.

Or in the hopes that they can place some cool stuff there.

--
Best regards/Met vriendelijke groet,
Alex
Re: Possible attack?
On Friday, 17 January 2003 at 10:01:43 -0500, Bill Moran wrote:
> Jim Freeze wrote:
> > Hi:
> >
> > I got an interesting log report today.
> > Has anyone seen such messages lately?
> >
> > Jan 15 12:15:21 rabbit sm-mta[3937]: h0FHFIJI003936: Truncated MIME
> > Content-Disposition header due to field size (length = 25) (possible attack)
> > Jan 15 17:33:04 rabbit ftpd[4435]: ANONYMOUS FTP LOGIN REFUSED FROM
> > pD9E60C0F.dip.t-dialin.net
> > Jan 15 23:59:48 rabbit sm-mta[5210]: h0G4xkJI005209: Truncated MIME
> > Content-Disposition header due to field size (length = 22) (possible attack)
>
> I've seen the "anonymous FTP denied" off and on. I think that some folks
> just randomly attempt to connect to any FTP server they find in the
> hopes that there's cool stuff there.
> The sm-mta Truncated MIME stuff isn't familiar to me, and it doesn't
> actually seem related (compare the times). Could be someone with a
> broken mailer? or some sort of bogus MIME header that facilitates
> the propagation of some worm?
> It's probably a cheesy attempt at an "attack". But it's not blatant
> enough to do much more than note it in case something more serious
> goes wrong. If you don't have any clients that should be connecting
> from Deutsche TeleKom, you can just firewall off that whole subnet.

Thanks all for the replies. I accept the fact that I am going to get
the FTP login attempts, I just had never seen the "(possible attack)"
in my logs. I'm not sure I have anything worth the effort to attempt a
break-in. :)

--
Jim Freeze
--
Anyone who goes to a psychiatrist ought to have his head examined.
-- Samuel Goldwyn
Re: Possible attack?
Jim Freeze wrote:
> Hi:
>
> I got an interesting log report today.
> Has anyone seen such messages lately?
>
> Jan 14 12:59:52 rabbit /kernel: ipfw: limit 100 reached on entry 64000
> Jan 14 17:39:13 rabbit ftpd[1502]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
> Jan 14 17:39:13 rabbit ftpd[1503]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
> Jan 15 12:15:21 rabbit sm-mta[3937]: h0FHFIJI003936: Truncated MIME Content-Disposition header due to field size (length = 25) (possible attack)
> Jan 15 17:33:03 rabbit ftpd[4434]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
> Jan 15 17:33:04 rabbit ftpd[4435]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
> Jan 15 23:59:48 rabbit sm-mta[5210]: h0G4xkJI005209: Truncated MIME Content-Disposition header due to field size (length = 22) (possible attack)

I've seen the "anonymous FTP denied" off and on. I think that some folks
just randomly attempt to connect to any FTP server they find in the
hopes that there's cool stuff there.

The sm-mta Truncated MIME stuff isn't familiar to me, and it doesn't
actually seem related (compare the times). Could be someone with a
broken mailer? or some sort of bogus MIME header that facilitates
the propagation of some worm?

It's probably a cheesy attempt at an "attack". But it's not blatant
enough to do much more than note it in case something more serious
goes wrong. If you don't have any clients that should be connecting
from Deutsche TeleKom, you can just firewall off that whole subnet.

--
Bill Moran
Potential Technologies
http://www.potentialtech.com
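Both threads boil down to the same question: which of these /var/log/messages lines are background noise and which deserve a second look. As an added example (not from either thread's authors), the Python script below parses the kernel "Limiting closed port RST response" notices from the first thread and the ftpd, sm-mta and ipfw lines from this one, then summarises them the way a defender would want: suppressed RSTs per second (the log's "from N to 200" is the offered rate against the kernel limit, so N minus 200 were dropped), refused anonymous logins per remote host, and a count of sendmail's "(possible attack)" truncations. The sample lines are the ones quoted on this page; the repeat-offender threshold of two refusals is an assumption.

```python
import re
from collections import Counter

# Constructed sample: the /var/log/messages lines quoted in the two threads above.
SAMPLE_LOG = """\
Jun 21 21:50:55 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second
Jun 21 21:51:23 mx1 /kernel: Limiting closed port RST response from 222 to 200 packets per second
Jun 21 21:53:02 mx1 /kernel: Limiting closed port RST response from 230 to 200 packets per second
Jan 14 12:59:52 rabbit /kernel: ipfw: limit 100 reached on entry 64000
Jan 14 17:39:13 rabbit ftpd[1502]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
Jan 14 17:39:13 rabbit ftpd[1503]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
Jan 15 12:15:21 rabbit sm-mta[3937]: h0FHFIJI003936: Truncated MIME Content-Disposition header due to field size (length = 25) (possible attack)
Jan 15 17:33:03 rabbit ftpd[4434]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
Jan 15 17:33:04 rabbit ftpd[4435]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
Jan 15 23:59:48 rabbit sm-mta[5210]: h0G4xkJI005209: Truncated MIME Content-Disposition header due to field size (length = 22) (possible attack)
"""

# syslog prefix "Mon DD HH:MM:SS host prog[pid]: message"; the [pid] part is optional
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) ([^\[: ]+)(?:\[\d+\])?: (.*)$")
RST_RE = re.compile(r"Limiting closed port RST response from (\d+) to (\d+) packets per second")
FTP_RE = re.compile(r"ANONYMOUS FTP LOGIN REFUSED FROM (\S+)")
MIME_RE = re.compile(r"Truncated MIME .*\(possible attack\)")
IPFW_RE = re.compile(r"ipfw: limit (\d+) reached on entry (\d+)")

def triage(text):
    """Bucket the lines by what they mean for a defender:
    rst_limit   -> (timestamp, RSTs/second the kernel suppressed: offered minus limit)
    ftp_refused -> refused anonymous logins per remote host
    mime_attack -> count of sendmail "(possible attack)" header truncations
    ipfw_limit  -> (timestamp, rule number) where an ipfw limit rule tripped"""
    out = {"rst_limit": [], "ftp_refused": Counter(), "mime_attack": 0,
           "ipfw_limit": [], "unparsed": 0}
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            out["unparsed"] += 1   # anything we cannot classify is worth a manual look
            continue
        ts, _host, _prog, msg = m.groups()
        if r := RST_RE.search(msg):
            out["rst_limit"].append((ts, int(r.group(1)) - int(r.group(2))))
        elif f := FTP_RE.search(msg):
            out["ftp_refused"][f.group(1)] += 1
        elif MIME_RE.search(msg):
            out["mime_attack"] += 1
        elif i := IPFW_RE.search(msg):
            out["ipfw_limit"].append((ts, int(i.group(2))))
    return out

def repeat_offenders(summary, min_hits=2):
    """Remote hosts with at least min_hits refused logins (threshold is an assumption)."""
    return sorted(h for h, n in summary["ftp_refused"].items() if n >= min_hits)
```

Pointing `triage()` at a real log shows whether the RST notices cluster (a fast scan) or trickle in all day (background noise), and `repeat_offenders()` lists the hosts a firewall rule would need to cover.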
Re: Possible attack?
Hi.

On Fri, 17 Jan 2003 15:42:10 + (GMT) [EMAIL PROTECTED] (P. U. Kruppa) wrote:
> > Jan 14 12:59:52 rabbit /kernel: ipfw: limit 100 reached on entry 64000
> > Jan 14 17:39:13 rabbit ftpd[1502]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
> > Jan 14 17:39:13 rabbit ftpd[1503]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
> > Jan 15 12:15:21 rabbit sm-mta[3937]: h0FHFIJI003936: Truncated MIME Content-Disposition header due to field size (length = 25) (possible attack)
> > Jan 15 17:33:03 rabbit ftpd[4434]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
> > Jan 15 17:33:04 rabbit ftpd[4435]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
> > Jan 15 23:59:48 rabbit sm-mta[5210]: h0G4xkJI005209: Truncated MIME Content-Disposition header due to field size (length = 22) (possible attack)

Well, it was some guy from the Deutsche Telekom network. This guy just
wanted to use your FTP (anonymous). That's all. I don't think it was
an attack, or that it was a hacker..
RE: Possible attack?
Just somebody knocking at your front door. What this means is you have
ports 20 & 21 open and you were port scanned. You have to add some rules
to your firewall.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Jim Freeze
Sent: Friday, January 17, 2003 9:35 AM
To: FreeBSD Questions
Subject: Possible attack?

Hi:

I got an interesting log report today.
Has anyone seen such messages lately?

Jan 14 12:59:52 rabbit /kernel: ipfw: limit 100 reached on entry 64000
Jan 14 17:39:13 rabbit ftpd[1502]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
Jan 14 17:39:13 rabbit ftpd[1503]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
Jan 15 12:15:21 rabbit sm-mta[3937]: h0FHFIJI003936: Truncated MIME Content-Disposition header due to field size (length = 25) (possible attack)
Jan 15 17:33:03 rabbit ftpd[4434]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
Jan 15 17:33:04 rabbit ftpd[4435]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
Jan 15 23:59:48 rabbit sm-mta[5210]: h0G4xkJI005209: Truncated MIME Content-Disposition header due to field size (length = 22) (possible attack)

--
Jim Freeze
--
"It's not Camelot, but it's not Cleveland, either."
-- Kevin White, mayor of Boston
Re: Possible attack?
On Fri, 17 Jan 2003, Jim Freeze wrote:
> Hi:
>
> I got an interesting log report today.
> Has anyone seen such messages lately?
>
> Jan 14 12:59:52 rabbit /kernel: ipfw: limit 100 reached on entry 64000
> Jan 14 17:39:13 rabbit ftpd[1502]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
> Jan 14 17:39:13 rabbit ftpd[1503]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
> Jan 15 12:15:21 rabbit sm-mta[3937]: h0FHFIJI003936: Truncated MIME Content-Disposition header due to field size (length = 25) (possible attack)
> Jan 15 17:33:03 rabbit ftpd[4434]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
> Jan 15 17:33:04 rabbit ftpd[4435]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
> Jan 15 23:59:48 rabbit sm-mta[5210]: h0G4xkJI005209: Truncated MIME Content-Disposition header due to field size (length = 22) (possible attack)

Now, I don't know if this is something serious, but I can tell you the
"attacker" is a client of the German Telekom. Since you know the exact
date and time of these events and Telekom has its own logs, he can be
identified, if something serious happens.

Uli.

>
> --
> Jim Freeze
> --
> "It's not Camelot, but it's not Cleveland, either."
> -- Kevin White, mayor of Boston

*---*
*Peter Ulrich Kruppa*
* - Wuppertal - *
* Germany *
*---*
Possible attack?
Hi:

I got an interesting log report today.
Has anyone seen such messages lately?

Jan 14 12:59:52 rabbit /kernel: ipfw: limit 100 reached on entry 64000
Jan 14 17:39:13 rabbit ftpd[1502]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
Jan 14 17:39:13 rabbit ftpd[1503]: ANONYMOUS FTP LOGIN REFUSED FROM p5089A961.dip.t-dialin.net
Jan 15 12:15:21 rabbit sm-mta[3937]: h0FHFIJI003936: Truncated MIME Content-Disposition header due to field size (length = 25) (possible attack)
Jan 15 17:33:03 rabbit ftpd[4434]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
Jan 15 17:33:04 rabbit ftpd[4435]: ANONYMOUS FTP LOGIN REFUSED FROM pD9E60C0F.dip.t-dialin.net
Jan 15 23:59:48 rabbit sm-mta[5210]: h0G4xkJI005209: Truncated MIME Content-Disposition header due to field size (length = 22) (possible attack)

--
Jim Freeze
--
"It's not Camelot, but it's not Cleveland, either."
-- Kevin White, mayor of Boston