[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-security] hacked again!



The log bits you are quoting don't seem suspicious to me. For example:

AXFRs are sent and approved when the server is rebooted, and master zones are loaded then as well.
The telnetd error looks like the RaQ's monitor testing to see if it's alive, and the proftpd error as well.
The lame server error can be quite generic these days; I found I was getting a long list of lame servers every time I ran webalizer, because the data in the logs was old and was no longer resolving properly.

logcheck is nice, but you need to customize the rules a bit for the RaQ or you'll get a shock when you run it.

Regards

David

On 04 May 2001 23:15 CEST you wrote:

> I paste some scattered parts of the logs at the end of the mail, hoping that it
> can help some of you who are not newbies like me to be better off in the
> protection of your servers.
> 
> Signoff
> 
> Kai R Sch...
> 
> 
> LOGS:
> 
> R=9 RLame=12 ROpts=0 SSysQ=489 SAns=1958 SFwdQ=283 SDupQ=56 SErr=0 RQ=2129 RIQ=0 RFwdQ=283 RDupQ=2 RTCP=116 SFwdR=312 SFail=0 SFErr=0 SNaAns=751 SNXD=43 RUQ=0 RURQ=0 RUXFR=1 RUUpd=0
> May  1 01:09:23 www named[722]: approved AXFR from [204.71.145.78].3961 for "mercator.no"
> May  1 01:09:23 www named[722]: zone transfer (AXFR) of "mercator.no" (IN) to [204.71.145.78].3961
> May  1 01:09:52 www named[722]: approved AXFR from [204.71.145.78].4043 for "algen.no"
> May  1 01:09:52 www named[722]: zone transfer (AXFR) of "algen.no" (IN) to [204.71.145.78].4043
> May  1 01:15:01 www proftpd[19690]: www.euroraq.net (localhost[127.0.0.1]) - FTP session closed.
> May  1 01:15:04 www telnetd[19694]: ttloop: read: Connection reset by peer
> May  1 01:15:04 www inetd[688]: pid 19694: exit status 1
> May  1 01:30:02 www proftpd[20295]: www.euroraq.net (localhost[127.0.0.1]) - FTP session closed.
> May  1 01:30:05 www telnetd[20299]: ttloop: read: Connection reset by peer
> May  1 01:30:05 www inetd[688]: pid 20299: exit status 1
> May  1 01:44:13 www named[722]: approved AXFR from [212.67.192.185].1457 for "sgn.no"
> May  1 01:44:13 www named[722]: zone transfer (AXFR) of "sgn.no" (IN) to [212.67.192.185].1457
> ------------------------------------------- cut
> 
> May  1 01:09:23 www named[722]: approved AXFR from [204.71.145.78].3961 for "mercator.no"
> May  1 01:09:23 www named[722]: zone transfer (AXFR) of "mercator.no" (IN) to [204.71.145.78].3961
> May  1 01:09:52 www named[722]: approved AXFR from [204.71.145.78].4043 for "algen.no"
> May  1 01:09:52 www named[722]: zone transfer (AXFR) of "algen.no" (IN) to [204.71.145.78].4043
> May  1 01:15:01 www proftpd[19690]: www.euroraq.net (localhost[127.0.0.1]) - FTP session closed.
> May  1 01:15:04 www telnetd[19694]: ttloop: read: Connection reset by peer
> May  1 01:15:04 www inetd[688]: pid 19694: exit status 1
> ----------------------------------------------cut
> 
> Apr 30 18:13:08 www named[721]: master zone "hodet.no" (IN) loaded (serial 2001041717)
> Apr 30 18:13:08 www named[721]: master zone "nocturnal.no" (IN) loaded (serial 2001040221)
> Apr 30 18:13:08 www named[721]: master zone "manuellmedisin.no" (IN) loaded (serial 2001031516)
> Apr 30 18:13:08 www named[721]: master zone "ryggskole.no" (IN) loaded (serial 2001031516)
> Apr 30 18:13:08 www named[721]: master zone "astonnaviteam.no" (IN) loaded (serial 2001030305)
> Apr 30 18:13:08 www named[721]: master zone "vikedalselva.no" (IN) loaded (serial 2001030502)
> --------------------------------------------------cut
> 
> Apr 30 03:30:05 www inetd[24472]: pid 24400: exit status 1
> Apr 30 03:45:02 www proftpd[24985]: www.euroraq.net (localhost[127.0.0.1]) - FTP session closed.
> Apr 30 03:45:05 www telnetd[24989]: ttloop: read: Connection reset by peer
> Apr 30 03:45:05 www inetd[24472]: pid 24989: exit status 1
> Apr 30 03:46:30 www named[738]: Cleaned cache of 22 RRsets
> Apr 30 03:46:30 www named[738]: USAGE 988595190 985674424 CPU=211.87u/139.74s CHILDCPU=1.34u/8.46s
> Apr 30 03:46:30 www named[738]: NSTATS 988595190 985674424 A=35148 NS=185 SOA=76460 PTR=190994 MX=3849 TXT=85 AAAA=34 SRV=43 AXFR=383 ANY=15235
> Apr 30 03:46:30 www named[738]: XSTATS 988595190 985674424 RR=291768 RNXD=25358 RFwdR=153844 RDupR=257 RFail=667 RFErr=0 RErr=144 RAXFR=383 RLame=13933 ROpts=0 SSysQ=104394 SAns=286419 SFwdQ=143518 SDupQ=43759 SErr=0 RQ=325442 RIQ=188 RFwdQ=143518 RDupQ=2452 RTCP=8823 SFwdR=153844 SFail=41 SFErr=0 SNaAns=89368 SNXD=46475 RUQ=0 RURQ=0 RUXFR
> -------------------- There were 100 similar records to the one below in a very short time period ------------
> 
> Apr 26 04:17:58 www named[738]: Lame server on 'bgl1dns-a.dts.in' (in 'dts.in'?): [61.0.0.9].53 'ndl1nms-a.dts.in'
> 
> -------------------- cut
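One way to turn David's reading of these logs into a first pass at the logcheck-style rule tuning he mentions, as an added example that is not part of the thread, of logcheck or of the RaQ software: a small Python triage script that ignores the patterns the reply calls benign (approved AXFRs to listed secondaries, master zones loading at named startup, lame server notices, and the localhost FTP probe followed within a few seconds by the telnetd read reset and the matching inetd exit) and surfaces everything else, including an AXFR to a host that is not on the secondary list. The allow list, the ten-second probe window and the sample lines are constructed for the example; the addresses in the sample are those from the quoted logs, and only the operator knows which of them are legitimate secondaries.

```python
import re
from datetime import datetime

# Constructed placeholder: secondaries permitted to pull zones. A real deployment
# takes this from the allow-transfer configuration, not from a guess.
ALLOWED_SECONDARIES = {"204.71.145.78"}

# Assumed probe shape, following the reply: the RaQ monitor opens an FTP session
# from localhost and telnetd logs a read reset a few seconds later.
PROBE_WINDOW_SECONDS = 10

SYSLOG = re.compile(r'^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\w+)\[(\d+)\]: (.*)$')
AXFR_APPROVED = re.compile(r'^approved AXFR from \[(?P<ip>[\d.]+)\]\.\d+ for "(?P<zone>[^"]+)"')
AXFR_DONE = re.compile(r'^zone transfer \(AXFR\) of "(?P<zone>[^"]+)" \(IN\) to \[(?P<ip>[\d.]+)\]')
ZONE_LOADED = re.compile(r'^master zone "[^"]+" \(IN\) loaded')
LAME_SERVER = re.compile(r"^Lame server on '[^']+'")
FTP_LOCAL = re.compile(r'\(localhost\[127\.0\.0\.1\]\) - FTP session closed\.$')
TTLOOP_RESET = re.compile(r'^ttloop: read: Connection reset by peer$')
INETD_EXIT = re.compile(r'^pid (\d+): exit status 1$')

# Constructed sample modeled on the excerpts quoted in the thread. The sshd line
# is constructed noise that no rule knows about, so it must surface for review.
SAMPLE_LOG = """\
May  1 01:09:23 www named[722]: approved AXFR from [204.71.145.78].3961 for "mercator.no"
May  1 01:09:23 www named[722]: zone transfer (AXFR) of "mercator.no" (IN) to [204.71.145.78].3961
May  1 01:15:01 www proftpd[19690]: www.euroraq.net (localhost[127.0.0.1]) - FTP session closed.
May  1 01:15:04 www telnetd[19694]: ttloop: read: Connection reset by peer
May  1 01:15:04 www inetd[688]: pid 19694: exit status 1
May  1 01:44:13 www named[722]: approved AXFR from [212.67.192.185].1457 for "sgn.no"
Apr 30 18:13:08 www named[721]: master zone "hodet.no" (IN) loaded (serial 2001041717)
Apr 26 04:17:58 www named[738]: Lame server on 'bgl1dns-a.dts.in' (in 'dts.in'?): [61.0.0.9].53 'ndl1nms-a.dts.in'
May  1 02:00:00 www sshd[123]: Accepted publickey for admin from 10.0.0.5 port 4321 ssh2
"""


def parse(line):
    """Split a classic syslog line into fields; None if it is not one."""
    m = SYSLOG.match(line)
    if not m:
        return None
    ts, host, prog, pid, msg = m.groups()
    # Syslog carries no year; strptime defaults to 1900, which is fine for deltas.
    return {"ts": datetime.strptime(ts, "%b %d %H:%M:%S"), "host": host,
            "prog": prog, "pid": int(pid), "msg": msg}


def triage(text, allowed=ALLOWED_SECONDARIES):
    """Return {'ignore': [...], 'review': [...]} of (program, reason) pairs."""
    out = {"ignore": [], "review": []}
    last_local_ftp = None   # timestamp of the latest localhost FTP probe
    probe_pids = set()      # telnetd pids attributed to that probe
    for event in filter(None, map(parse, text.splitlines())):
        prog, msg, ts = event["prog"], event["msg"], event["ts"]
        verdict, reason = "review", f"{prog}: no rule matched"
        if prog == "named":
            m = AXFR_APPROVED.match(msg) or AXFR_DONE.match(msg)
            if m:
                ip, zone = m.group("ip"), m.group("zone")
                if ip in allowed:
                    verdict, reason = "ignore", f"AXFR of {zone} to listed secondary {ip}"
                else:
                    reason = f"AXFR of {zone} to {ip}, which is not a listed secondary"
            elif ZONE_LOADED.match(msg):
                verdict, reason = "ignore", "master zone loaded at named startup"
            elif LAME_SERVER.match(msg):
                verdict, reason = "ignore", "lame server: remote delegation problem, not local"
        elif prog == "proftpd" and FTP_LOCAL.search(msg):
            last_local_ftp = ts
            verdict, reason = "ignore", "FTP session from localhost (monitor probe)"
        elif prog == "telnetd" and TTLOOP_RESET.match(msg):
            # Only trust the reset when it closely follows the local FTP probe.
            if last_local_ftp and (ts - last_local_ftp).total_seconds() <= PROBE_WINDOW_SECONDS:
                probe_pids.add(event["pid"])
                verdict, reason = "ignore", "telnetd reset seconds after the local FTP probe"
            else:
                reason = "telnetd reset with no preceding local probe"
        elif prog == "inetd":
            m = INETD_EXIT.match(msg)
            if m and int(m.group(1)) in probe_pids:
                verdict, reason = "ignore", "inetd exit of the probed telnetd child"
        out[verdict].append((prog, reason))
    return out


if __name__ == "__main__":
    for prog, reason in triage(SAMPLE_LOG)["review"]:
        print(f"REVIEW {prog}: {reason}")
```

The telnetd reset is accepted only when it lands within the window after the localhost FTP probe; a reset on its own still goes to review, which is the kind of distinction worth encoding before moving a pattern into logcheck's ignore rules. The zone transfer check is the one that matters most here: the approved AXFR lines are only benign for hosts the operator has deliberately configured as secondaries.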