
Re: [cobalt-security] PortSentry/Active System Attacks



An unusual report from Portsentry this evening:

May 14 21:00:34 raq portsentry[572]: attackalert: SYN/Normal scan from host: boron.eu.sun.com/1$
May 14 21:00:34 raq portsentry[572]: attackalert: Host 192.18.1.5 has been blocked via wrappers$
May 14 21:00:34 raq portsentry[572]: attackalert: Host 192.18.1.5 has been blocked via dropped $
May 14 21:00:35 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63474 x.x.x.x:$
May 14 21:00:36 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63478 x.x.x.x:$
May 14 21:00:38 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63474 x.x.x.x:$
May 14 21:00:39 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63478 x.x.x.x:$
May 14 21:00:45 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63474 x.x.x.x:$
May 14 21:00:45 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63478 x.x.x.x:$
May 14 21:00:50 raq 4 kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63595 x.x.x.x:$

and so on....

Is there a valid reason why we would be seeing this activity from Sun
Microsystems?

Lawrence



----- Original Message -----
From: "Bill Irwin" <bill_irwin@xxxxxxxx>
To: <cobalt-security@xxxxxxxxxxxxxxx>
Sent: Monday, May 14, 2001 2:30 PM
Subject: Re: [cobalt-security] PortSentry/Active System Attacks


> Chris Burton wrote:
> >
> > Hi,
> > If it was one of your customers then a reinstall do anything to help,
> > try and find out if it was a customer that did it. If you don't have
> > customers (or other users) then look at the state of the RAQ: has it
> > been compromised or not?
> >
> > ChrisB.
> >
>
> Actually a better idea is to find out who did the scan. If you really
> want to be the strict admin, run a locate for various scripts that users
> may use in linux to run port scans. A good way to find out what those
> scripts may be is to visit www.antionline.com or www.securityfocus.com
> and make a list of the commonly used scripts for port scanning. Run
> "locate <scriptname>" and see if it lists anything. If you get a hit,
> make a note of the users acct. You can then go into their .bash_history
> file and find out if they did run commands for port scans.
> then:
>
> 1) warn them they are in violation of Terms Of Service (you did make a
> TOS for your customers didn't you?).
> 2) if they don't listen or initiate another scan within a 24 to 72 hour
> period, dump them as they are a big liability to your company and not
> worth the potential trouble no matter how much they may be paying.
> 3) review whether your customers need access to telnet or ssh, if no,
> then cut off all access.
>
> This may seem like a heavy-handed approach to some people. However, when
> you look at the liability implications and possible trouble that may be
> caused by this person, it doesn't seem all that bad.
>
> <These opinions are strictly my own and do not constitute the opinions or
> positions of my employer>
>
> --
> Bill Irwin
> Technical Support Engineer
> Sun Microsystems, Inc.
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
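The check Bill describes above (look for port-scanner programs on the box, then read the owning users' .bash_history), written out as an added example that is not from the thread or from Sun: `find_scan_tools` is a scoped stand-in for `locate <scriptname>` that walks the home-directory tree directly, and `audit_user_histories` greps every user's history for invocations of the named tools. Tool names are passed as arguments; the demo's use of "nmap" and the two constructed home directories are illustrative, not a list from the post.

```shell
#!/bin/sh
# Added example, not from the original thread. Implements the admin-side
# check described in the reply: find scanner binaries/scripts under users'
# home directories and grep each user's .bash_history for invocations.
# Assumes a Linux box with users' homes under one root (e.g. /home) and
# interactive bash sessions that write ~/.bash_history.

# List files under $1 whose basename matches one of the remaining arguments
# (what "locate <scriptname>" would report, but without depending on the
# locate database being current). Output: one path per line.
find_scan_tools() {
  root=$1; shift
  for name in "$@"; do
    find "$root" -type f -name "$name" 2>/dev/null
  done
}

# For every <root>/<user>/.bash_history, print "user<TAB>history line" for
# lines that invoke one of the named tools. The boundary pattern requires the
# tool name to stand alone as a word, so "nmaptest" does not match "nmap".
audit_user_histories() {
  root=$1; shift
  alt=$(printf '%s|' "$@"); alt=${alt%|}
  for hist in "$root"/*/.bash_history; do
    [ -f "$hist" ] || continue
    user=$(basename "$(dirname "$hist")")
    grep -E "(^|[[:space:];|&(])($alt)([[:space:]]|\$)" "$hist" |
      while IFS= read -r line; do
        printf '%s\t%s\n' "$user" "$line"
      done
  done
}

# Demo on a constructed home tree (not real user data): alice has a copy of
# the tool and ran it; bob only has an unrelated command sharing the substring.
demo() {
  demo_root=$(mktemp -d)
  mkdir -p "$demo_root/alice/bin" "$demo_root/bob"
  : > "$demo_root/alice/bin/nmap"
  printf 'ls -la\nnmap target.example.net\ncd /tmp\n' > "$demo_root/alice/.bash_history"
  printf 'ls\nvi index.html\nnmaptest\n' > "$demo_root/bob/.bash_history"
  echo "== tool files found under $demo_root =="
  find_scan_tools "$demo_root" nmap
  echo "== history hits =="
  audit_user_histories "$demo_root" nmap
  rm -rf "$demo_root"
}
demo
```

On a real system run `audit_user_histories /home nmap <other-names>` as root. Two caveats a practitioner should keep in mind: .bash_history only records interactive bash sessions that were allowed to write it, and a user can edit or delete the file, use another shell, or run the tool from a cron job, so no hit is not evidence that nothing happened; and searching by filename misses a renamed binary, which is why the history grep and the file search are kept as two independent signals rather than one.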