[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[cobalt-security] Strange events recorded in log - Long

Subject: [cobalt-security] Strange events recorded in log - Long
From: Diana Brake <diana@xxxxxxxxxxxxx>
Date: Thu, 24 May 2001 10:52:01 -0400
List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>

Hi,

I'm hoping someone will have some insight as to these log entries. I'vebeen running Portsentry for many months now (almost a year) it's neverbehaved this way before. I'm wondering what the person was doing that mayhave caused Portsentry to submit nine (9) almost simultaneous attackalerts, then report each attack from the same IP as if it was uniqueinstead of the usual "ignoring" entry it makes for mostpersistent/subsequent attempts from the same IP. I appreciate any thoughts.


the routing table shows only one reject entry of this IP.

portsentry.blocked.tcp & portsentry.history files are pasted here....theyseem to be identical so I pasted just one and only what's current. NOTE:multiple entries for the offender, as if Portsentry didn't realize it hadalready added it once.

******

990585369 - 05/22/2001 22:36:09 Host: 210.178.206.65/210.178.206.65 Port:111 TCP Blocked990634133 - 05/23/2001 12:08:53 Host:wks-166-132-151.kscable.com/24.166.132.151 Port: 111 TCP Blocked990654431 - 05/23/2001 17:47:11 Host: 210.178.236.98/210.178.236.98 Port:111 TCP Blocked990672315 - 05/23/2001 22:45:15 Host: dns1.mcdbr.com/209.102.183.2 Port:111 TCP Blocked990687222 - 05/24/2001 02:53:42 Host:cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked990687234 - 05/24/2001 02:53:54 Host:cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked990687246 - 05/24/2001 02:54:06 Host:cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked990687258 - 05/24/2001 02:54:18 Host:cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked990687269 - 05/24/2001 02:54:29 Host:cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked990687280 - 05/24/2001 02:54:40 Host:cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked990687292 - 05/24/2001 02:54:52 Host:cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked990687303 - 05/24/2001 02:55:03 Host:cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked990687315 - 05/24/2001 02:55:15 Host:cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked990701418 - 05/24/2001 06:50:18 Host: direct2internet.com/213.242.179.2Port: 111 TCP Blocked

logcheck stuff pasted here - NOTE: the multiple instances of "wrapping" andadding to the route table. Never a normal instance of ignoring. I snippedthis stuff alot 'cause it went on and on. There were also attempts toextract the password file and access FTP on several of my machine's IPs


Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=

May 24 02:53:41 gw-crest portsentry[5820]: attackalert: Connect from host:cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 to TCP port: 111May 24 02:53:42 gw-crest portsentry[5820]: attackalert: External commandrun for host: 195.215.212.38 using command:"/usr/local/psionic/portsentry/./portsentry.mailbot 195.215.212.38 111"May 24 02:53:42 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38has been blocked via wrappers with string: "ALL: 195.215.212.38"May 24 02:53:42 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38has been blocked via dropped route using command: "/sbin/route add -host195.215.212.38 reject"May 24 02:53:43 gw-crest portsentry[5820]: attackalert: Connect from host:cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 to TCP port: 111May 24 02:53:54 gw-crest portsentry[5820]: attackalert: External commandrun for host: 195.215.212.38 using command:"/usr/local/psionic/portsentry/./portsentry.mailbot 195.215.212.38 111"May 24 02:53:54 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38has been blocked via wrappers with string: "ALL: 195.215.212.38"May 24 02:53:54 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38has been blocked via dropped route using command: "/sbin/route add -host195.215.212.38 reject"May 24 02:53:54 gw-crest portsentry[5820]: attackalert: Connect from host:cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38

to TCP port: 111

Just to show that Portsentry is working the way I've come to expect for alater attack.

May 24 06:50:17 gw-crest portsentry[5820]: attackalert: Connect from host:direct2internet.com/213.242.179.2 to TCP port: 111May 24 06:50:18 gw-crest portsentry[5820]: attackalert: Possible stealthscan from unknown host to TCP port: 111 (accept failed)May 24 06:50:19 gw-crest portsentry[5820]: attackalert: Connect from host:direct2internet.com/213.242.179.2 to TCP port: 111May 24 06:50:19 gw-crest portsentry[5820]: attackalert: Host: 213.242.179.2is already blocked. Ignoring

PS...I did report strange one above. The offending IP is a machine showingthe default Apache/RedHat installation page and telnet is turned on..:)

Crest Communications, Inc.		diana@xxxxxxxxxxxxx
Beautiful Sunny Florida		http://crestcommunications.com/
352-495-9359, 425-732-9785 fax

Follow-Ups:
- [cobalt-security] flaky DNS
  - From: Barefoot Technologies

Prev by Date: Re: [cobalt-security] ps -aux sendmail and netstat
Next by Date: [cobalt-security] promisc and Cobalt kernel
Previous by thread: Re: [cobalt-security] How to create bogus bannerring for ftp, http and sendmail
Next by thread: [cobalt-security] flaky DNS

Sun Cobalt Security Message Index

Sun Cobalt Security Thread Index