[cobalt-security] Strange events recorded in log - Long
- Subject: [cobalt-security] Strange events recorded in log - Long
- From: Diana Brake <diana@xxxxxxxxxxxxx>
- Date: Thu, 24 May 2001 10:52:01 -0400
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi,

I'm hoping someone will have some insight into these log entries. I've been running Portsentry for many months now (almost a year) and it's never behaved this way before. I'm wondering what the person was doing that may have caused Portsentry to submit nine (9) almost simultaneous attack alerts, then report each attack from the same IP as if it was unique, instead of the usual "ignoring" entry it makes for most persistent/subsequent attempts from the same IP. I appreciate any thoughts. The routing table shows only one reject entry for this IP.

The portsentry.blocked.tcp and portsentry.history files are pasted here. They seem to be identical, so I pasted just one and only what's current. NOTE: multiple entries for the offender, as if Portsentry didn't realize it had already added it once.
******
990585369 - 05/22/2001 22:36:09 Host: 210.178.206.65/210.178.206.65 Port: 111 TCP Blocked
990634133 - 05/23/2001 12:08:53 Host: wks-166-132-151.kscable.com/24.166.132.151 Port: 111 TCP Blocked
990654431 - 05/23/2001 17:47:11 Host: 210.178.236.98/210.178.236.98 Port: 111 TCP Blocked
990672315 - 05/23/2001 22:45:15 Host: dns1.mcdbr.com/209.102.183.2 Port: 111 TCP Blocked
990687222 - 05/24/2001 02:53:42 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687234 - 05/24/2001 02:53:54 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687246 - 05/24/2001 02:54:06 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687258 - 05/24/2001 02:54:18 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687269 - 05/24/2001 02:54:29 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687280 - 05/24/2001 02:54:40 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687292 - 05/24/2001 02:54:52 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687303 - 05/24/2001 02:55:03 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687315 - 05/24/2001 02:55:15 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990701418 - 05/24/2001 06:50:18 Host: direct2internet.com/213.242.179.2 Port: 111 TCP Blocked
The logcheck output is pasted here. NOTE: the multiple instances of "wrapping" and adding to the route table, and never a normal instance of ignoring. I snipped this a lot because it went on and on. There were also attempts to extract the password file and to access FTP on several of my machines' IPs.
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
May 24 02:53:41 gw-crest portsentry[5820]: attackalert: Connect from host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 to TCP port: 111
May 24 02:53:42 gw-crest portsentry[5820]: attackalert: External command run for host: 195.215.212.38 using command: "/usr/local/psionic/portsentry/./portsentry.mailbot 195.215.212.38 111"
May 24 02:53:42 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38 has been blocked via wrappers with string: "ALL: 195.215.212.38"
May 24 02:53:42 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38 has been blocked via dropped route using command: "/sbin/route add -host 195.215.212.38 reject"
May 24 02:53:43 gw-crest portsentry[5820]: attackalert: Connect from host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 to TCP port: 111
May 24 02:53:54 gw-crest portsentry[5820]: attackalert: External command run for host: 195.215.212.38 using command: "/usr/local/psionic/portsentry/./portsentry.mailbot 195.215.212.38 111"
May 24 02:53:54 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38 has been blocked via wrappers with string: "ALL: 195.215.212.38"
May 24 02:53:54 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38 has been blocked via dropped route using command: "/sbin/route add -host 195.215.212.38 reject"
May 24 02:53:54 gw-crest portsentry[5820]: attackalert: Connect from host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 to TCP port: 111
Just to show that Portsentry is working the way I've come to expect, here is a later attack:
May 24 06:50:17 gw-crest portsentry[5820]: attackalert: Connect from host: direct2internet.com/213.242.179.2 to TCP port: 111
May 24 06:50:18 gw-crest portsentry[5820]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
May 24 06:50:19 gw-crest portsentry[5820]: attackalert: Connect from host: direct2internet.com/213.242.179.2 to TCP port: 111
May 24 06:50:19 gw-crest portsentry[5820]: attackalert: Host: 213.242.179.2 is already blocked. Ignoring
PS... I did report the strange one above. The offending IP is a machine showing the default Apache/RedHat installation page, and telnet is turned on. :)
Crest Communications, Inc. diana@xxxxxxxxxxxxx
Beautiful Sunny Florida http://crestcommunications.com/
352-495-9359, 425-732-9785 fax
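The anomaly the post describes (the same host written to portsentry.blocked.tcp and blocked via wrappers and a reject route several times in a row, with no "is already blocked. Ignoring" line) can be picked out mechanically from the two files the poster quotes. The following is an added example, not code from the poster or from PortSentry itself. It parses the blocked-file record format and the syslog lines exactly as they appear in the post, counts block actions per IP, and reports any IP that was blocked more than once. The sample inputs are constructed from the lines quoted above; the one-hour repeat window is an assumption chosen for illustration.

```python
"""Audit PortSentry block records for hosts that were blocked repeatedly.

PortSentry appends one line per block to portsentry.blocked.tcp:
    <epoch> - <MM/DD/YYYY HH:MM:SS> Host: <name>/<ip> Port: <port> <TCP|UDP> Blocked
and, for further connects from a host it has already blocked, normally logs
    attackalert: Host: <ip> is already blocked. Ignoring
A second "has been blocked via ..." line for the same IP therefore means the
hosts.deny and route entries were written again, which is what the post shows.
"""
import re
from collections import defaultdict

# Record format of portsentry.blocked.tcp / portsentry.history.
BLOCKED_RE = re.compile(
    r"^(?P<epoch>\d+) - (?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) "
    r"Host: (?P<host>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Port: (?P<port>\d+) (?P<proto>TCP|UDP) Blocked$"
)
# Syslog lines; PortSentry writes "Host <ip>" for blocks and "Host: <ip>" for
# the ignore message, so the colon is optional here.
SYSLOG_BLOCK_RE = re.compile(
    r"attackalert: Host:? (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"has been blocked via (?P<method>wrappers|dropped route)"
)
SYSLOG_IGNORE_RE = re.compile(
    r"attackalert: Host:? (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is already blocked\. Ignoring"
)

# Constructed sample: a subset of the records quoted in the post.
SAMPLE_BLOCKED = """\
990672315 - 05/23/2001 22:45:15 Host: dns1.mcdbr.com/209.102.183.2 Port: 111 TCP Blocked
990687222 - 05/24/2001 02:53:42 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687234 - 05/24/2001 02:53:54 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687246 - 05/24/2001 02:54:06 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990701418 - 05/24/2001 06:50:18 Host: direct2internet.com/213.242.179.2 Port: 111 TCP Blocked
""".splitlines()

# Constructed sample: syslog lines in the form quoted in the post.
SAMPLE_SYSLOG = """\
May 24 02:53:41 gw-crest portsentry[5820]: attackalert: Connect from host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 to TCP port: 111
May 24 02:53:42 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38 has been blocked via wrappers with string: "ALL: 195.215.212.38"
May 24 02:53:42 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38 has been blocked via dropped route using command: "/sbin/route add -host 195.215.212.38 reject"
May 24 02:53:54 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38 has been blocked via wrappers with string: "ALL: 195.215.212.38"
May 24 02:53:54 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38 has been blocked via dropped route using command: "/sbin/route add -host 195.215.212.38 reject"
May 24 06:50:17 gw-crest portsentry[5820]: attackalert: Connect from host: direct2internet.com/213.242.179.2 to TCP port: 111
May 24 06:50:19 gw-crest portsentry[5820]: attackalert: Host: 213.242.179.2 is already blocked. Ignoring
""".splitlines()


def parse_blocked(lines):
    """Parse portsentry.blocked.tcp lines into dicts; reject malformed records."""
    records = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = BLOCKED_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised block record: {line!r}")
        records.append({"epoch": int(m["epoch"]), "ip": m["ip"], "host": m["host"],
                        "port": int(m["port"]), "proto": m["proto"]})
    return records


def find_repeat_blocks(records, window_seconds=3600):
    """Return {ip: sorted epochs} for IPs blocked more than once within the window.

    One block per host is expected; a cluster of blocks for the same IP means
    the 'already blocked' check did not fire (the window is an assumed value)."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r["epoch"])
    repeats = {}
    for ip, epochs in by_ip.items():
        epochs.sort()
        if len(epochs) > 1 and epochs[-1] - epochs[0] <= window_seconds:
            repeats[ip] = epochs
    return repeats


def summarize_syslog(lines):
    """Count block actions and 'already blocked' messages per IP."""
    summary = defaultdict(lambda: {"wrappers": 0, "dropped route": 0, "ignored": 0})
    for line in lines:
        m = SYSLOG_BLOCK_RE.search(line)
        if m:
            summary[m["ip"]][m["method"]] += 1
            continue
        m = SYSLOG_IGNORE_RE.search(line)
        if m:
            summary[m["ip"]]["ignored"] += 1
    return dict(summary)


def hosts_blocked_repeatedly(summary):
    """IPs for which the wrappers or route block action ran more than once."""
    return sorted(ip for ip, c in summary.items()
                  if c["wrappers"] > 1 or c["dropped route"] > 1)


if __name__ == "__main__":
    print("repeat blocks in blocked file:", find_repeat_blocks(parse_blocked(SAMPLE_BLOCKED)))
    print("hosts blocked repeatedly in syslog:",
          hosts_blocked_repeatedly(summarize_syslog(SAMPLE_SYSLOG)))
```

Run against the real files (`parse_blocked(open("portsentry.blocked.tcp"))` and the portsentry lines grepped from syslog), an empty result from both checks means every offender was blocked exactly once and later connects were ignored, which is the behaviour the poster expects; a non-empty result lists the hosts for which the block was re-applied.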