
SV: [cobalt-security] attackalert: Unknown Type



Thanks for the help so far.

I got 3-4 like this. Another strange thing in the log that day was a lot of
zone transfers to an IP not defined in my network settings! That should not
happen... and what does a host in Belgium want with .no domain name info??

Jun 20 14:51:15 www named[555]: approved AXFR from [212.68.195.60].2356 for "cats.no"
Jun 20 14:51:15 www named[555]: zone transfer (AXFR) of "cats.no" (IN) to [212.68.195.60].2356
Jun 20 14:53:02 www named[555]: approved AXFR from [212.68.195.60].3118 for "army.no"
Jun 20 14:53:02 www named[555]: zone transfer (AXFR) of "army.no" (IN) to [212.68.195.60].3118
Jun 20 15:05:37 www named[555]: approved AXFR from [212.68.195.60].4910 for "teakgarden.no"
Jun 20 15:05:37 www named[555]: zone transfer (AXFR) of "teakgarden.no" (IN) to [212.68.195.60].4910
Jun 20 15:15:03 www named[555]: approved AXFR from [212.68.195.60].4915 for "bofo.no"
Jun 20 15:15:03 www named[555]: zone transfer (AXFR) of "bofo.no" (IN) to [212.68.195.60].4915
Jun 20 15:37:09 www named[555]: approved AXFR from [212.68.195.60].3197 for "bror.no"
Jun 20 15:37:09 www named[555]: zone transfer (AXFR) of "bror.no" (IN) to [212.68.195.60].3197

And THIS (maybe this was after a restart; it looks like that in the log):

Jun 20 11:19:25 www kernel: portmap: RPC call returned error 111
Jun 20 11:19:25 www kernel: RPC: task of released request still queued!
Jun 20 11:19:25 www kernel: RPC: (task is on xprt_pending)
Jun 20 11:19:30 www kernel: portmap: RPC call returned error 111
Jun 20 11:19:30 www kernel: RPC: task of released request still queued!
Jun 20 11:19:30 www kernel: RPC: (task is on xprt_pending)
Jun 20 11:19:30 www kernel: lockd_up: makesock failed, error=-111
Jun 20 11:19:35 www kernel: portmap: RPC call returned error 111
Jun 20 11:19:35 www kernel: RPC: task of released request still queued!

Kai
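As an added example (not from the post or from the list), a small Python script that pulls the completed AXFR entries out of the named log lines above and flags any sent to a host that is not one of the configured secondaries; the allow-list addresses are placeholders, not real server addresses.

```python
import re
from collections import Counter

# Sample input: the named log lines quoted in the post, with wrapped lines joined.
NAMED_LOG = """\
Jun 20 14:51:15 www named[555]: approved AXFR from [212.68.195.60].2356 for "cats.no"
Jun 20 14:51:15 www named[555]: zone transfer (AXFR) of "cats.no" (IN) to [212.68.195.60].2356
Jun 20 14:53:02 www named[555]: approved AXFR from [212.68.195.60].3118 for "army.no"
Jun 20 14:53:02 www named[555]: zone transfer (AXFR) of "army.no" (IN) to [212.68.195.60].3118
Jun 20 15:05:37 www named[555]: approved AXFR from [212.68.195.60].4910 for "teakgarden.no"
Jun 20 15:05:37 www named[555]: zone transfer (AXFR) of "teakgarden.no" (IN) to [212.68.195.60].4910
Jun 20 15:15:03 www named[555]: approved AXFR from [212.68.195.60].4915 for "bofo.no"
Jun 20 15:15:03 www named[555]: zone transfer (AXFR) of "bofo.no" (IN) to [212.68.195.60].4915
Jun 20 15:37:09 www named[555]: approved AXFR from [212.68.195.60].3197 for "bror.no"
Jun 20 15:37:09 www named[555]: zone transfer (AXFR) of "bror.no" (IN) to [212.68.195.60].3197
"""

# Hypothetical allow-list of secondary name servers (placeholder addresses, assumed here).
ALLOWED_SECONDARIES = {"192.0.2.10", "192.0.2.11"}

# Matches the "zone transfer (AXFR) of ... to [ip].port" line that BIND logs per completed transfer.
AXFR_RE = re.compile(
    r'named\[\d+\]: zone transfer \(AXFR\) of "(?P<zone>[^"]+)" \(IN\) '
    r'to \[(?P<ip>[\d.]+)\]\.(?P<port>\d+)'
)


def parse_axfr(log_text):
    """Return (zone, client_ip, client_port) for every completed AXFR in the log."""
    transfers = []
    for line in log_text.splitlines():
        m = AXFR_RE.search(line)
        if m:
            transfers.append((m.group("zone"), m.group("ip"), int(m.group("port"))))
    return transfers


def unauthorized_transfers(log_text, allowed):
    """Transfers that went to a client not in the allow-list of secondaries."""
    return [t for t in parse_axfr(log_text) if t[1] not in allowed]


def transfers_per_source(log_text):
    """Zones pulled per client; one client pulling every zone is the pattern in the post."""
    return Counter(ip for _, ip, _ in parse_axfr(log_text))


if __name__ == "__main__":
    for zone, ip, port in unauthorized_transfers(NAMED_LOG, ALLOWED_SECONDARIES):
        print(f"AXFR of {zone} to non-secondary {ip}:{port}")
    print(transfers_per_source(NAMED_LOG))
```

The matching fix on the server side is a BIND `allow-transfer { ...; };` clause listing only the secondaries, so such clients are refused rather than logged as "approved".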




> To my untrained eye, this looks like someone's trying to do a syn
> flood attack on you?

Unlikely I would have said, especially as I would be very surprised if the
original poster has anything running on port 111 to flood.

How many of these entries were in the log in total?

> Or maybe just a SYN scan?

Slightly different: SYN and FIN set is a scan by a particular port scanner
that tends to come with worms, IIRC. (If this sounds familiar to someone,
can they post a URL, as I'm sure I've read that information on an
authoritative site but for the life of me I can't remember which site, let
alone the exact webpage.)

> Portsentry blocked it, though, and is ignoring further attempted
> connections/packets from that IP.

I wouldn't be surprised if the source is a compromised host, might be worth
contacting the administrators of that network.

Why you received multiple connections to the same host is intriguing, unless
this kind of scanner sends a couple of packets, and because portsentry
started blocking them it kept trying to get a response out of the second
packet?

--
Nick Drage - Security Architecture - Demon Internet - Thus PLC
As of Thu 21/06/2001 at 16:00
This computer has been up for 7 days, 22 hours, 56 minutes, 11 seconds.
_______________________________________________
cobalt-security mailing list
cobalt-security@xxxxxxxxxxxxxxx
http://list.cobalt.com/mailman/listinfo/cobalt-security