Re: SV: [cobalt-security] attackalert Unknown Type
- Subject: Re: SV: [cobalt-security] attackalert Unknown Type
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Fri, 25 Jan 2002 22:42:47 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Kai,
> Jan 24 14:16:29 www portsentry[22243]: attackalert: SYN/Normal scan from
> host: 211.184.115.62/211.184.115.62 to TCP port: 111
Port 111 is sunrpc. The "rpc" stands for "remote procedure call". This port
is often used for NFS services. It's a service which has many known security
issues and which is fairly often probed by would-be attackers. However, this
could also be a harmless guy trying to mount an NFS share, who mistyped the
IP address and accidentally typed in yours.
> The file-check report that came soon after was 33kb when normally it's
> about 2kb. Here are a few of the 100's of records in the report; almost all
> were very similar.
>
> This is like 5% of log there is hundreds of changes:
>
> -eRaq.net 01/24/02:22.00 FILE CHANGES!
>
> WARNING: [raq.net] /tmp/.casp3000/chili-psm
> [Times: Jan 22 19:08 2002 - Jan 24 07:49 2002]
I guesstimate that ChiliSoft ASP was restarted on your machine. Did you
reboot the server by chance?
> ADDITION: [raq.net] /tmp/CTT0L1C4I
> Inode Permissons Size Created On
> 457019 -rw------- 0 Jan 24 07:49 2002
>
> ADDITION: [raq.net] /tmp/CTT0p5B2D
> Inode Permissons Size Created On
> 456934 -rw------- 0 Jan 24 07:49 2002
Many different applications write temporary data to /tmp, which is usually
not a problem at all. However, as anyone has read and write permissions to
/tmp it's usually a good idea to monitor changes there as well. ChiliSoft for
instance does create some odd files in there, and PHP session information is
also written to /tmp.
However, these filenames here don't ring a bell with me. It could be
legitimate, could be not. Hard to tell, Kai. I'd take a look at the files
with an editor like "vi" or "pico" to see what kind of information they
contain. From that it might be possible to determine which application
created these files, which might be very helpful to know.
Were there other filesystem modifications outside /tmp?
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
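The file-check report quoted in this thread lists inode, permissions, size and timestamp for each changed entry under /tmp. The script below is an added example, not part of the mailing-list thread or of the Cobalt file-check tool, showing how such a baseline-and-compare monitor works: it snapshots a directory, takes a second snapshot later, and reports additions, removals and changed entries. The host name, directory layout and file names in `demo()` are constructed to mirror the quoted report; the real tool's format is not reproduced.

```python
"""Baseline-and-compare monitor for a world-writable directory such as /tmp.

Added example, not code from the thread or from the Cobalt file-check tool.
Records inode, symbolic mode, size and mtime for every entry, then reports
ADDITION / REMOVAL / WARNING (changed) records between two snapshots.
"""
import os
import stat
import tempfile
import time
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entry:
    inode: int
    mode: str      # symbolic mode, e.g. -rw-------
    size: int
    mtime: int     # seconds since epoch


def snapshot(root: str) -> Dict[str, Entry]:
    """Walk root and record metadata for every file and directory below it."""
    result: Dict[str, Entry] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)   # lstat: never follow symlinks planted in /tmp
            except FileNotFoundError:
                continue              # short-lived temp files may vanish mid-walk
            result[os.path.relpath(path, root)] = Entry(
                st.st_ino, stat.filemode(st.st_mode), st.st_size, int(st.st_mtime))
    return result


def compare(before: Dict[str, Entry], after: Dict[str, Entry]) -> List[Tuple[str, str, Entry]]:
    """Return (kind, relpath, entry) records sorted by path.

    A change of inode, mode, size or mtime is reported as WARNING, which is
    how a rewritten or replaced file shows up in the quoted report.
    """
    events = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            events.append(("ADDITION", rel, after[rel]))
        elif rel not in after:
            events.append(("REMOVAL", rel, before[rel]))
        elif before[rel] != after[rel]:
            events.append(("WARNING", rel, after[rel]))
    return events


def format_report(host: str, root: str, events) -> str:
    """Render records in a layout loosely modelled on the quoted report (constructed)."""
    lines = [f"{host} FILE CHANGES!" if events else f"{host} no changes"]
    for kind, rel, e in events:
        lines.append(f"{kind}: [{host}] {os.path.join(root, rel)}")
        stamp = time.strftime("%b %d %H:%M %Y", time.localtime(e.mtime))
        lines.append(f"  Inode {e.inode} Permissions {e.mode} Size {e.size} Modified {stamp}")
    return "\n".join(lines)


def demo() -> List[Tuple[str, str]]:
    """Run the monitor over a constructed directory; returns (kind, relpath) pairs."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed baseline: a hidden subdirectory with one existing file.
        os.makedirs(os.path.join(root, ".casp3000"))
        with open(os.path.join(root, ".casp3000", "chili-psm"), "w") as f:
            f.write("placeholder\n")
        before = snapshot(root)

        # Constructed later state: the existing file is rewritten (size changes)
        # and two empty mode-0600 files appear, like the additions in the report.
        with open(os.path.join(root, ".casp3000", "chili-psm"), "w") as f:
            f.write("placeholder rewritten after restart\n")
        for name in ("CTT0L1C4I", "CTT0p5B2D"):
            fd = os.open(os.path.join(root, name), os.O_CREAT | os.O_WRONLY, 0o600)
            os.close(fd)
        after = snapshot(root)

        events = compare(before, after)
        print(format_report("raq.net", root, events))
        return [(kind, rel) for kind, rel, _ in events]


if __name__ == "__main__":
    demo()
```

For production use the baseline would be stored outside the monitored directory (and ideally on read-only media or a remote host), since a baseline kept in a world-writable directory can be edited by whoever planted the files. Size-0 files with mode 0600, as in the quoted additions, give the monitor nothing to inspect, so the creating process has to be identified from timing and surrounding changes rather than from content.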