
Re: SV: [cobalt-security] attackalert Unknown Type



> Date: Fri, 25 Jan 2002 13:34:15 +0100
> From: "Kai r. s., euroweb as" <kai@xxxxxxxxxx>

> It's not that isolated an incident, the same server has got many scans today,

If you're getting more probes from the same netblock, then it
sounds as if someone is up to no good.

Port 111/TCP and 111/UDP is used by the RPC portmapper... a
favorite port for crackers to probe.  If someone's scanning you on
that, I highly question their motives -- valid packets or not.

> (here is some of them)

[ snip ]

> The file-check report that came soon after was 33kb when normally it's
> about 2kb. Here are a few of the 100's of records in the report; almost all
> were very similar.
> 
> This is like 5% of log there is hundreds of changes:

[ snip ]

> This was in the file-change report at 22:01 tonight. There is also one
> running at 10:01 and if you see the time stamp on these files there is
> something not right. If that was correct they should have been reported in

Not sure why it didn't catch it in the first scan.  If the 10:01
scan is indeed running, it does seem odd that files over two
hours old weren't noted...

> the file-change report at 10:01. And most of all, what are these? Could they

Try opening a file of non-zero size in your favorite text editor.

> be related to the strange scan..? And if so maybe all raq4s have this

Indirectly.  There must be a running process to create a file.
It's possible that Portsentry created a temp file.  Assuming no
funny business, a couple of those files appear to have been
created by Chili!ASP.

> exploit..

If you wish to check for an exploit, run md5 hashes on several
system binaries and compare with what you know to be correct.
It's not 100% (one can do many things with a trojan kernel), but
it is a very good way to give your system a quick check.

> Thanks for all the help..


Eddy

Brotsman & Dreger, Inc. - EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence
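A baseline-and-verify script along the lines of the md5 comparison Eddy recommends above. This is an added example, not code from the original thread or from the Cobalt tools it discusses; it uses hashlib.md5 (the digest the post names) plus the file's permission bits, and the "binaries" and the same-size tampering in demo() are constructed in a temp directory.

```python
"""Record md5 + mode bits for trusted binaries, then re-check them later."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, Iterable, Tuple

# path -> (md5 hex digest, permission bits); the baseline must be taken
# from a state you trust and stored off-box, or an intruder can rewrite it.
Baseline = Dict[str, Tuple[str, int]]


def md5_of_file(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Baseline:
    """Snapshot digest and mode bits for each listed file."""
    return {p: (md5_of_file(p), stat.S_IMODE(os.stat(p).st_mode)) for p in paths}


def verify(baseline: Baseline) -> Dict[str, str]:
    """Compare live files to the baseline; empty dict means no changes found."""
    findings: Dict[str, str] = {}
    for p, (digest, mode) in baseline.items():
        if not os.path.exists(p):
            findings[p] = "missing"
            continue
        live_mode = stat.S_IMODE(os.stat(p).st_mode)
        if md5_of_file(p) != digest:
            findings[p] = "content changed (md5 mismatch)"
        elif live_mode != mode:
            findings[p] = f"mode changed {oct(mode)} -> {oct(live_mode)}"
    return findings


def demo() -> Dict[str, str]:
    """Constructed scenario: two fake binaries, 'ps' overwritten after baseline."""
    d = tempfile.mkdtemp()
    ls, ps = os.path.join(d, "ls"), os.path.join(d, "ps")
    for p in (ls, ps):
        with open(p, "wb") as f:
            f.write(b"ORIGINAL BINARY CONTENTS")  # placeholder, not a real binary
    base = build_baseline([ls, ps])
    with open(ps, "wb") as f:
        f.write(b"TROJANED BINARY CONTENTS")  # same length, so only the hash tells
    return {os.path.basename(p): v for p, v in verify(base).items()}
```

Running the same check against a baseline taken from a clean install of the same RaQ software version is the "compare with what you know to be correct" step; a size or timestamp match alone, as the constructed case shows, does not prove a file is untouched.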