
SV: [cobalt-security] attackalert Unknown Type



>
> Looking at my /etc/services, I see "efficient short remote
> operations" for 259/TCP.

Sounds like something no good to me..

> SYN+FIN is a somewhat unusual combination of TCP flags.  Unusual,
> but valid.  Something called T/TCP (transactional TCP) uses it,
> but it's not commonplace.
>
>
> Could be a stray packet.  Could be a probe.  If it's an isolated
> incident, I'd not worry too much.  If you see other questionable
> packets, somebody might be portscanning you.

It's not that isolated; that server had many scans today
(here are some of them):
Jan 24 14:16:29 www portsentry[22243]: attackalert: SYN/Normal scan from host: 211.184.115.62/211.184.115.62 to TCP port: 111
Jan 24 14:16:29 www portsentry[22243]: attackalert: Host 211.184.115.62 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 211.184.115.62 -j DENY"
Jan 24 14:16:29 www portsentry[22243]: attackalert: SYN/Normal scan from host: 211.184.115.62/211.184.115.62 to TCP port: 111
Jan 24 14:16:29 www portsentry[22243]: attackalert: Host: 211.184.115.62/211.184.115.62 is already blocked Ignoring
Jan 24 14:16:29 www portsentry[22243]: attackalert: SYN/Normal scan from host: 211.184.115.62/211.184.115.62 to TCP port: 111
Jan 24 14:16:29 www portsentry[22243]: attackalert: Host 211.184.115.62 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 211.184.115.62 -j DENY"
Jan 24 14:16:29 www portsentry[22243]: attackalert: SYN/Normal scan from host: 211.184.115.62/211.184.115.62 to TCP port: 111
Jan 24 14:16:29 www portsentry[22243]: attackalert: Host: 211.184.115.62/211.184.115.62 is already blocked Ignoring

The file-check report that came soon after was 33kb, when normally it's
about 2kb. Here are a few of the 100's of records in the report; almost all
were very similar.

This is like 5% of the log; there are hundreds of changes:

-eRaq.net 01/24/02:22.00 FILE CHANGES!

WARNING: [raq.net] /tmp/.casp3000/chili-psm
[Times: Jan 22 19:08 2002 - Jan 24 07:49 2002]

WARNING: [raq.net] /tmp/chili-psm
[Times: Jan 22 19:08 2002 - Jan 24 07:49 2002]

ADDITION: [raq.net] /tmp/CTT0L1C4I
Inode Permissons Size Created On
457019 -rw------- 0 Jan 24 07:49 2002

ADDITION: [raq.net] /tmp/CTT0p5B2D
Inode Permissons Size Created On
456934 -rw------- 0 Jan 24 07:49 2002

ADDITION: [raq.net] /tmp/CTT0vVXCf
Inode Permissons Size Created On
456811 -rw------- 0 Jan 24 07:49 2002

ADDITION: [raq.net] /tmp/CTT11wcUS
Inode Permissons Size Created On
456951 -rw------- 471828 Jan 24 07:49 2002

ADDITION: [raq.net] /tmp/CTT1P5jhU
Inode Permissons Size Created On
456964 -rw------- 0 Jan 24 07:49 2002

ADDITION: [raq.net] /tmp/CTT1fKG65
Inode Permissons Size Created On
456781 -rw------- 0 Jan 24 07:49 2002

ADDITION: [raq.net] /tmp/CTT3DdOWY
Inode Permissons Size Created On
456860 -rw------- 67404 Jan 24 07:49 2002

This was in the file-change report at 22:01 tonight. There is also one
running at 10:01, and if you look at the timestamps on these files there is
something not right. If that was correct they should have been reported in
the file-change report at 10:01. And most of all, what are these? Could they
be related to the strange scan..? And if so, maybe all RaQ4s have this
exploit..

Thanks for all the help..

Kai


> Eddy
>
> Brotsman & Dreger, Inc. - EverQuick Internet Division
> Phone: +1 (316) 794-8922 Wichita/(Inter)national
> Phone: +1 (785) 865-5885 Lawrence
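As an added example, not part of the original thread or of portsentry or the Cobalt file-check script, the following Python triages the two kinds of evidence quoted above: it classifies a TCP flags byte the way a portsentry-style detector would (so SYN+FIN lands in "Unknown Type"), summarizes attackalert lines per source host, and pulls the ADDITION entries out of a file-change report to flag a burst of same-minute files under /tmp. The scan-type rules are an assumed simplification, not portsentry's real code; the sample log lines are the ones quoted in the post re-joined onto single lines, and the sample report is four of the posted ADDITION entries.

```python
import re
from collections import defaultdict

# TCP flag bits as laid out in the TCP header flags byte (RFC 793).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def classify_tcp_flags(flags):
    """Map a TCP flags byte to a portsentry-style scan label.
    Assumed simplification (not portsentry's actual code): lone SYN is a
    normal connect/SYN scan, lone FIN a FIN scan, no flags a NULL scan,
    FIN+PSH+URG an XMAS scan; anything else, SYN+FIN included, is Unknown."""
    f = flags & (FIN | SYN | RST | PSH | ACK | URG)
    if f == SYN:
        return "SYN/Normal scan"
    if f == FIN:
        return "FIN scan"
    if f == 0:
        return "NULL scan"
    if f == FIN | PSH | URG:
        return "XMAS scan"
    return "Unknown Type"


# The scan-alert line and the two block-status lines seen in the post.
SCAN_RE = re.compile(r"attackalert: (?P<kind>.+?) from host: (?P<host>[\d.]+)/[\d.]+ "
                     r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
BLOCK_RE = re.compile(r"attackalert: Host:? (?P<host>[\d.]+)(?:/[\d.]+)? "
                      r"(?P<what>has been blocked|is already blocked)")


def summarize_portsentry(lines):
    """Group attackalert lines by source host: ports hit, scan kinds, and how
    often portsentry inserted a block versus found the host already blocked."""
    hosts = defaultdict(lambda: {"ports": set(), "kinds": set(),
                                 "blocked": 0, "already_blocked": 0})
    for line in lines:
        m = SCAN_RE.search(line)
        if m:
            hosts[m["host"]]["ports"].add((m["proto"], int(m["port"])))
            hosts[m["host"]]["kinds"].add(m["kind"])
            continue
        m = BLOCK_RE.search(line)
        if m:
            key = "blocked" if m["what"].startswith("has") else "already_blocked"
            hosts[m["host"]][key] += 1
    return dict(hosts)


# ADDITION header and the data row under "Inode Permissons Size Created On".
ADD_RE = re.compile(r"^ADDITION: \[[^\]]+\] (?P<path>\S+)$")
ROW_RE = re.compile(r"^(?P<inode>\d+) (?P<perms>[-dlrwxsStT]{10}) (?P<size>\d+) "
                    r"(?P<created>\w{3} \d+ \d\d:\d\d \d{4})$")


def parse_additions(report):
    """Return one dict per ADDITION entry in a file-change report."""
    out, pending = [], None
    for raw in report.splitlines():
        line = raw.strip()
        m = ADD_RE.match(line)
        if m:
            pending = m["path"]
            continue
        m = ROW_RE.match(line)
        if m and pending:
            out.append({"path": pending, "perms": m["perms"],
                        "size": int(m["size"]), "created": m["created"]})
            pending = None
    return out


def suspicious_tmp_burst(additions, min_files=3):
    """Flag /tmp additions that share one creation minute. A burst of
    owner-only files with random-looking names deserves a manual look, but
    by itself it is not proof of compromise; compare the file timestamps
    (not the report time) against the scan times."""
    by_minute = defaultdict(list)
    for a in additions:
        if a["path"].startswith("/tmp/"):
            by_minute[a["created"]].append(a["path"])
    return {t: p for t, p in by_minute.items() if len(p) >= min_files}


# Sample input: the portsentry lines quoted in the post, re-joined.
PORTSENTRY_LOG = [
    'Jan 24 14:16:29 www portsentry[22243]: attackalert: SYN/Normal scan from host: 211.184.115.62/211.184.115.62 to TCP port: 111',
    'Jan 24 14:16:29 www portsentry[22243]: attackalert: Host 211.184.115.62 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 211.184.115.62 -j DENY"',
    'Jan 24 14:16:29 www portsentry[22243]: attackalert: SYN/Normal scan from host: 211.184.115.62/211.184.115.62 to TCP port: 111',
    'Jan 24 14:16:29 www portsentry[22243]: attackalert: Host: 211.184.115.62/211.184.115.62 is already blocked Ignoring',
    'Jan 24 14:16:29 www portsentry[22243]: attackalert: SYN/Normal scan from host: 211.184.115.62/211.184.115.62 to TCP port: 111',
    'Jan 24 14:16:29 www portsentry[22243]: attackalert: Host 211.184.115.62 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 211.184.115.62 -j DENY"',
    'Jan 24 14:16:29 www portsentry[22243]: attackalert: SYN/Normal scan from host: 211.184.115.62/211.184.115.62 to TCP port: 111',
    'Jan 24 14:16:29 www portsentry[22243]: attackalert: Host: 211.184.115.62/211.184.115.62 is already blocked Ignoring',
]

# Sample input: four of the ADDITION entries from the post's report.
FILE_CHANGE_REPORT = """
ADDITION: [raq.net] /tmp/CTT0L1C4I
Inode Permissons Size Created On
457019 -rw------- 0 Jan 24 07:49 2002
ADDITION: [raq.net] /tmp/CTT11wcUS
Inode Permissons Size Created On
456951 -rw------- 471828 Jan 24 07:49 2002
ADDITION: [raq.net] /tmp/CTT1P5jhU
Inode Permissons Size Created On
456964 -rw------- 0 Jan 24 07:49 2002
ADDITION: [raq.net] /tmp/CTT3DdOWY
Inode Permissons Size Created On
456860 -rw------- 67404 Jan 24 07:49 2002
"""
```

Run over the sample data, `summarize_portsentry` shows one host hitting only TCP/111 (portmapper) with plain SYN probes, and `suspicious_tmp_burst` groups all four /tmp files under the same 07:49 minute, which is the timestamp the poster wants to line up against the scan times rather than the 22:01 report time.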