Hello, I have been running a server for a few months now for a hobby site and had installed snort. I have reports of a whole range of attacks on the server IP including
The distribution of attack methods
===============================================
   %     # of attacks   method
===============================================
 32.23       39         SCAN Proxy attempt
 11.57       14         WEB-CGI finger access
  8.26       10         WEB-MISC long basic authorization string
  6.61        8         WEB-CGI redirect access
  5.79        7         WEB-CGI tcsh access
  5.79        7         STEALTH ACTIVITY (nmap XMAS scan) detection {TCP}
  5.79        7         INFO - Possible Squid Scan
  4.13        5         WEB-IIS scripts access
  4.13        5         BAD TRAFFIC tcp port 0 traffic
  3.31        4         WEB-MISC count.cgi access

Which of these should I be worried about? Also, some of these scans seem to be going *out*. Has this box been compromised? If so, how do I go about tracking the compromise?

I have a firewall running on this machine with the following config (modified to remove irrelevant stuff). eth0 is the external interface and eth1 the internal.

ganesh:/home/shri# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
block      all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
block      all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain block (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere             state NEW
DROP       all  --  anywhere             anywhere

ganesh:/home/shri# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

If this is not the right place to ask, I would very much appreciate it if someone could point me in the right direction. Any and all info appreciated.

Thanks for your time.
Shri

--
------------------------------------------------------------------------
Shri Shrikumar                U R Byte Solutions
I.T. Consultant               Edinburgh, Scotland
Tel: (0131) 558 9990          Email: [EMAIL PROTECTED]
                              Web: www.urbyte.com
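The poster's "some of these scans seem to be going *out*" question is really a question about direction: for each Snort alert, is the server's external address the source or the destination? The following script is an added example, not code from the original post or from Snort. It tallies alerts by signature and direction over a handful of constructed Snort "fast"-style alert lines, using 192.0.2.10 as a stand-in for the server's external IP and arbitrary signature IDs (all assumptions). One caveat that follows from the posted ruleset: with MASQUERADE on POSTROUTING, a scan originating from a host on eth1 also leaves eth0 with the server's address as source, so an "outbound" alert seen on eth0 is only attributable to the server itself if the same flow is absent from eth1.

```python
import re
from collections import Counter

# Stand-in for the server's external (eth0) address; assumed, not from the post.
HOST_IP = "192.0.2.10"

# Constructed sample alerts in Snort fast-alert style. Signature IDs and
# addresses are made up for the example; only the message text mirrors the post.
SAMPLE_ALERTS = """\
03/15-01:02:03.000001  [**] [1:100:1] SCAN Proxy attempt [**] [Priority: 2] {TCP} 198.51.100.7:40001 -> 192.0.2.10:8080
03/15-01:02:04.000002  [**] [1:100:1] SCAN Proxy attempt [**] [Priority: 2] {TCP} 198.51.100.7:40002 -> 192.0.2.10:3128
03/15-01:05:00.000003  [**] [1:101:1] WEB-CGI finger access [**] [Priority: 2] {TCP} 203.0.113.9:51000 -> 192.0.2.10:80
03/15-01:07:00.000004  [**] [1:102:1] STEALTH ACTIVITY (nmap XMAS scan) detection [**] [Priority: 2] {TCP} 203.0.113.9:51001 -> 192.0.2.10:22
03/15-02:00:00.000005  [**] [1:100:1] SCAN Proxy attempt [**] [Priority: 2] {TCP} 192.0.2.10:33000 -> 198.51.100.200:8080
03/15-02:00:01.000006  [**] [1:103:1] INFO - Possible Squid Scan [**] [Priority: 3] {TCP} 192.0.2.10:33001 -> 198.51.100.200:3128
03/15-02:30:00.000007  [**] [1:104:1] BAD TRAFFIC tcp port 0 traffic [**] [Priority: 2] {TCP} 192.0.2.10:0 -> 10.0.0.5:0
"""

# Pulls the message between the [**] markers and the {proto} src:port -> dst:port tail.
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[\d+:\d+:\d+\]\s+(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_alerts(text):
    """Yield one dict per parseable alert line; unparseable lines are skipped."""
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            a = m.groupdict()
            a["sport"] = int(a["sport"])
            a["dport"] = int(a["dport"])
            yield a


def direction(alert, host_ip):
    """Classify a flow relative to the host's own external address."""
    if alert["src"] == host_ip:
        # Server is the source. With MASQUERADE on eth0 this can also be a
        # NATed LAN host, so confirm against a capture on the internal interface.
        return "outbound"
    if alert["dst"] == host_ip:
        return "inbound"
    return "transit"  # neither end is the host: forwarded, un-NATed traffic


def triage(text, host_ip):
    """Return (Counter keyed by (message, direction), list of non-inbound alerts)."""
    counts = Counter()
    suspicious = []
    for a in parse_alerts(text):
        d = direction(a, host_ip)
        counts[(a["msg"], d)] += 1
        if d != "inbound":
            suspicious.append(a)
    return counts, suspicious


def report(counts):
    """Render the tally in the same shape as the poster's distribution table."""
    total = sum(counts.values())
    lines = ["   %     count   direction   method"]
    for (msg, d), n in counts.most_common():
        lines.append(f"{100.0 * n / total:6.2f}   {n:5d}   {d:<9}   {msg}")
    return "\n".join(lines)


if __name__ == "__main__":
    counts, suspicious = triage(SAMPLE_ALERTS, HOST_IP)
    print(report(counts))
    print()
    for a in suspicious:
        print(f"{a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}  {a['msg']}")
```

Inbound proxy and CGI probes against a box that only serves web, mail and ssh are background noise on any Internet-facing host; the lines worth chasing are the ones the script lists at the end, where the server's own address is the source. Those are the flows to correlate with a packet capture on eth1, with `netstat`/`lsof` output for the originating process, and with the login and cron history around the alert timestamps.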