Looks to me like something similar to the following happened:

1) (L)user on 203.21.16.18 connected (http) to your web server at 15:00 (so
far not too worrisome)

2) (L)user on 203.21.16.18 tries to ssh into your machine - WARNING!  He has
no business doing this, you are being probed!

3) Authentication times out on ssh login - WARNING!  He probably tried the
old openssh exploit (which has been plugged) and failed (or, a script is
trying to make connections to see if there is a machine there).  YOU ARE
UNDER ATTACK!

4) (L)user has several http sessions open to your machine...  He may not
realize that he is being forwarded to another machine, or perhaps he thinks
something funny is going on & is trying to figure it out...

5) at 15:12:25, (l)user tries to ftp into your machine...  Connection times
out...  He may (or may not) have tried the wu-ftpd overflow exploit (fixed
with the most recent update)...  I imagine he is trying to figure out what
is going on with your network, etc...

Do you have PortSentry installed?

I don't think he got into your machine, but I'd definitely say you're
getting probed (at the least).



> -----Original Message-----
> From: Larry Grover [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, October 03, 2000 11:58 AM
> To:   [EMAIL PROTECTED]
> Subject:      log entries:  innocent or crack attempt?
> 
> This morning I found several entries in my logs which look suspicious to
> me.  Can anyone enlighten me?  
> 
> Background.  I have three networked machines: 
> 
> (1) The first acts as a firewall, does ip-masqing for machines (2) and (3)
> and port forwarding (ports 21, 80) for machine (2).
> 
> (2) The second runs apache and wu-ftp, and handles connections made through
> the firewall on ports 21 and 80.
> 
> (3) The third runs win95.
> 
> Machines (1) and (2) run RH6.2, and have all package updates installed.
> OpenSSH also runs on both (1) and (2)
> 
> Here are the log entries that look funny to me:
> 
> (1) On the Firewall machine (a.b.c.d):
> 
> Oct  3 00:48:12 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> 203.21.16.18:80 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
> Oct  3 00:48:13 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> 203.21.16.18:2217 a.b.c.d:80 L=60 S=0x00 I=978 F=0x4000 T=45 SYN (#32) 
> Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=993 F=0x4000 T=45 (#32) 
> Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=994 F=0x4000 T=45 (#32) 
> Oct  3 00:48:14 a.b.c.d sshd[10731]: Connection from 203.21.16.18 port
> 2225
> Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=1004 F=0x4000 T=45 (#32) 
> Oct  3 00:58:14 a.b.c.d sshd[10731]: fatal: Timeout before authentication
> for 203.21.16.18.
> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> 203.21.16.18:1 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> 203.21.16.18:2 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> 203.21.16.18:3 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 SYN (#32) 
> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> 203.21.16.18:5 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
> 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=16004 F=0x0000 T=236 (#32) 
> 
> (2) On the FTP/HTTP server (shoeless):
> 
> Oct  2 15:12:25 shoeless in.ftpd[9647]: connect from 203.21.16.18
> Oct  2 15:25:33 shoeless ftpd[9647]: lost connection to
> mail.travelmate.com.au [203.21.16.18]
> Oct  2 15:25:33 shoeless ftpd[9647]: FTP session closed
> Oct  2 15:25:34 shoeless inetd[420]: pid 9647: exit status 255
> 
> Note:  the clock on shoeless is broken, and gives incorrect time.
> 
> 
> The machine attempting to connect (203.21.16.18) resolves to
> mail.travelmate.com.au -- a mail server??  So why would a mail server be
> attempting to connect to my machine?  Why are the connection attempts
> coming from low ports (1-5)?  Why attempt an ssh connection?
> 
> I'd really appreciate your comments and suggestions.
> 
> __
> Larry Grover, PhD
> Assoc Prof of Physiology
> Marshall Univ Sch of Med
> 
> 
> 
> 
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
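The reply above does its triage by eye: it pulls every event for 203.21.16.18 out of the ipchains packet log, the sshd log and the ftpd log, lines them up, and notices that one source touched three services, that the "client" source ports were 80 and 1-5 rather than ephemeral ports, and that the ssh connection was opened but never authenticated. The script below is an added example (mine, not from either poster) that automates exactly that correlation over sample lines constructed from the ones quoted in the thread, with the email-wrapped "Packet log" lines rejoined. The heuristics (source port below 1024, the same IP ID value reused across packets, several different TTLs from one address, one address touching several services, an ssh timeout before authentication) are my own labels; 10.0.0.7 is an invented benign client included so the script has something it should not flag.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the lines quoted in the thread (each "Packet log"
# line is rejoined onto one line). 10.0.0.7 is an invented, benign web client.
SAMPLE_LOG = """\
Oct  3 00:48:12 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:80 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
Oct  3 00:48:13 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=60 S=0x00 I=978 F=0x4000 T=45 SYN (#32)
Oct  3 00:48:14 a.b.c.d sshd[10731]: Connection from 203.21.16.18 port 2225
Oct  3 00:58:14 a.b.c.d sshd[10731]: fatal: Timeout before authentication for 203.21.16.18.
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:1 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 SYN (#32)
Oct  2 15:12:25 shoeless in.ftpd[9647]: connect from 203.21.16.18
Oct  3 00:50:01 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 10.0.0.7:34567 a.b.c.d:80 L=60 S=0x00 I=4411 F=0x4000 T=64 SYN (#32)
"""

# ipchains "Packet log" line: chain verdict iface PROTO src:sport dst:dport L= S= I= F= T= [SYN]
PKT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<syn> SYN)?"
)
SSHD_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: (?P<msg>.*)$")
FTPD_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ in\.ftpd\[\d+\]: connect from (?P<src>[\d.]+)")
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
SERVICE_BY_PORT = {"21": "ftp", "22": "ssh", "80": "http"}


def parse_line(line):
    """Turn one syslog line into an event dict, or None if it is not a line we recognise."""
    m = PKT_RE.match(line)
    if m:
        d = m.groupdict()
        return {"src": d["src"], "kind": "packet",
                "service": SERVICE_BY_PORT.get(d["dport"], "tcp/" + d["dport"]),
                "sport": int(d["sport"]), "ipid": int(d["ipid"]),
                "ttl": int(d["ttl"]), "syn": bool(d["syn"])}
    m = SSHD_RE.match(line)
    if m:
        ip = IP_RE.search(m["msg"])
        if not ip:
            return None
        kind = "ssh_timeout" if "Timeout before authentication" in m["msg"] else "ssh_connect"
        return {"src": ip.group(0), "kind": kind, "service": "ssh"}
    m = FTPD_RE.match(line)
    if m:
        return {"src": m["src"], "kind": "ftp_connect", "service": "ftp"}
    return None


def triage(log_text, ephemeral_floor=1024, ipid_repeat=3):
    """Group events by source address and attach heuristic findings to each source."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        packets = [e for e in evs if e["kind"] == "packet"]
        services = {e["service"] for e in evs}
        findings = []
        # A real client picks an ephemeral source port; 80 or 1-5 as a source port is not that.
        low = sorted({e["sport"] for e in packets if e["sport"] < ephemeral_floor})
        if low:
            findings.append(("low_source_port", f"client source ports {low} below {ephemeral_floor}"))
        # A normal stack increments the IP ID; the same value on many packets points at crafted packets.
        ipids = defaultdict(int)
        for e in packets:
            ipids[e["ipid"]] += 1
        repeated = {i: n for i, n in ipids.items() if n >= ipid_repeat}
        if repeated:
            findings.append(("repeated_ip_id", f"IP ID reused across packets: {repeated}"))
        # Different TTLs from one address within minutes: different hosts or forged packets.
        ttls = sorted({e["ttl"] for e in packets})
        if len(ttls) >= 2:
            findings.append(("ttl_variance", f"TTLs seen from this source: {ttls}"))
        if len(services) >= 2:
            findings.append(("multi_service", f"one source touched {sorted(services)}"))
        if any(e["kind"] == "ssh_timeout" for e in evs):
            findings.append(("ssh_auth_timeout", "ssh connection opened but never authenticated"))
        report[src] = {"services": services, "packets": len(packets), "findings": findings}
    return report


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(src, sorted(info["services"]), f"{info['packets']} packets")
        for code, detail in info["findings"]:
            print("   ", code, "-", detail)
```

Run it as-is and 203.21.16.18 comes out with all five findings while 10.0.0.7 comes out clean. Against a real box the same functions would read the concatenated /var/log/messages and secure files; the one thing to remember from Larry's note is that shoeless's clock is wrong, so events from that host cannot be ordered against the firewall's by timestamp, which is why this groups by source address rather than by time.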
