Thanks for the response.  Your analysis confirms my suspicions.

I do have PortSentry installed, and it has flagged other attempts in the past, but not 
this one.

Since this attempt, I've been specifically blocking 203.21.16.18 on the firewall, and
on the internal server.

I'm also logging all connections and attempted connections, but I haven't seen 
anything suspicious since.

I ran "rpm -Va" on the server, and everything checked out OK.

Anything else I should do to verify the integrity of my systems?

Do you think the machine at 203.21.16.18 has been cracked and is being used to attempt 
attacks on others?  Should I contact the admin of that machine?

__
Larry Grover, PhD
Assoc Prof of Physiology
Marshall Univ Sch of Med



On Tue, 03 Oct 2000 16:24:00 -0400, "Burke, Thomas G." 
<[EMAIL PROTECTED]> wrote:
>
> Looks to me like something similar to the following happened:
>
> 1) (L)user on 203.21.16.18 connected (http) to your web server at 15:00 (so
> far not too worrisome)
>
> 2) (L)user on 203.21.16.18 tries to ssh into your machine - WARNING!  He has
> no business doing this, you are being probed!
>
> 3) Authentication times out on ssh login - WARNING!  He probably tried the
> old openssh exploit (which has been plugged) and failed (or, a script is
> trying to make connections to see if there is a machine there).  YOU ARE
> UNDER ATTACK!
>
> 4) (L)user has several http sessions open to your machine...  He may not
> realize that he is being forwarded to another machine, or perhaps he thinks
> something funny is going on & is trying to figure it out...
>
> 5) at 15:12:25, (l)user tries to ftp into your machine...  Connection times
> out...  He may (or may not) have tried the wu-ftpd overflow exploit (fixed
> with the most recent update)...  I imagine he is trying to figure out what
> is going on with your network, etc...
>
> Do you have PortSentry installed?
>
> I don't think he got into your machine, but I'd definitely say you're
> getting probed (at the least)
>
>
>
>> -----Original Message-----
>> From:        Larry Grover [SMTP:[EMAIL PROTECTED]]
>> Sent:        Tuesday, October 03, 2000 11:58 AM
>> To:  [EMAIL PROTECTED]
>> Subject:     log entries:  innocent or crack attempt?
>> 
>> This morning I found several entries in my logs which look suspicious to
>> me.  Can anyone enlighten me?  
>> 
>> Background.  I have three networked machines:
>> 
>> (1) The first acts as a firewall, does ip-masqing for machines (2) and (3)
>> and port forwarding (ports 21, 80) for machine (2).
>> 
>> (2) The second runs apache and wu-ftp, and handles connections made through
>> the firewall on ports 21 and 80.
>> 
>> (3) The third runs win95.
>> 
>> Machines (1) and (2) run RH6.2, and have all package updates installed.
>> OpenSSH also runs on both (1) and (2)
>> 
>> Here are the log entries that look funny to me:
>> 
>> (1) On the Firewall machine (a.b.c.d):
>> 
>> Oct  3 00:48:12 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
>> 203.21.16.18:80 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
>> Oct  3 00:48:13 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
>> 203.21.16.18:2217 a.b.c.d:80 L=60 S=0x00 I=978 F=0x4000 T=45 SYN (#32) 
>> Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
>> 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=993 F=0x4000 T=45 (#32) 
>> Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
>> 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=994 F=0x4000 T=45 (#32) 
>> Oct  3 00:48:14 a.b.c.d sshd[10731]: Connection from 203.21.16.18 port
>> 2225
>> Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
>> 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=1004 F=0x4000 T=45 (#32) 
>> Oct  3 00:58:14 a.b.c.d sshd[10731]: fatal: Timeout before authentication
>> for 203.21.16.18.
>> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
>> 203.21.16.18:1 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
>> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
>> 203.21.16.18:2 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
>> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
>> 203.21.16.18:3 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
>> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
>> 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 SYN (#32) 
>> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
>> 203.21.16.18:5 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32) 
>> Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6
>> 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=16004 F=0x0000 T=236 (#32) 
>> 
>> (2) On the FTP/HTTP server (shoeless):
>> 
>> Oct  2 15:12:25 shoeless in.ftpd[9647]: connect from 203.21.16.18
>> Oct  2 15:25:33 shoeless ftpd[9647]: lost connection to
>> mail.travelmate.com.au [203.21.16.18]
>> Oct  2 15:25:33 shoeless ftpd[9647]: FTP session closed
>> Oct  2 15:25:34 shoeless inetd[420]: pid 9647: exit status 255
>> 
>> Note:  the clock on shoeless is broken, and gives incorrect time.
>> 
>> 
>> The machine attempting to connect (203.21.16.18) resolves to
>> mail.travelmate.com.au -- a mail server??  So why would a mail server be
>> attempting to connect to my machine?  Why are the connection attempts
>> coming from low ports (1-5)?  Why attempt a ssh connection?
>> 
>> I'd really appreciate your comments and suggestions.
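The questions raised in the original post (why the source ports 1-5, why the odd TTLs, why packets on port 80 with no handshake) can be answered mechanically from the ipchains "Packet log:" lines themselves. The following is an added example, not code from anyone in this thread: a small Python parser for the Red Hat 6.2 / ipchains syslog format shown above, with a few defender-side triage heuristics run over a sample log constructed by unwrapping the thread's own firewall lines. The field meanings (L = packet length, I = IP identification, F = fragment flags, T = TTL, "SYN" printed only when that flag is set, "(#32)" = matching rule number) are as ipchains prints them; the heuristics and their thresholds are my own assumptions, not anything the thread states.

```python
import re
from collections import Counter, defaultdict

# Matches the ipchains "Packet log:" syslog line format used on Red Hat 6.2
# (2.2 kernels).  "SYN" is the only TCP flag word ipchains appends.
PACKET_LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[^:\s]+):(?P<sport>\d+) "
    r"(?P<dst>[^:\s]+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) "
    r"I=(?P<ipid>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)\s*$"
)

# Constructed sample: the firewall lines quoted in the thread, re-joined
# where the mail client wrapped them.  The sshd lines are kept to show that
# non-ipchains syslog entries are skipped rather than mis-parsed.
SAMPLE_LOG = """\
Oct  3 00:48:12 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:80 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
Oct  3 00:48:13 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=60 S=0x00 I=978 F=0x4000 T=45 SYN (#32)
Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=993 F=0x4000 T=45 (#32)
Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=994 F=0x4000 T=45 (#32)
Oct  3 00:48:14 a.b.c.d sshd[10731]: Connection from 203.21.16.18 port 2225
Oct  3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=1004 F=0x4000 T=45 (#32)
Oct  3 00:58:14 a.b.c.d sshd[10731]: fatal: Timeout before authentication for 203.21.16.18.
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:1 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:3 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 SYN (#32)
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:5 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
Oct  3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=16004 F=0x0000 T=236 (#32)
"""


def parse_packet_log(line):
    """Return a dict for one ipchains Packet log line, or None for any other syslog line."""
    m = PACKET_LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec


def parse_log(text):
    """Parse every Packet log line in a syslog extract, skipping the rest."""
    return [r for r in (parse_packet_log(l) for l in text.splitlines()) if r]


def low_source_ports(records, limit=1024):
    """Clients normally connect from ephemeral ports; a source port below
    `limit` (assumed threshold) on a connection to a public service is odd."""
    return sorted({r["sport"] for r in records if r["sport"] < limit})


def flows_without_syn(records):
    """(src, sport) pairs for which the firewall logged segments but never a
    SYN: traffic for a connection whose handshake the firewall never saw."""
    syn_seen, other = set(), set()
    for r in records:
        (syn_seen if r["syn"] else other).add((r["src"], r["sport"]))
    return sorted(other - syn_seen)


def repeated_ip_ids(records, min_count=3):
    """IP identification values reused across many packets.  A normal stack
    changes the ID from packet to packet, so heavy reuse points at crafted packets."""
    counts = Counter(r["ipid"] for r in records)
    return {ipid: n for ipid, n in counts.items() if n >= min_count}


def ttls_per_source(records):
    """Distinct TTLs seen per source address.  One host a fixed number of hops
    away should show one TTL; several values suggest more than one tool or stack."""
    ttls = defaultdict(set)
    for r in records:
        ttls[r["src"]].add(r["ttl"])
    return {src: sorted(v) for src, v in ttls.items()}


def triage(text):
    """Run all heuristics over a syslog extract and return the findings."""
    records = parse_log(text)
    return {
        "packets": len(records),
        "low_source_ports": low_source_ports(records),
        "flows_without_syn": flows_without_syn(records),
        "repeated_ip_ids": repeated_ip_ids(records),
        "ttls_per_source": ttls_per_source(records),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

On the sample, the script reports source ports 1 through 5 and 80 as below the ephemeral range, flags the port 80/1/2/3/5 "connections" as having no logged SYN (port 4 is the only low port that did send one), shows IP ID 39426 reused six times on identical 40-byte packets, and lists three different TTLs (23, 45, 236) from the one address. Taken together those are the features that distinguish the genuine browser session from port 2217 (SYN, then 52-byte segments, incrementing IP IDs, constant TTL 45) from the later low-port packets, which is the kind of evidence worth attaching when contacting the remote administrator.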



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
