I also agree with Tom. The bad news is that you were attacked. The good
news is that it looks like it was just a "Script Kiddy" that did the attack.
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Larry Grover
> Sent: Tuesday, October 03, 2000 10:58 AM
> To: [EMAIL PROTECTED]
> Subject: log entries: innocent or crack attempt?
>
>
> This morning I found several entries in my logs which look
> suspicious to me. Can anyone enlighten me?
>
> Background. I have three networked machines:
>
> (1) The first acts as a firewall, does ip-masqing for machines
> (2) and (3) and port forwarding (ports 21, 80) for machine (2).
>
> (2) The second runs apache and wu-ftp, and handles connections
> made through the firewall on ports 21 and 80.
>
> (3) The third runs win95.
>
> Machines (1) and (2) run RH6.2, and have all package updates
> installed. OpenSSH also runs on both (1) and (2).
>
> Here are the log entries that look funny to me:
>
> (1) On the Firewall machine (a.b.c.d):
>
> Oct 3 00:48:12 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:80 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
> Oct 3 00:48:13 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=60 S=0x00 I=978 F=0x4000 T=45 SYN (#32)
> Oct 3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=993 F=0x4000 T=45 (#32)
> Oct 3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=994 F=0x4000 T=45 (#32)
> Oct 3 00:48:14 a.b.c.d sshd[10731]: Connection from 203.21.16.18 port 2225
> Oct 3 00:48:14 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=52 S=0x00 I=1004 F=0x4000 T=45 (#32)
> Oct 3 00:58:14 a.b.c.d sshd[10731]: fatal: Timeout before authentication for 203.21.16.18.
> Oct 3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:1 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
> Oct 3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
> Oct 3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:3 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
> Oct 3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 SYN (#32)
> Oct 3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:5 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
> Oct 3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:4 a.b.c.d:80 L=40 S=0x00 I=16004 F=0x0000 T=236 (#32)
>
> (2) On the FTP/HTTP server (shoeless):
>
> Oct 2 15:12:25 shoeless in.ftpd[9647]: connect from 203.21.16.18
> Oct 2 15:25:33 shoeless ftpd[9647]: lost connection to mail.travelmate.com.au [203.21.16.18]
> Oct 2 15:25:33 shoeless ftpd[9647]: FTP session closed
> Oct 2 15:25:34 shoeless inetd[420]: pid 9647: exit status 255
>
> Note: the clock on shoeless is broken, and gives incorrect time.
>
>
> The machine attempting to connect (203.21.16.18) resolves to
> mail.travelmate.com.au -- a mail server?? So why would a mail
> server be attempting to connect to my machine? Why are the
> connection attempts coming from low ports (1-5)? Why attempt a
> ssh connection?
>
> I'd really appreciate your comments and suggestions.
>
> __
> Larry Grover, PhD
> Assoc Prof of Physiology
> Marshall Univ Sch of Med
>
> _______________________________________________
> Redhat-list mailing list
> [EMAIL PROTECTED]
> https://listman.redhat.com/mailman/listinfo/redhat-list
>
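As an added example, not code from anyone in this thread, here is a small Python checker that applies the reasoning behind the "script kiddy" verdict to the quoted ipchains and sshd lines: source ports that no normal client would use (1 to 5, or 80), bare 40-byte TCP segments sent without SYN, an IP ID that never changes between probes, and an ssh connection that reads the banner and never authenticates. The sample log is a constructed subset of the poster's entries re-joined onto single lines; the thresholds and finding texts are my own.

```python
import re
from collections import Counter

# Constructed sample: some of the firewall's entries from the post, one per line.
# a.b.c.d is the poster's own placeholder for the firewall address.
SAMPLE_LOG = """\
Oct 3 00:48:12 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:80 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
Oct 3 00:48:13 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2217 a.b.c.d:80 L=60 S=0x00 I=978 F=0x4000 T=45 SYN (#32)
Oct 3 00:48:14 a.b.c.d sshd[10731]: Connection from 203.21.16.18 port 2225
Oct 3 00:58:14 a.b.c.d sshd[10731]: fatal: Timeout before authentication for 203.21.16.18.
Oct 3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:1 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
Oct 3 01:01:25 a.b.c.d kernel: Packet log: input ACCEPT eth0 PROTO=6 203.21.16.18:2 a.b.c.d:80 L=40 S=0x00 I=39426 F=0x0000 T=23 (#32)
"""

# ipchains "Packet log:" layout: chain verdict iface PROTO=n src:sport dst:dport L= S= I= F= T= [SYN] (#rule)
PKT_RE = re.compile(
    r"Packet log: \w+ \w+ \S+ PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) "
    r"\S+:(?P<dport>\d+) L=(?P<len>\d+) S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) "
    r"F=0x[0-9a-fA-F]+ T=\d+(?P<syn> SYN)?"
)
SSH_TIMEOUT_RE = re.compile(r"sshd\[\d+\]: fatal: Timeout before authentication for (?P<ip>\d+\.\d+\.\d+\.\d+)")


def analyze(log_text):
    """Scan firewall/sshd log text; return sorted, de-duplicated (source, reason) findings."""
    findings, ipid_hits = [], Counter()
    for line in log_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            src, sport = m["src"], int(m["sport"])
            if m["proto"] == "6" and sport < 1024:
                # Real clients pick ephemeral ports (>1023); ports 1-5 or 80 as the
                # *source* of traffic to our port 80 mean hand-built packets.
                findings.append((src, f"crafted packet: privileged source port {sport}"))
            if m["proto"] == "6" and int(m["len"]) == 40 and not m["syn"]:
                # A bare 40-byte TCP segment with no SYN never opens a handshake;
                # it only tests whether the port answers.
                findings.append((src, "crafted packet: 40-byte TCP segment without SYN"))
            ipid_hits[(src, m["ipid"])] += 1
            continue
        m = SSH_TIMEOUT_RE.search(line)
        if m:
            # Connected, read the version banner, never tried to log in: a scanner.
            findings.append((m["ip"], "sshd: connection timed out before any authentication"))
    for (src, ipid), n in ipid_hits.items():
        if n >= 3:
            # A kernel increments the IP ID per packet; one fixed ID on every probe is a tool.
            findings.append((src, f"crafted packet: IP ID {ipid} reused {n} times"))
    return sorted(set(findings))


if __name__ == "__main__":
    for src, reason in analyze(SAMPLE_LOG):
        print(f"{src}: {reason}")
```

Run against the full log the SYN line from port 2217 (a real three-way handshake) produces no finding, which is the contrast the reply draws between a normal client and the probes.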