| 1 |
I'm still trying to get some help from the guy who does the main network |
| 2 |
firewall (FREEBSD that I have no access to) he does run snort on there |
| 3 |
also but to get any thing out of him is not that easy. |
| 4 |
|
| 5 |
On the box itself I run shorewall but I allow any traffic from the box |
| 6 |
to outside (probably need to change that) |
| 7 |
|
| 8 |
Nothing seems out of place in bash history and /var/log/messages doesn't |
| 9 |
seem to contain any thing usefull (only log dumped or rejected stuff in |
| 10 |
the fire wall) |
| 11 |
|
| 12 |
Ive been resetting up snort (apparently the guys servers where scaned |
| 13 |
yesterday and this morning so possibly I might learn some thing) |
| 14 |
|
| 15 |
-----Original Message----- |
| 16 |
From: xyon [mailto:xyon@×××××××××××.com] |
| 17 |
Sent: Friday, January 20, 2006 3:02 PM |
| 18 |
To: gentoo-server@l.g.o |
| 19 |
Subject: Re: [gentoo-server] portscanning worm? |
| 20 |
|
| 21 |
I know this seems like a given, but have you checked your bash_history |
| 22 |
(if |
| 23 |
it still exists), /var/log/messages, etc? Do you use a kernel with |
| 24 |
modules |
| 25 |
enabled? Do you have a firewall between the server and the outside world |
| 26 |
that would yeild any insight as to what that suspected box is doing? |
| 27 |
|
| 28 |
|
| 29 |
On Fri, January 20, 2006 06:24, darren kirby wrote: |
| 30 |
> quoth the Jean Blignaut: |
| 31 |
>> Hi All |
| 32 |
> |
| 33 |
>> I was contacted an hour or so aggo by some one claiming that they are |
| 34 |
>> being port scanned by an ip used on one of our production gentoo |
| 35 |
>> servers. |
| 36 |
> |
| 37 |
> This could possibly be someone using your machine as a zombie host for |
| 38 |
an |
| 39 |
> idlescan: |
| 40 |
> http://www.insecure.org/nmap/idlescan.html |
| 41 |
> |
| 42 |
>> Best Regards |
| 43 |
>> |
| 44 |
>> Jean Blignaut |
| 45 |
> |
| 46 |
> -d |
| 47 |
> -- |
| 48 |
> darren kirby :: Part of the problem since 1976 :: |
| 49 |
http://badcomputer.org |
| 50 |
> "...the number of UNIX installations has grown to 10, with more |
| 51 |
> expected..." |
| 52 |
> - Dennis Ritchie and Ken Thompson, June 1972 |
| 53 |
> |
| 54 |
|
| 55 |
|
| 56 |
-- |
| 57 |
Steven McCoy |
| 58 |
Site Development/Manager |
| 59 |
IndigoRobot Services |
| 60 |
http://www.indigorobot.com |
| 61 |
mailto:stevenmccoy@×××××××××××.com |
| 62 |
|
| 63 |
-- |
| 64 |
gentoo-server@g.o mailing list |
| 65 |
|
| 66 |
|
| 67 |
-- |
| 68 |
gentoo-server@g.o mailing list |
Archives