Hi All

I was contacted an hour or so ago by someone claiming that they are
being port scanned by an ip used on one of our production gentoo
servers.

The ip in question is only used to provide https and http for an
oscommerce (php) shoppingcart (although heavily modified and patched).

I must admit that although I am currently unix sysadmin at a small isp
that I'm still a novice in many ways and thus I'm having trouble
determining if this is actually happening. I tried running iptraf but saw
no signs of suspicious traffic but at that time scanning may well have
stopped.

I have snort and acid installed on the machine but have not been running
it for some time since my superiors felt that it was wasting
machine/mysql resources.

Also running chkrootkit yielded no positives.

Any advice regarding commands to run to check for portscans or worms
etc. would be most welcome. I try to keep the gentoo servers as up to
date as possible but I wouldn't be surprised to learn of things I should
do but never knew about.

Best Regards

Jean Blignaut
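Since the question is how to confirm whether the host is scanning outbound, here is an added detection example (not from the original post or the list): it applies the usual "N distinct ports to one destination within T seconds" heuristic to iptables LOG lines for new outbound TCP connections. The "OUT-NEW:" prefix, the host name and every address are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of iptables LOG output for new outbound TCP connections from
# the suspected server (10.0.0.5); a rule such as
#   iptables -A OUTPUT -p tcp --syn -j LOG --log-prefix "OUT-NEW: "   (assumed prefix)
SAMPLE_LOG = """\
Jan 12 10:00:01 shop kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 PROTO=TCP SPT=40001 DPT=3306 SYN
Jan 12 10:00:02 shop kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=40002 DPT=21 SYN
Jan 12 10:00:02 shop kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=40003 DPT=22 SYN
Jan 12 10:00:03 shop kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=40004 DPT=23 SYN
Jan 12 10:00:03 shop kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=40005 DPT=25 SYN
Jan 12 10:00:04 shop kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=40006 DPT=80 SYN
Jan 12 10:00:05 shop kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 PROTO=TCP SPT=40007 DPT=110 SYN
Jan 12 10:00:09 shop kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=198.51.100.20 PROTO=TCP SPT=40008 DPT=3306 SYN
Jan 12 10:30:00 shop kernel: OUT-NEW: IN= OUT=eth0 SRC=10.0.0.5 DST=192.0.2.7 PROTO=TCP SPT=40009 DPT=443 SYN
"""

FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S*)")

def parse_line(line):
    """Parse one syslog-wrapped iptables LOG line into (timestamp, fields), or None."""
    if "PROTO=" not in line:
        return None
    ts = datetime.strptime(line[:15], "%b %d %H:%M:%S")  # syslog stamp has no year
    return ts, dict(FIELD_RE.findall(line))

def find_port_scans(log_text, min_ports=5, window_s=60):
    """Return {(src, dst): ports} for pairs hitting >= min_ports distinct TCP ports in window_s."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, f = parsed
        if f.get("PROTO") != "TCP" or not f.get("DPT"):
            continue
        events[(f["SRC"], f["DST"])].append((ts, int(f["DPT"])))
    hits = {}
    for pair, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide a window starting at each SYN
            seen = {p for t, p in evs[i:] if t - start <= timedelta(seconds=window_s)}
            if len(seen) >= min_ports:
                hits[pair] = sorted(seen)
                break
    return hits

if __name__ == "__main__":
    for (src, dst), ports in find_port_scans(SAMPLE_LOG).items():
        print(f"possible scan {src} -> {dst}: {len(ports)} ports {ports}")
```

Repeated hits against one destination that stay on a single port (the 3306 database connections above) are not flagged, which keeps normal application traffic out of the report.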