| 1 |
Hi All |
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
I was contacted an hour or so aggo by some one claiming that they are |
| 6 |
being port scanned by an ip used on one of our production gentoo |
| 7 |
servers. |
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
The ip in question is only used to provide https and http for an |
| 12 |
oscommerce (php) shoppingcart (although heavily modified and patched) |
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
I must admit that although I am currently unix sysadmin at a small isp |
| 17 |
that I'm still a novice in many ways and thus I'm having trouble |
| 18 |
determining if this is actually happening I tried running iptraf but saw |
| 19 |
no signs of suspicious traffic but at that time scanning may well have |
| 20 |
stopped. |
| 21 |
|
| 22 |
I have snort and acid installed on the machine but have not been running |
| 23 |
it for some time since my superiors felt that it was wasting |
| 24 |
machine/mysql resources. |
| 25 |
|
| 26 |
Also running chkrootkit yielded no positives. |
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
Anny advice regarding commands to run to check for portscans or worms |
| 31 |
etc. would be most welcome. I try to keep the gentoo servers as up to |
| 32 |
date as possible but I wouldn't be surprised to learn of things I should |
| 33 |
do but never knew about |
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
Best Regards |
| 38 |
|
| 39 |
Jean Blignaut |
Archives