Interesting... I'm also reading up on the idle scan and possibly that's
what is going on here.

I would highly recommend restricting outbound traffic from that server.
Even if this is a false positive it's a good idea to have things locked
down more tightly. I'd also recommend disabling loadable module support in
your kernel ;)

Also, didn't that paper on the idle scan mention that more random IPIDs
would help prevent idle scans? GrSecurity has just the feature to take
care of this. You might want to check into using some of the GRSecurity
features in the kernel. :)

HTH!

On Fri, January 20, 2006 08:18, Jean Blignaut wrote:
> I'm still trying to get some help from the guy who does the main network
> firewall (FreeBSD that I have no access to); he does run snort on there
> also, but to get anything out of him is not that easy.
>
> On the box itself I run shorewall but I allow any traffic from the box
> to outside (probably need to change that)
>
> Nothing seems out of place in bash history and /var/log/messages doesn't
> seem to contain anything useful (only log dumped or rejected stuff in
> the firewall)
>
> I've been resetting up snort (apparently the guy's servers were scanned
> yesterday and this morning so possibly I might learn something)
>
> -----Original Message-----
> From: xyon [mailto:xyon@×××××××××××.com]
> Sent: Friday, January 20, 2006 3:02 PM
> To: gentoo-server@l.g.o
> Subject: Re: [gentoo-server] portscanning worm?
>
> I know this seems like a given, but have you checked your bash_history
> (if it still exists), /var/log/messages, etc? Do you use a kernel with
> modules enabled? Do you have a firewall between the server and the outside
> world that would yield any insight as to what that suspected box is doing?
>
>
> On Fri, January 20, 2006 06:24, darren kirby wrote:
>> quoth the Jean Blignaut:
>>> Hi All
>>
>>> I was contacted an hour or so ago by someone claiming that they are
>>> being port scanned by an IP used on one of our production Gentoo
>>> servers.
>>
>> This could possibly be someone using your machine as a zombie host for
>> an idlescan:
>> http://www.insecure.org/nmap/idlescan.html
>>
>>> Best Regards
>>>
>>> Jean Blignaut
>>
>> -d
>> --
>> darren kirby :: Part of the problem since 1976 ::
>> http://badcomputer.org
>> "...the number of UNIX installations has grown to 10, with more
>> expected..."
>> - Dennis Ritchie and Ken Thompson, June 1972
>>
>
>
> --
> Steven McCoy
> Site Development/Manager
> IndigoRobot Services
> http://www.indigorobot.com
> mailto:stevenmccoy@×××××××××××.com
>
> --
> gentoo-server@g.o mailing list
>

--
Steven McCoy
Site Development/Manager
IndigoRobot Services
http://www.indigorobot.com
mailto:stevenmccoy@×××××××××××.com

--
gentoo-server@g.o mailing list
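As an added example (not part of the thread above), here is a small Python check a defender could run over a `tcpdump -v` capture of the suspected server's replies to decide whether its IP ID sequence is predictable enough to make it an idle-scan zombie. The class names and thresholds are assumptions loosely modelled on the IP ID classes nmap reports, and the capture lines are constructed.

```python
import re
from typing import Sequence

IPID_MOD = 1 << 16  # the IP ID header field is 16 bits and wraps at 65535

# Constructed sample (not real traffic): "tcpdump -v" style lines as a defender
# might capture from the suspected server while sending it a few probes.
SAMPLE_CAPTURE = """\
IP (tos 0x0, ttl 64, id 4101, offset 0, flags [DF], proto TCP (6), length 60)
IP (tos 0x0, ttl 64, id 4102, offset 0, flags [DF], proto TCP (6), length 60)
IP (tos 0x0, ttl 64, id 4103, offset 0, flags [DF], proto TCP (6), length 60)
IP (tos 0x0, ttl 64, id 4104, offset 0, flags [DF], proto TCP (6), length 60)
"""

ID_RE = re.compile(r"\bid (\d+),")

def extract_ipids(capture: str) -> list[int]:
    """Pull the IP ID of every packet out of tcpdump -v style output."""
    return [int(m.group(1)) for m in ID_RE.finditer(capture)]

def ipid_deltas(ids: Sequence[int]) -> list[int]:
    """Differences between successive IDs, taken modulo 2^16 so a wrap
    (65535 -> 0) still counts as an increment of 1."""
    return [(b - a) % IPID_MOD for a, b in zip(ids, ids[1:])]

def classify_ipid(ids: Sequence[int]) -> str:
    """Name the generation scheme. Classes and thresholds are modelled loosely
    on what nmap's OS detection reports (an assumption of this example, not
    nmap's exact algorithm)."""
    if len(ids) < 3:
        return "insufficient"
    if all(i == 0 for i in ids):
        return "zero"          # field never set; leaks nothing to an idle scan
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= 10 for d in deltas):
        return "incremental"   # one global counter: the classic idle-scan zombie
    if all(d % 256 == 0 and 256 <= d <= 2560 for d in deltas):
        return "byte-swapped incremental"  # same counter, stored little-endian
    if max(deltas) >= 20000:
        return "random"        # what a randomised IPID sequence looks like
    return "irregular"

def is_usable_zombie(ids: Sequence[int]) -> bool:
    """True when the host's IP IDs are predictable enough to leak scan results."""
    return classify_ipid(ids) in ("incremental", "byte-swapped incremental")
```

Run it against a capture of your own server's responses; a "random" result is what you want to see after enabling IPID randomisation, and "incremental" means the box can be used as a zombie.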