Got feedback from the firewall guy:

According to his snort logs the IP I was told did the portscan was not in fact the culprit; the reverse lookup domain name for that IP is responsible, but at this stage it still has an old IP pointing to an old Red Hat 7 box that's overdue for retirement but still has a few straggling websites (old, big and buggy; one in particular is written in old Perl CGI scripts). It seems my problem might just be bigger than I thought. Any ideas on how I might secure a Red Hat 7 box? (muhahahaha)
|
-----Original Message-----
From: Jean Blignaut
Sent: Friday, January 20, 2006 3:18 PM
To: gentoo-server@l.g.o
Subject: RE: [gentoo-server] portscanning worm?
|
I'm still trying to get some help from the guy who does the main network firewall (FreeBSD, which I have no access to); he does run snort on there also, but getting anything out of him is not that easy.
|
On the box itself I run shorewall, but I allow any traffic from the box to outside (probably need to change that).
|
Nothing seems out of place in bash history, and /var/log/messages doesn't seem to contain anything useful (it only logs dumped or rejected stuff in the firewall).
|
I've been setting up snort again (apparently the guy's servers were scanned yesterday and this morning, so possibly I might learn something).
|
-----Original Message-----
From: xyon [mailto:xyon@×××××××××××.com]
Sent: Friday, January 20, 2006 3:02 PM
To: gentoo-server@l.g.o
Subject: Re: [gentoo-server] portscanning worm?
|
I know this seems like a given, but have you checked your bash_history (if it still exists), /var/log/messages, etc.? Do you use a kernel with modules enabled? Do you have a firewall between the server and the outside world that would yield any insight as to what that suspected box is doing?
|
On Fri, January 20, 2006 06:24, darren kirby wrote:
> quoth the Jean Blignaut:
>> Hi All
>
>> I was contacted an hour or so ago by someone claiming that they are
>> being port scanned by an IP used on one of our production gentoo
>> servers.
>
> This could possibly be someone using your machine as a zombie host for an
> idlescan:
> http://www.insecure.org/nmap/idlescan.html
>
>> Best Regards
>>
>> Jean Blignaut
>
> -d
> --
> darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
> "...the number of UNIX installations has grown to 10, with more
> expected..."
> - Dennis Ritchie and Ken Thompson, June 1972
>
|

--
Steven McCoy
Site Development/Manager
IndigoRobot Services
http://www.indigorobot.com
mailto:stevenmccoy@×××××××××××.com
|
--
gentoo-server@g.o mailing list
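The idle scan darren kirby points at is the one mechanism in this thread that would make a quiet, never-logged-into server appear as the scanner in a stranger's logs, so here it is as an added simulation. This is not code from the thread or from nmap; the host names ("attacker", "zombie", "target"), the ports, the seeds and the two-reply stack model are assumptions made for the example. The attacker reads the zombie's IP ID before and after sending the target a SYN with the zombie's source address, and the distance the counter moved tells it the target port's state. The last two functions are the checks a practitioner wants: whether a given host is even usable as a zombie (predictable IP ID), and what the accused host's own packet capture would show.

```python
"""Idle-scan (zombie) simulation. Added example, not code from the thread:
host names, ports, seeds and the two-reply stack model are assumptions."""
import random

ATTACKER = "attacker"  # hypothetical address of the real scanner

class Host:
    """Minimal TCP/IP stack: only the behaviour an idle scan depends on."""
    def __init__(self, name, open_ports=(), filtered_ports=(), random_ipid=False, seed=None):
        self.name = name
        self.open_ports, self.filtered_ports = set(open_ports), set(filtered_ports)
        self.random_ipid = random_ipid
        self._rng = random.Random(seed)
        self._ipid = self._rng.randrange(1, 65536)

    def next_ipid(self):
        """IP ID of the next packet: global +1 counter (a usable zombie) or
        random (a stack that defeats the scan)."""
        if self.random_ipid:
            self._ipid = self._rng.randrange(0, 65536)
        else:
            self._ipid = (self._ipid + 1) & 0xFFFF
        return self._ipid

    def receive(self, port, flags):
        """Flags of the reply to an incoming segment, or None to stay silent."""
        if flags == "SYN":
            if port in self.filtered_ports:
                return None                      # dropped by a firewall
            return "SYN/ACK" if port in self.open_ports else "RST"
        if flags == "SYN/ACK":
            return "RST"    # no matching connection: reset it (RFC 793)
        return None         # an RST is never answered

class Network:
    """Routes segments by destination name and records everything on the wire."""
    def __init__(self):
        self.hosts = {}
        self.wire = []      # (src, dst, port, flags, ipid), in order

    def add(self, host):
        self.hosts[host.name] = host

    def send(self, src, dst, port, flags, ipid=0):
        """Deliver one segment plus the chain of replies it provokes. `src` is
        whatever the sender put in the IP header, so spoofing is just a different
        string. Returns the reply that `dst` emits, or None."""
        self.wire.append((src, dst, port, flags, ipid))
        host = self.hosts.get(dst)
        reply_flags = host.receive(port, flags) if host else None
        if reply_flags is None:
            return None
        reply = (dst, src, port, reply_flags, host.next_ipid())
        self.send(*reply)   # the reply reaches `src`, which may react in turn
        return reply

def probe_zombie(net, zombie):
    """Steps 1 and 3: a SYN/ACK to the zombie is answered with a RST that
    carries the zombie's current IP ID."""
    return net.send(ATTACKER, zombie, 80, "SYN/ACK")[4]

def idle_scan_port(net, zombie, target, port):
    """One port of the scan; only the zombie's address ever reaches the target."""
    before = probe_zombie(net, zombie)
    net.send(zombie, target, port, "SYN")  # step 2: spoofed source, so the
                                           # target answers the zombie, not us
    after = probe_zombie(net, zombie)
    delta = (after - before) & 0xFFFF
    if delta == 2:
        return "open"              # target sent SYN/ACK, zombie answered RST
    if delta == 1:
        return "closed|filtered"   # target sent RST or nothing, zombie stayed quiet
    return "unknown"               # zombie busy, or its IP IDs are not sequential

def zombie_is_usable(net, zombie, probes=5):
    """Precondition for the inference above, and the check to run against an
    accused host: successive probes must show IP ID +1 each."""
    ids = [probe_zombie(net, zombie) for _ in range(probes)]
    return all((b - a) & 0xFFFF == 1 for a, b in zip(ids, ids[1:]))

def inbound_syn_ack_sources(net, zombie):
    """Zombie-side footprint: SYN/ACKs for connections it never opened, from
    both the scanner (its probes) and the scanned host (its replies)."""
    return sorted({s[0] for s in net.wire if s[1] == zombie and s[3] == "SYN/ACK"})

def demo(random_ipid=False):
    """Scan four ports on `target` through `zombie`; all values are constructed."""
    net = Network()
    net.add(Host("zombie", open_ports={80}, random_ipid=random_ipid, seed=1))
    net.add(Host("target", open_ports={22, 80}, filtered_ports={25}, seed=2))
    usable = zombie_is_usable(net, "zombie")
    results = {p: idle_scan_port(net, "zombie", "target", p) for p in (22, 25, 80, 443)}
    return usable, results, inbound_syn_ack_sources(net, "zombie")

if __name__ == "__main__":
    usable, results, sources = demo()
    print("zombie usable:", usable, "| target ports:", results)
    print("SYN/ACKs arriving at the zombie came from:", sources)
```

Run as-is, the scan reports the target's ports 22 and 80 as open and 25 and 443 as closed or filtered, while every SYN the target saw carried the zombie's address, which is exactly the complaint Jean received. With random_ipid=True the usability check fails and the inference degrades to "unknown"; that IP ID property is the first thing to establish about an accused host (nmap -O reports it as the IP ID sequence generation class, and nmap -sI <zombie> <target> runs the real scan). On the zombie side the only traces are unsolicited SYN/ACKs arriving from two addresses, the scanner's and the victim's, and RSTs leaving; there is nothing in bash history or syslog to find. A stateful host firewall that drops those unsolicited SYN/ACKs rather than letting the stack reset them both breaks the technique and, if drops are logged, leaves a trace in the very firewall log Jean already has.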