Mailinglist Archive: opensuse (3337 mails)

maybe attacked
  • From: Lorenzo Cerini <lorenzo@xxxxxxxxxxxx>
  • Date: Thu, 20 Apr 2006 11:55:04 +0200
  • Message-id: <44475A78.8030900@xxxxxxxxxxxx>
This morning we found an unused server (suse10) in our office in a strange state.
There were two IRC connections open from our server to another one, and two connections on port 4444 from our server to another one. Since it was not used in production it was NATed but not well covered by the firewall (forward policy on connections from it to the WAN). Looking at the logs
we found, both on it and on the real production server (suse9.2), a lot of tries on ssh.

like...
Apr 19 12:38:37 linux sshd[27981]: Invalid user postmaster from 200.13.195.11
Apr 19 12:38:37 linux sshd[27981]: reverse mapping checking getaddrinfo for 200_13_195_11.colomsat.net.co failed - POSSIBLE$
Apr 19 12:38:39 linux sshd[27984]: Invalid user postmaster from 200.13.195.11
Apr 19 12:38:39 linux sshd[27984]: reverse mapping checking getaddrinfo for 200_13_195_11.colomsat.net.co failed - POSSIBLE$
Apr 19 12:38:41 linux sshd[27986]: Invalid user lisa from 200.13.195.11

Then, I think the attacker was able to do something, since I found:

Apr 19 19:00:51 linux syslog-ng[5637]: STATS: dropped 0
Apr 19 20:00:51 linux syslog-ng[5637]: STATS: dropped 0
Apr 19 21:00:51 linux syslog-ng[5637]: STATS: dropped 0
Apr 19 22:00:51 linux syslog-ng[5637]: STATS: dropped 0
Apr 19 23:00:51 linux syslog-ng[5637]: STATS: dropped 0
Apr 19 23:17:36 linux kernel: =36424 DPT=80 LEN=9
Apr 19 23:17:36 linux kernel: >B9 D00 PREC=0x00 TTL=64 ID=1862 DF PROTO=UDP SPT=36423 DPT=80 LEN=9
Apr 19 23:17:42 linux kernel: =36423 DPT=80 LEN=9
Apr 19 23:17:48 linux kernel: 0 PREC=0x00 TTL=64 ID=7144 DF PROTO=UDP SPT=36424 DPT=80 LEN=9
Apr 19 23:17:48 linux kernel: BANDWIDTH_OUT:IN=.9 DST=66.252.26.00 PREC=0x00 TTL=64 ID=7145 DF PROTO=UDP SPT=36424 DPT=80 L$
Apr 19 23:17:49 linux kernel: BANDWIDTH_.199 DST=66.52.26.209 LE00 PREC=0x00 TTL=64 ID=1765 DF PROTO=UDP SPT=36423 DPT=80 L$
Apr 19 23:18:01 linux kernel: =66.252.26.209 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=64442 DF PROTO=UDP SPT=36424 DPT=80 LEN=9
Apr 19 23:18:07 linux kernel: B.199 DST=66.52.2600 PREC=0x00 TTL=64 ID=2692 DF PROTO=UDP SPT=36423 DPT=80 LEN=9
Apr 19 23:18:09 linux kernel: =36424 DPT=80 LEN=9
Apr 19 23:18:12 linux kernel: B=342 LEN=9
Apr 19 23:18:13 linux kernel: BANDW.1952.00 PREC=0x00 TTL=64 ID=1534 DF PROTO=UDP SPT=36424 DPT=80 LEN=9
Apr 19 23:18:13 linux kernel: T=eth0 SRC=192.168.1.199 DST=66.252.26.209 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=9862 DF PROTO=$
Apr 19 23:18:13 linux kernel: BANDWIDTH_OUT:eth0 SRC=168.209 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=9901 DF PROTO=UDP SPT=3642$
Apr 19 23:18:26 linux kernel: 0 PREC=PROTO>BAND.199 D52.00 PREC=0x00 TTL=64 ID=3335 DF PROTO=UDP SPT=36424 DPT=80 LEN=9
Apr 19 23:18:28 linux kernel: 2 DF PROTO=UDP SPT=36423 DPT=80 LEN=9
Apr 19 23:18:29 linux kernel: PREC=36424 DPT=80 LEN=9

And so on ...
I'm not angry or whatever, since that was just a test server, but it would be nice
to have some advice about where to have a look to understand the matter.
TIA
L.
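As an added example (not part of the original post), here is a small Python triage script that runs over the two kinds of log lines quoted above: it counts sshd "Invalid user" attempts per source address, and it parses iptables LOG-target lines written by the kernel to flag outbound flows that are odd for a server, such as the UDP-to-port-80 traffic in the post. The sshd sample lines are copied from the post; the two kernel lines are constructed here to match the field layout visible in the post's truncated BANDWIDTH_OUT lines. The attempt threshold and the suspect port set are assumptions to tune per site.

```python
import re
from collections import Counter, defaultdict

# Sample input. The sshd lines are copied from the post above; the two
# kernel lines are CONSTRUCTED to match the field layout of the post's
# (truncated) BANDWIDTH_OUT lines so the parser has clean input.
SAMPLE_LOG = """\
Apr 19 12:38:37 linux sshd[27981]: Invalid user postmaster from 200.13.195.11
Apr 19 12:38:39 linux sshd[27984]: Invalid user postmaster from 200.13.195.11
Apr 19 12:38:41 linux sshd[27986]: Invalid user lisa from 200.13.195.11
Apr 19 23:17:36 linux kernel: BANDWIDTH_OUT:IN= OUT=eth0 SRC=192.168.1.199 DST=66.252.26.209 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=1862 DF PROTO=UDP SPT=36423 DPT=80 LEN=9
Apr 19 23:18:13 linux kernel: BANDWIDTH_OUT:IN= OUT=eth0 SRC=192.168.1.199 DST=66.252.26.209 LEN=29 TOS=0x00 PREC=0x00 TTL=64 ID=9862 DF PROTO=UDP SPT=36424 DPT=80 LEN=9
"""

# sshd's "Invalid user <name> from <ip>" message (OpenSSH wording)
INVALID_USER_RE = re.compile(
    r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)
# KEY=VALUE tokens as emitted by the iptables LOG target (IN= may be empty)
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Assumption: ports worth flagging on outbound flows. 4444 is named in the
# post; 6667 is the usual IRC port. Tune for your own environment.
SUSPECT_DPORTS = {4444, 6667}


def invalid_user_attempts(lines):
    """Count sshd 'Invalid user' attempts per source IP and record the usernames tried."""
    per_src = Counter()
    users = defaultdict(set)
    for line in lines:
        m = INVALID_USER_RE.search(line)
        if m:
            per_src[m["src"]] += 1
            users[m["src"]].add(m["user"])
    return per_src, users


def ssh_bruteforce_sources(lines, threshold=3):
    """Source IPs with at least `threshold` invalid-user attempts (threshold is an assumption)."""
    per_src, _ = invalid_user_attempts(lines)
    return sorted(ip for ip, n in per_src.items() if n >= threshold)


def parse_iptables_lines(lines):
    """Turn each kernel iptables LOG line into a dict of its KEY=VALUE fields."""
    flows = []
    for line in lines:
        if " kernel: " not in line or "PROTO=" not in line:
            continue  # not an iptables packet log line
        flows.append(dict(KV_RE.findall(line)))
    return flows


def suspicious_outbound(lines):
    """Flag outbound flows that are odd for a server: UDP to port 80, or a suspect dport."""
    hits = []
    for f in parse_iptables_lines(lines):
        if not f.get("OUT"):
            continue  # OUT= is empty for inbound packets
        proto = f.get("PROTO")
        dpt = int(f.get("DPT", 0))  # ICMP lines carry no DPT
        if (proto == "UDP" and dpt == 80) or dpt in SUSPECT_DPORTS:
            hits.append((f.get("SRC"), f.get("DST"), proto, dpt))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    per_src, users = invalid_user_attempts(lines)
    for ip in ssh_bruteforce_sources(lines):
        print(f"ssh brute force from {ip}: {per_src[ip]} attempts, users {sorted(users[ip])}")
    for hit in suspicious_outbound(lines):
        print("suspicious outbound flow (src, dst, proto, dport):", hit)
```

Pointing the script at the real `/var/log/messages` is a matter of replacing `SAMPLE_LOG.splitlines()` with the file's lines. On the two hosts described in the post, the same parsers would also show the port 4444 and IRC connections if the firewall logged them, which is one concrete answer to "where to have a look".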

