To start off with, the address 209.91.109.182 had port scanned you. It also appears as if they have a dynamic IP setup on their machines, so it is more difficult to trace, because the second log shows IP 212.177.241.239. If you can, do a whois on those IPs and see if they relate to the same machines.

The person/persons who were trying to get into your site had attempted to use multiple software exploits. What I recommend is to disable as many of these services as you don't need, like TELNET. How often do you need to telnet into your machine from a remote area? (Just a suggestion, I don't know for sure.) These little things will help stop intruders from getting any access to the innards of your machine.

What to do for the future: set up a couple of scripts that throw their IP address in your /etc/hosts.deny file whenever a portscan is performed on your IP.

Hope this helps a little,
Ryan
-----Original Message-----
From: Joakim Schramm [mailto:joakim@humanet.se]
Sent: Monday, February 14, 2000 2:29 PM
To: suse-linux-e@suse.com
Subject: [SLE] Help needed to interpret suspicious log entries - possible attack!
Some security expert out there willing to help me bend out those log entries in somewhat plain English? I suspect someone has tried to get access into my server. Had problems before with someone using it for spam when I used an older version of sendmail, not secured for open relay. Updated to 8.9.3 and got rid of it, but now someone has managed anyway to send mail through my server, creating a pseudo@domain.com account. This was clear as I today started to get lots of returned mails from the AOL postmaster.

This is the first event I found in the messages log:
Feb 1 07:12:50 ns scanlogd: From 209.91.109.182 to 195.22.70.181 ports 80, 23, 143, 110, 111, 2766, 25, 21, 22, ..., flags fSrpau, TOS 00, TTL 46, started at 07:12:50
Feb 1 07:12:51 ns sshd[542]: connect from 209.91.109.182
Feb 1 07:12:51 ns sshd[542]: log: Connection from 209.91.109.182 port 1661
Feb 1 07:12:51 ns in.telnetd[538]: connect from 209.91.109.182
Feb 1 07:12:51 ns popper[539]: connect from 209.91.109.182
Feb 1 07:12:51 ns in.telnetd[543]: connect from 209.91.109.182
Feb 1 07:12:51 ns telnetd[538]: ttloop: peer died: Invalid or incomplete multibyte or wide character
Feb 1 07:12:51 ns sshd[542]: fatal: Did not receive ident string.
And this is the latest:
Feb 13 12:46:53 ns scanlogd: From 212.177.241.239 to 195.22.70.181 ports 80, 23, 143, 110, 111, 6000, 79, 53, 31337, ..., flags fSrpau, TOS 00, TTL 55, started at 12:46:53
Feb 13 12:46:54 ns in.telnetd[10751]: connect from root@212.177.241.239
Feb 13 12:46:54 ns popper[10752]: connect from root@212.177.241.239
Feb 13 12:46:54 ns telnetd[10751]: ttloop: peer died: Invalid or incomplete multibyte or wide character
Feb 13 12:46:54 ns in.fingerd[10753]: connect from root@212.177.241.239
Feb 13 12:46:54 ns proftpd[10755]: ns.humanet.se (212.177.241.239[212.177.241.239]) - FTP session closed.
Feb 13 12:46:54 ns sshd[10756]: connect from root@212.177.241.239
Feb 13 12:46:54 ns sshd[10756]: log: Connection from 212.177.241.239 port 1853
Feb 13 12:46:54 ns sshd[10756]: log: Could not reverse map address 212.177.241.239.
Feb 13 12:46:55 ns sshd[10756]: fatal: Did not receive ident string.
Feb 13 12:46:55 ns in.telnetd[10757]: connect from root@212.177.241.239
Feb 13 12:47:04 ns popper[10759]: connect from root@212.177.241.239
Feb 13 12:47:15 ns in.fingerd[10762]: connect from root@212.177.241.239
Feb 13 12:47:17 ns in.fingerd[10765]: connect from root@212.177.241.239
And this is how it looks in the mail log:
Feb 14 17:42:12 ns sendmail[18771]: RAA18771: from=<>, size=13529, class=0, pri=43529, nrcpts=1, msgid=<200002141631.LAA18550@rly-yb01.mx.aol.com>, proto=ESMTP, relay=aolmbd01.mx.aol.com [205.188.156.75]
Feb 14 17:42:12 ns sendmail[18772]: RAA18771: to=
, delay=00:00:01, xdelay=00:00:00, mailer=local, stat=Sent

And how to close this hole?
Thanks,
Joakim
--
--------------------------------------------------------------------------------------------
If I wouldn't have to accept the (f)act of being a human...
I would just love the (f)act of being a god!
--
To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com
For additional commands send e-mail to suse-linux-e-help@suse.com
Also check the FAQ at http://www.suse.com/Support/Doku/FAQ/
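Ryan's last suggestion above (a script that drops a scanning address into /etc/hosts.deny) as an added example; this is not code from either post. It parses the scanlogd reports and the "connect from" lines of the kind quoted in Joakim's logs, prints the plain-English summary he asked for (which address probed which ports and which daemons it then connected to), and appends a TCP-wrappers "ALL: <ip>" line for each scanner that is not already denied. The sample log lines are copied from the thread; the output file name, the helper names and the assumption that the listening daemons go through tcpd/libwrap are mine.

```python
"""Turn scanlogd port-scan reports into TCP-wrappers hosts.deny entries.

Added example for the list thread above, not code from the original posts.
Assumes a classic tcpd/libwrap setup, where the line "ALL: <ip>" in
/etc/hosts.deny blocks that address for every wrapped service.
"""
import re
import sys
from collections import defaultdict

# Sample input: syslog lines taken from the two excerpts quoted in the thread.
SAMPLE_LOG = """\
Feb 1 07:12:50 ns scanlogd: From 209.91.109.182 to 195.22.70.181 ports 80, 23, 143, 110, 111, 2766, 25, 21, 22, ..., flags fSrpau, TOS 00, TTL 46, started at 07:12:50
Feb 1 07:12:51 ns sshd[542]: connect from 209.91.109.182
Feb 1 07:12:51 ns in.telnetd[538]: connect from 209.91.109.182
Feb 1 07:12:51 ns popper[539]: connect from 209.91.109.182
Feb 13 12:46:53 ns scanlogd: From 212.177.241.239 to 195.22.70.181 ports 80, 23, 143, 110, 111, 6000, 79, 53, 31337, ..., flags fSrpau, TOS 00, TTL 55, started at 12:46:53
Feb 13 12:46:54 ns in.telnetd[10751]: connect from root@212.177.241.239
Feb 13 12:46:54 ns popper[10752]: connect from root@212.177.241.239
Feb 13 12:46:54 ns in.fingerd[10753]: connect from root@212.177.241.239
Feb 13 12:46:54 ns sshd[10756]: connect from root@212.177.241.239
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# scanlogd report: "From <src> to <dst> ports a, b, c, ..., flags <f>, TOS .., TTL .."
SCAN_RE = re.compile(
    rf"scanlogd: From (?P<src>{IPV4}) to (?P<dst>{IPV4}) ports (?P<ports>.*?), flags (?P<flags>[A-Za-z]+)"
)
# tcpd-style "connect from" line, with or without the "root@" ident prefix.
CONNECT_RE = re.compile(rf"(?P<svc>[\w.]+)\[\d+\]: connect from (?:\w+@)?(?P<src>{IPV4})$")


def parse_log(text):
    """Return (scans, connects): scanlogd reports and the services each source hit."""
    scans = []
    connects = defaultdict(set)
    for line in text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            fields = [p.strip() for p in m.group("ports").split(",")]
            scans.append({
                "src": m.group("src"),
                "dst": m.group("dst"),
                "ports": sorted(int(p) for p in fields if p.isdigit()),
                "truncated": "..." in fields,  # scanlogd elides long port lists
                "flags": m.group("flags"),
            })
            continue
        m = CONNECT_RE.search(line)
        if m:
            connects[m.group("src")].add(m.group("svc"))
    return scans, dict(connects)


def describe(scans, connects):
    """One plain-English sentence per scan: who probed what, then which daemons answered."""
    out = []
    for s in scans:
        ports = ", ".join(str(p) for p in s["ports"])
        more = " and more" if s["truncated"] else ""
        svcs = ", ".join(sorted(connects.get(s["src"], ()))) or "no logged services"
        out.append(
            f"{s['src']} probed {s['dst']} on ports {ports}{more} "
            f"(TCP flags {s['flags']}) and then connected to: {svcs}"
        )
    return out


def hosts_deny_entries(scans, existing=""):
    """New 'ALL: <ip>' lines for scanners not already present in the hosts.deny text."""
    already = set(re.findall(IPV4, existing))
    new = []
    for s in scans:
        if s["src"] not in already:
            new.append(f"ALL: {s['src']}")
            already.add(s["src"])  # de-duplicate repeated scans from one source
    return new


def update_hosts_deny(path, scans):
    """Append the missing entries to the file at `path`; returns the lines added."""
    try:
        with open(path) as fh:
            existing = fh.read()
    except FileNotFoundError:
        existing = ""
    new = hosts_deny_entries(scans, existing)
    if new:
        with open(path, "a") as fh:
            if existing and not existing.endswith("\n"):
                fh.write("\n")
            fh.write("\n".join(new) + "\n")
    return new


if __name__ == "__main__":
    # Log on stdin, hosts.deny path as the only argument; defaults are for a dry run.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    target = sys.argv[1] if len(sys.argv) > 1 else "hosts.deny.example"
    scans, connects = parse_log(text)
    for line in describe(scans, connects):
        print(line)
    for line in update_hosts_deny(target, scans):
        print(f"added to {target}: {line}")
```

Run as `python3 scan2deny.py /etc/hosts.deny < /var/log/messages`, or with no input to see the summary for the quoted logs. Two things to keep in mind: hosts.deny only reaches daemons started through tcpd or built with libwrap (the inetd services and sshd in these logs), so it does nothing for the sendmail relay question, which is a sendmail configuration matter; and scanlogd reports whatever source address the packets carried, so an entry written on a single report should stay in a form you can review and remove, otherwise a scan with a forged source can lock out an address you wanted to keep.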