Results 1 to 5 of 5

Thread: Possible Rooted Box

  1. #1
    Junior Member Ritalin's Avatar
    Join Date
    May 2006
    Posts
    6

    Possible Rooted Box

    I turned on my *nix boxed to discover these logs from snort:

    Events between 10 21 05:50:11 and 10 21 05:51:21
    Total events: 2
    Signatures recorded: 1
    Source IP recorded: 1
    Destination IP recorded: 1


    Events from same host to same destination using same method
    =========================================================================
    # of from to method
    =========================================================================
    2 192.168.15.106 204.15.193.132 (portscan) TCP Portsweep


    Percentage and number of events from a host to a destination
    ============================================================
    % # of from to
    ============================================================
    100.00 2 192.168.15.106 204.15.193.132


    Percentage and number of events from one host to any with same method
    ==============================================================
    % # of from method
    ==============================================================
    100.00 2 192.168.15.106 (portscan) TCP Portsweep


    Percentage and number of events to one certain host
    =================================================================
    % # of to method
    =================================================================
    100.00 2 204.15.193.132 (portscan) TCP Portsweep




    I whois the address only to get this back:

    Priority Colo PRICOLO-BLK02 (NET-204-15-192-0-1)
    204.15.192.0 - 204.15.199.255
    Ken Snider PRIORITYCOLO-204-15-193-128 (NET-204-15-193-128-1)
    204.15.193.128 - 204.15.193.143
    #ARIN WHOIS database, last updated 2006-10-20 19:10


    So i check my router logs to find this address repetidly trying to connect on random ports above 40000:

    202.139.89.134 45945
    202.139.89.134 45748
    202.139.89.134 45277
    202.139.89.134 45517
    202.139.89.134 45102
    202.139.89.134 45736
    202.139.89.134 45073
    202.139.89.134 45945
    202.139.89.134 45736
    202.139.89.134 45235
    202.139.89.134 45253
    202.139.89.134 45374
    202.139.89.134 45800
    202.139.89.134 45479
    202.139.89.134 45789
    202.139.89.134 45296
    202.139.89.134 45651
    202.139.89.134 45066
    202.139.89.134 45817

    (Snipped)

    So i whois this address to bring back:

    OrgName: Asia Pacific Network Information Centre
    OrgID: APNIC
    Address: PO Box 2131
    City: Milton
    StateProv: QLD
    PostalCode: 4064
    Country: AU

    ReferralServer: whois://whois.apnic.net

    NetRange: 202.0.0.0 - 203.255.255.255
    CIDR: 202.0.0.0/7
    NetName: APNIC-CIDR-BLK
    NetHandle: NET-202-0-0-0-1
    Parent:
    NetType: Allocated to APNIC
    NameServer: NS1.APNIC.NET
    NameServer: NS3.APNIC.NET
    NameServer: NS4.APNIC.NET
    NameServer: TINNIE.ARIN.NET
    NameServer: NS-SEC.RIPE.NET
    NameServer: DNS1.TELSTRA.NET
    Comment: This IP address range is not registered in the ARIN database.
    Comment: For details, refer to the APNIC Whois Database via
    Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
    Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
    Comment: for the Asia Pacific region. APNIC does not operate networks
    Comment: using this IP address range and is not able to investigate
    Comment: spam or abuse reports relating to these addresses. For more
    Comment: help, refer to http://www.apnic.net/info/faq/abuse
    Comment:
    RegDate: 1994-04-05
    Updated: 2005-05-20

    OrgTechHandle: AWC12-ARIN
    OrgTechName: APNIC Whois Contact
    OrgTechPhone: +61 7 3858 3100
    OrgTechEmail: search-apnic-not-arin@apnic.net


    I cannot seem to find any suspicouse file and tripwire has not logged anything changed.

    Im running debian with 2.6 kernel with only one running service, SSH.
    My box is fully updated and patched.


    Any help would be great.


    -Ritalin

  2. #2
    Junior Member Ritalin's Avatar
    Join Date
    May 2006
    Posts
    6

    Adding to my previouse post.

    I submited the ip into http://www.netwatchman.com and got these results.

    http://www.mynetwatchman.com/LID.asp?IID=188611252

    Cheers.

  3. #3
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Looks like all they got was a portscan....nothing to worry about.


    Keep in mind snort is not a firewall, and only alerts you when stuff is happening. It will not block it...for blocking I'd suggest something like APF...I use that on some of my linux boxes in various DC's.
    =

  4. #4
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    It's just a port scan i would not worry about it. As long as your box is updated an patched you should be fine.
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Crap sloshing up against your perimeter is common. There is no evidence of anything other than an alert that one was done against you from a host in Asia. I'd worry if I saw the activity stop. LOL.

    You're fine.

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •