-
October 21st, 2006, 11:34 AM
#1
Junior Member
Possible Rooted Box
I turned on my *nix box to discover these logs from snort:
Events between 10 21 05:50:11 and 10 21 05:51:21
Total events: 2
Signatures recorded: 1
Source IP recorded: 1
Destination IP recorded: 1
Events from same host to same destination using same method
=========================================================================
# of from to method
=========================================================================
2 192.168.15.106 204.15.193.132 (portscan) TCP Portsweep
Percentage and number of events from a host to a destination
============================================================
% # of from to
============================================================
100.00 2 192.168.15.106 204.15.193.132
Percentage and number of events from one host to any with same method
==============================================================
% # of from method
==============================================================
100.00 2 192.168.15.106 (portscan) TCP Portsweep
Percentage and number of events to one certain host
=================================================================
% # of to method
=================================================================
100.00 2 204.15.193.132 (portscan) TCP Portsweep
I ran whois on the address only to get this back:
Priority Colo PRICOLO-BLK02 (NET-204-15-192-0-1)
204.15.192.0 - 204.15.199.255
Ken Snider PRIORITYCOLO-204-15-193-128 (NET-204-15-193-128-1)
204.15.193.128 - 204.15.193.143
#ARIN WHOIS database, last updated 2006-10-20 19:10
So I checked my router logs to find this address repeatedly trying to connect on random ports above 40000:
202.139.89.134 45945
202.139.89.134 45748
202.139.89.134 45277
202.139.89.134 45517
202.139.89.134 45102
202.139.89.134 45736
202.139.89.134 45073
202.139.89.134 45945
202.139.89.134 45736
202.139.89.134 45235
202.139.89.134 45253
202.139.89.134 45374
202.139.89.134 45800
202.139.89.134 45479
202.139.89.134 45789
202.139.89.134 45296
202.139.89.134 45651
202.139.89.134 45066
202.139.89.134 45817
(Snipped)
So I ran whois on this address, which brought back:
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 202.0.0.0 - 203.255.255.255
CIDR: 202.0.0.0/7
NetName: APNIC-CIDR-BLK
NetHandle: NET-202-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS-SEC.RIPE.NET
NameServer: DNS1.TELSTRA.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate: 1994-04-05
Updated: 2005-05-20
OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net
I cannot seem to find any suspicious files, and tripwire has not logged any changes.
I'm running Debian with a 2.6 kernel, with only one running service, SSH.
My box is fully updated and patched.
Any help would be great.
-Ritalin
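To read the two logs in this post side by side, here is an added example (not from the post, and not snort's or tripwire's own code): it parses the snort summary row and router log entries in the form shown above, counts attempts and distinct ports per source, and checks whether the sweep's source is a private (RFC 1918) address, since that tells you which side of the perimeter the scanner sits on. The sample lines are constructed from the post; the `10.0.0.7 22` entry is made up to show a non-sweep source.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample modelled on the router log in the post: "<source IP> <dest port>".
ROUTER_LOG = """\
202.139.89.134 45945
202.139.89.134 45748
202.139.89.134 45277
202.139.89.134 45945
202.139.89.134 45736
10.0.0.7 22
"""
# The snort summary row from the post: count, from, to, (category), method.
SNORT_SUMMARY = "2 192.168.15.106 204.15.193.132 (portscan) TCP Portsweep"
SNORT_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+\((\w+)\)\s+(.+)$")

def parse_snort_summary(line):
    """Parse one summary row; header and '=====' lines return None."""
    m = SNORT_RE.match(line.strip())
    if not m:
        return None
    count, src, dst, kind, method = m.groups()
    return {
        "count": int(count), "src": src, "dst": dst, "kind": kind, "method": method,
        "src_is_private": ipaddress.ip_address(src).is_private,
        "dst_is_private": ipaddress.ip_address(dst).is_private,
    }

def sweep_direction(event):
    """A private source hitting a public destination means the LAN host is the scanner."""
    if event["src_is_private"] and not event["dst_is_private"]:
        return "outbound"
    if not event["src_is_private"] and event["dst_is_private"]:
        return "inbound"
    return "unknown"

def summarize_router_log(text, min_ports=3):
    """Per source IP: attempts, distinct ports, port range, and a sweep flag."""
    ports, attempts = defaultdict(set), defaultdict(int)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2 or not parts[1].isdigit():
            continue  # skips markers like "(Snipped)" and malformed lines
        ports[parts[0]].add(int(parts[1]))
        attempts[parts[0]] += 1
    return {src: {"attempts": attempts[src], "distinct_ports": len(p),
                  "low": min(p), "high": max(p), "sweep": len(p) >= min_ports}
            for src, p in ports.items()}
```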
-
October 21st, 2006, 12:53 PM
#2
Junior Member
Adding to my previous post.
-
October 21st, 2006, 05:26 PM
#3
Looks like all they got was a portscan... nothing to worry about.
Keep in mind snort is not a firewall; it only alerts you when stuff is happening. It will not block it. For blocking I'd suggest something like APF; I use that on some of my Linux boxes in various DCs.
-
October 21st, 2006, 08:03 PM
#4
It's just a port scan; I would not worry about it. As long as your box is updated and patched you should be fine.
----------------------------------------------------------------------------------------------------------
"If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford
-
October 22nd, 2006, 02:46 PM
#5
Crap sloshing up against your perimeter is common. There is no evidence of anything other than an alert that one was done against you from a host in Asia. I'd worry if I saw the activity stop. LOL.
You're fine.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden