[CLUE-Tech] Portsentry caught someone ...
Brandon N
bneill at yahoo.com
Wed Feb 14 13:19:39 MST 2001
--- Kevin Cullis <kevincu at orci.com> wrote:
> Hey all,
>
> I saw the program "Hackers" on Frontline tonight and thought I'd check
> my /var/log/messages. This is what I found:
>
> Feb 7 21:25:34 cullis portsentry[2603]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: www.unionpower.com.tw/211.72.69.17 to TCP port: 53
Port 53 is DNS; it's possible he is checking to see what version of
BIND you are running, or it could be a misconfigured resolv.conf.
There is a CERT advisory out on BIND:
http://www.cert.org/advisories/CA-2001-02.html
> Feb 7 21:25:34 cullis portsentry[2603]: attackalert: External command run for host: 211.72.69.17 using command: "/some/path/here/script 211.72.69.17 53"
> Feb 7 21:25:34 cullis portsentry[2603]: attackalert: Host 211.72.69.17 has been blocked via wrappers with string: "ALL: 211.72.69.17"
> Feb 7 21:25:34 cullis portsentry[2603]: attackalert: Host 211.72.69.17 has been blocked via dropped route using command: "/sbin/route add -host 211.72.69.17 reject"
I haven't used this program, but it looks like it's configured to run an
external script, then reject that host. You don't have the script
configured; that is why you see the /some/path/here/script line.
FYI, there is too much junk in messages to do a good check for stuff
like this. You might consider running syslog-ng (it's on freshmeat); you
can then separate messages by regular expression as well as the
standard methods.
Brandon
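As an added example (not from the thread, and not PortSentry's own code): a small Python parser that pulls the "attackalert" lines out of a messages file, names the scan type from the TCP flag bits, and reports per source IP which ports were probed and whether PortSentry blocked the host. The SYN+FIN combination in Kevin's log can never occur in a real handshake, which is why PortSentry calls it "Unknown Type" and why the parser treats it as the clearest stealth-scan signature. The sample log lines are constructed from the format quoted above; the extra "Connect from host" line, the "sshd" noise line and the scan-type labels are my assumptions.

```python
"""Parse PortSentry attackalert lines and flag invalid TCP flag combinations."""
import re
from dataclasses import dataclass, field

# Constructed sample, modeled on the lines quoted in the thread (not real captured data).
# The "Connect from host" line is an assumption about PortSentry's plain-connect alert format.
SAMPLE_LOG = """\
Feb  7 21:25:34 cullis portsentry[2603]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: www.unionpower.com.tw/211.72.69.17 to TCP port: 53
Feb  7 21:25:34 cullis portsentry[2603]: attackalert: External command run for host: 211.72.69.17 using command: "/some/path/here/script 211.72.69.17 53"
Feb  7 21:25:34 cullis portsentry[2603]: attackalert: Host 211.72.69.17 has been blocked via wrappers with string: "ALL: 211.72.69.17"
Feb  7 21:25:34 cullis portsentry[2603]: attackalert: Host 211.72.69.17 has been blocked via dropped route using command: "/sbin/route add -host 211.72.69.17 reject"
Feb  7 21:26:01 cullis sshd[2710]: Accepted password for kevin from 10.0.0.5 port 1022
Feb  7 21:30:12 cullis portsentry[2603]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 111
"""

# A probe line: either a raw-flag scan ("Unknown Type: Packet Flags: ...") or a full connect.
PROBE_RE = re.compile(
    r"attackalert: (?P<kind>Unknown Type|Connect)"
    r"(?:: Packet Flags:(?P<flags>(?: [A-Z]{3}: [01])+))?"
    r" from host: (?P<host>\S+)/(?P<ip>\S+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)
# A block action line (tcp_wrappers deny entry or a rejecting host route).
BLOCK_RE = re.compile(
    r"attackalert: Host (?P<ip>\S+) has been blocked via (?P<how>wrappers|dropped route)"
)


@dataclass
class Probe:
    kind: str    # "Unknown Type" (raw flag scan) or "Connect" (full TCP connect)
    flags: dict  # flag name -> 0/1; empty for plain connects
    host: str
    ip: str
    proto: str
    port: int


@dataclass
class HostSummary:
    ports: set = field(default_factory=set)
    scan_types: set = field(default_factory=set)
    blocked_by: set = field(default_factory=set)


def classify_flags(flags):
    """Name the scan type implied by a TCP flag set. SYN+FIN never occurs in a
    legitimate handshake, so it is the clearest sign of a crafted stealth probe."""
    on = {name for name, bit in flags.items() if bit}
    if {"SYN", "FIN"} <= on:
        return "SYN+FIN"
    if not on:
        return "NULL"
    if {"FIN", "PSH", "URG"} <= on and not on & {"SYN", "ACK"}:
        return "XMAS"
    if on == {"SYN"}:
        return "SYN"
    return "other"


def parse_probes(log_text):
    """Return one Probe per attackalert line that describes a packet or connection."""
    probes = []
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if not m:
            continue
        flags = {n: int(b) for n, b in re.findall(r"([A-Z]{3}): ([01])", m.group("flags") or "")}
        probes.append(Probe(m.group("kind"), flags, m.group("host"), m.group("ip"),
                            m.group("proto"), int(m.group("port"))))
    return probes


def summarize(log_text):
    """Group probes and block actions per source IP; unrelated syslog lines are ignored."""
    hosts = {}
    for p in parse_probes(log_text):
        s = hosts.setdefault(p.ip, HostSummary())
        s.ports.add(p.port)
        s.scan_types.add(classify_flags(p.flags) if p.flags else "connect")
    for line in log_text.splitlines():
        m = BLOCK_RE.search(line)
        if m:
            hosts.setdefault(m.group("ip"), HostSummary()).blocked_by.add(m.group("how"))
    return hosts


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        status = "blocked via " + ", ".join(sorted(s.blocked_by)) if s.blocked_by else "NOT blocked"
        print(f"{ip}: ports {sorted(s.ports)} scans {sorted(s.scan_types)} ({status})")
```

Run it against a real file with `summarize(open("/var/log/messages").read())`; the regexes only match PortSentry's own alert lines, so the sshd and other syslog noise Brandon mentions drops out without needing a separate log first.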