paranoia

  • #2064543
    dotmind
    Felhasználó

      Ja, meg valamelyik nap egy norvég webszerverrõl ssh brute force támadást kaptam. Gondoom öket sikerült felnyomniuk.. Pár nap múlva egy másik szerintem ugyancsak feltört gépröl ftp brute force.. ez normális?

#2064544
maszili
User

    dotmind wrote:
    Yeah, and the other day I got an SSH brute-force attack from a Norwegian web server. I guess they managed to break into it. A few days later an FTP brute force from another machine, which I think was also compromised. Is this normal?

Not normal, but that's how it is…
At least those have some sense / purpose, but what about this???

# interval interface proto source hostname port service destination hostname port service
19689 00:21:54:14 eth0 udp 212.92.23.6 gw.extralink.hu 68 bootpc 255.255.255.255 - 67 bootps

#2064545
dotmind
User

#2064546
Bbt
User

Look up the IP address, put a big DROP at the top of iptables, and done. 🙂
Or write a short script for it, so that whenever such a log entry shows up it automatically adds a rule…
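The "short script" Bbt describes, written out as an added example for this thread (not a script any participant posted). It reads sshd failures in OpenSSH's syslog format, counts them per source inside a sliding window, skips an allowlist so a mistyped password from the LAN never locks the admin out, and emits idempotent iptables commands instead of running them. The log lines are constructed samples using RFC 5737 test addresses; the threshold, window, allowlist and the log year are assumed values, not settings from the thread.

```python
"""Turn sshd brute-force attempts into iptables DROP rules (added example)."""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample of /var/log/auth.log: one host hammering root/guessed
# accounts, one admin typo from the LAN, one slow probe two hours apart.
SAMPLE_AUTH_LOG = """\
Jun 27 03:10:01 gw sshd[2001]: Failed password for root from 203.0.113.55 port 40101 ssh2
Jun 27 03:10:02 gw sshd[2003]: Failed password for invalid user admin from 203.0.113.55 port 40102 ssh2
Jun 27 03:10:03 gw sshd[2005]: Failed password for invalid user oracle from 203.0.113.55 port 40103 ssh2
Jun 27 03:10:04 gw sshd[2007]: Failed password for invalid user test from 203.0.113.55 port 40104 ssh2
Jun 27 03:10:05 gw sshd[2009]: Failed password for root from 203.0.113.55 port 40105 ssh2
Jun 27 08:15:44 gw sshd[2300]: Failed password for csaba from 192.168.0.100 port 51020 ssh2
Jun 27 08:15:50 gw sshd[2300]: Accepted password for csaba from 192.168.0.100 port 51020 ssh2
Jun 27 09:00:00 gw sshd[2400]: Failed password for root from 198.51.100.7 port 33000 ssh2
Jun 27 11:00:00 gw sshd[2401]: Failed password for root from 198.51.100.7 port 33001 ssh2
"""

# OpenSSH logs "Failed password for [invalid user] NAME from IP port N ssh2".
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Assumed policy: never ban the LAN or loopback, whatever the log says.
ALLOWLIST = [ip_network("192.168.0.0/24"), ip_network("127.0.0.0/8")]
THRESHOLD = 5                   # this many failures ...
WINDOW = timedelta(minutes=10)  # ... within this window => ban


def parse_failed_logins(text, year):
    """Return (timestamp, ip, user) for every failed login; syslog has no year."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"]))
    return events


def find_brute_forcers(events, threshold=THRESHOLD, window=WINDOW, allowlist=ALLOWLIST):
    """Sources with >= threshold failures inside any window, minus the allowlist."""
    by_ip = {}
    for ts, ip, _user in events:
        by_ip.setdefault(ip, []).append(ts)
    banned = []
    for ip, stamps in by_ip.items():
        addr = ip_address(ip)
        if any(addr in net for net in allowlist):
            continue
        stamps.sort()
        left = 0
        for right, ts in enumerate(stamps):
            while ts - stamps[left] > window:   # slide the window forward
                left += 1
            if right - left + 1 >= threshold:
                banned.append(ip)
                break
    return sorted(banned)


def iptables_rules(ips):
    """One shell line per IP: add the DROP only if it is not already present."""
    return [
        f"iptables -C INPUT -s {ip} -j DROP 2>/dev/null || iptables -I INPUT -s {ip} -j DROP"
        for ip in ips
    ]


if __name__ == "__main__":
    events = parse_failed_logins(SAMPLE_AUTH_LOG, year=2008)
    for rule in iptables_rules(find_brute_forcers(events)):
        print(rule)
```

Run it from cron against the current log and pipe the output to `sh` once you trust it. `iptables -C` (check) is what keeps the chain from filling up with duplicates on every run; on a long-lived box you would rather put the bans in their own chain or an ipset than keep inserting at the top of INPUT. The allowlist is the line that matters: a script like this will happily ban the address you administer the server from.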

#1883668
csaba
User

Hello!

This is what snort threw up in a single day:

[**] [122:1:0] (portscan) TCP Portscan [**]
06/27-11:04:22.849965 192.168.0.100 -> 192.168.0.50
PROTO255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:165 DF

[**] [122:1:0] (portscan) TCP Portscan [**]
06/27-11:04:32.476123 192.168.0.100 -> 192.168.0.50
PROTO255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:161 DF

[**] [122:1:0] (portscan) TCP Portscan [**]
06/27-11:05:33.477190 192.168.0.100 -> 192.168.0.50
PROTO255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:163 DF

[**] [122:1:0] (portscan) TCP Portscan [**]
06/27-11:06:34.405273 192.168.0.100 -> 192.168.0.50
PROTO255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:164 DF

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
06/27-11:39:06.268568 85.66.43.253:3051 -> 192.168.0.50:80
TCP TTL:126 TOS:0x0 ID:60781 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xDA9D44D7  Ack: 0x7717BCFA  Win: 0xFAF0  TcpLen: 20

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
06/27-12:22:18.194490 85.66.136.116:1839 -> 192.168.0.50:80
TCP TTL:126 TOS:0x0 ID:52809 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xBAE6E4F3  Ack: 0x196221C6  Win: 0xFAF0  TcpLen: 20

[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
06/27-12:40:13.328158 61.139.106.247:3295 -> 192.168.0.50:1434
UDP TTL:95 TOS:0x0 ID:14203 IpLen:20 DgmLen:404
Len: 376
[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310]

[**] [1:2050:7] MS-SQL version overflow attempt [**]
[Classification: Misc activity] [Priority: 3]
06/27-12:40:13.328158 61.139.106.247:3295 -> 192.168.0.50:1434
UDP TTL:95 TOS:0x0 ID:14203 IpLen:20 DgmLen:404
Len: 376
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5310]

[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
06/27-14:45:40.339599 61.185.8.17:2797 -> 192.168.0.50:1434
UDP TTL:94 TOS:0x0 ID:46213 IpLen:20 DgmLen:404
Len: 376
[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310]

[**] [1:2050:7] MS-SQL version overflow attempt [**]
[Classification: Misc activity] [Priority: 3]
06/27-14:45:40.339599 61.185.8.17:2797 -> 192.168.0.50:1434
UDP TTL:94 TOS:0x0 ID:46213 IpLen:20 DgmLen:404
Len: 376
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5310]

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
06/27-15:44:53.068811 85.186.160.247:4394 -> 192.168.0.50:80
TCP TTL:114 TOS:0x0 ID:24251 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x8796F4DA  Ack: 0x11900EEA  Win: 0xFAF0  TcpLen: 20

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
06/27-15:48:02.151829 85.186.160.247:4394 -> 192.168.0.50:80
TCP TTL:114 TOS:0x0 ID:31713 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x8796EF26  Ack: 0x11900EEA  Win: 0xFAF0  TcpLen: 20

[**] [122:17:0] (portscan) UDP Portscan [**]
06/27-17:55:18.976747 204.16.208.111 -> 192.168.0.50
PROTO255 TTL:0 TOS:0xC0 ID:61057 IpLen:20 DgmLen:168

[**] [122:17:0] (portscan) UDP Portscan [**]
06/27-20:01:52.982575 78.74.163.196 -> 192.168.0.50
PROTO255 TTL:0 TOS:0xC0 ID:3698 IpLen:20 DgmLen:168

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
06/27-20:04:33.545971 85.27.12.240:2718 -> 192.168.0.50:80
TCP TTL:112 TOS:0x0 ID:55830 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x201B2F0D  Ack: 0xE01103EF  Win: 0xFAF0  TcpLen: 20

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
06/27-20:38:57.464252 85.66.75.84:4390 -> 192.168.0.50:80
TCP TTL:124 TOS:0x0 ID:3174 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xFC0128DD  Ack: 0x619ADAED  Win: 0xFAF0  TcpLen: 20

[**] [1:1213:5] WEB-MISC backup access [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/27-21:51:45.245605 85.66.41.105:64773 -> 192.168.0.50:80
TCP TTL:63 TOS:0x0 ID:27727 IpLen:20 DgmLen:756 DF
***AP*** Seq: 0xA216F13  Ack: 0x72A47EF8  Win: 0x3E96  TcpLen: 32
TCP Options (3) => NOP NOP TS: 739434 396238954

[**] [1:882:5] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/27-21:52:05.738371 85.66.41.105:64773 -> 192.168.0.50:80
TCP TTL:63 TOS:0x0 ID:27913 IpLen:20 DgmLen:820 DF
***AP*** Seq: 0xA21FE92  Ack: 0x72A8C916  Win: 0x5AD6  TcpLen: 32
TCP Options (3) => NOP NOP TS: 759928 396258989

[**] [1:882:5] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/27-21:52:05.763504 85.66.41.105:64771 -> 192.168.0.50:80
TCP TTL:63 TOS:0x0 ID:24633 IpLen:20 DgmLen:805 DF
***AP*** Seq: 0x9803F62  Ack: 0x729F77DD  Win: 0x3E96  TcpLen: 32
TCP Options (3) => NOP NOP TS: 759953 396258992

[**] [1:882:5] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/27-21:52:05.815897 85.66.41.105:64773 -> 192.168.0.50:80
TCP TTL:63 TOS:0x0 ID:27917 IpLen:20 DgmLen:808 DF
***AP*** Seq: 0xA220192  Ack: 0x72A8D996  Win: 0x5AD6  TcpLen: 32
TCP Options (3) => NOP NOP TS: 760006 396259460

[**] [1:882:5] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/27-22:12:21.968845 85.66.43.251:61012 -> 192.168.0.50:80
TCP TTL:125 TOS:0x0 ID:3316 IpLen:20 DgmLen:693 DF
***AP*** Seq: 0xE31233DB  Ack: 0xC082AF3E  Win: 0x6270  TcpLen: 20

[**] [1:882:5] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/27-22:12:34.825024 85.66.43.251:61012 -> 192.168.0.50:80
TCP TTL:125 TOS:0x0 ID:3782 IpLen:20 DgmLen:693 DF
***AP*** Seq: 0xE3126173  Ack: 0xC0860FFE  Win: 0x5E63  TcpLen: 20

[**] [1:882:5] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/27-22:12:35.788586 85.66.43.251:61011 -> 192.168.0.50:80
TCP TTL:125 TOS:0x0 ID:3819 IpLen:20 DgmLen:696 DF
***AP*** Seq: 0xC374D14F  Ack: 0xC00FED24  Win: 0x6270  TcpLen: 20

[**] [1:1213:5] WEB-MISC backup access [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/27-22:14:25.506749 85.66.41.105:64961 -> 192.168.0.50:80
TCP TTL:63 TOS:0x0 ID:7001 IpLen:20 DgmLen:1043 DF
***AP*** Seq: 0x5F335E87  Ack: 0xC8D0ED88  Win: 0x3B70  TcpLen: 32
TCP Options (3) => NOP NOP TS: 2099804 397599415

[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
06/27-22:31:04.835660 125.170.147.226:3438 -> 192.168.0.50:1434
UDP TTL:105 TOS:0xC0 ID:55264 IpLen:20 DgmLen:404
Len: 376
[Xref => http://vil.nai.com/vil/content/v_99992.htm][Xref =>
http://cgi.nessus.org/plugins/dump.php3?id=11214][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5311][Xref =>
http://www.securityfocus.com/bid/5310]

[**] [1:2050:7] MS-SQL version overflow attempt [**]
[Classification: Misc activity] [Priority: 3]
06/27-22:31:04.835660 125.170.147.226:3438 -> 192.168.0.50:1434
UDP TTL:105 TOS:0xC0 ID:55264 IpLen:20 DgmLen:404
Len: 376
[Xref => http://cgi.nessus.org/plugins/dump.php3?id=10674][Xref =>
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2002-0649][Xref =>
http://www.securityfocus.com/bid/5310]

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
06/27-22:44:02.219873 85.66.47.61:3940 -> 192.168.0.50:80
TCP TTL:126 TOS:0x0 ID:38013 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0x6C352AB9  Ack: 0x37610F86  Win: 0xFAF0  TcpLen: 20

Is this normal? That a server which hasn't even been announced yet gets this many suspicious hits?
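A day of alerts like the dump above is easier to judge once it is reduced to packets and sources. Two things are visible in the dump itself: the MS-SQL pair (sid 2003 and sid 2050) fires twice on the same packet each time (same timestamp, same IP ID), so six alerts are three packets, and the "TCP Portscan" verdicts come from 192.168.0.100, a host on the LAN, not from the Internet. The following added example (not code from any participant or from snort) parses snort's full-alert format as shown in the post, collapses alerts to distinct packets, separates private from public sources so Bbt's DROP-rule approach never gets pointed at a LAN machine, and attaches a short editor's note to the signatures that are background noise. The embedded alerts are excerpted from the post above with the Xref lines omitted; the notes keyed on gid:sid are the editor's reading, not snort's.

```python
"""Triage a snort full-alert dump: packets, not alerts; Internet, not LAN (added example)."""
import re
from ipaddress import ip_address

# Excerpt of the alerts from the post above (Xref lines left out).
SAMPLE_ALERTS = """\
[**] [122:1:0] (portscan) TCP Portscan [**]
06/27-11:04:22.849965 192.168.0.100 -> 192.168.0.50
PROTO255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:165 DF

[**] [119:15:1] (http_inspect) OVERSIZE REQUEST-URI DIRECTORY [**]
06/27-11:39:06.268568 85.66.43.253:3051 -> 192.168.0.50:80
TCP TTL:126 TOS:0x0 ID:60781 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xDA9D44D7  Ack: 0x7717BCFA  Win: 0xFAF0  TcpLen: 20

[**] [1:2003:8] MS-SQL Worm propagation attempt [**]
[Classification: Misc Attack] [Priority: 2]
06/27-12:40:13.328158 61.139.106.247:3295 -> 192.168.0.50:1434
UDP TTL:95 TOS:0x0 ID:14203 IpLen:20 DgmLen:404
Len: 376

[**] [1:2050:7] MS-SQL version overflow attempt [**]
[Classification: Misc activity] [Priority: 3]
06/27-12:40:13.328158 61.139.106.247:3295 -> 192.168.0.50:1434
UDP TTL:95 TOS:0x0 ID:14203 IpLen:20 DgmLen:404
Len: 376

[**] [1:882:5] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
06/27-21:52:05.738371 85.66.41.105:64773 -> 192.168.0.50:80
TCP TTL:63 TOS:0x0 ID:27913 IpLen:20 DgmLen:820 DF
***AP*** Seq: 0xA21FE92  Ack: 0x72A8C916  Win: 0x5AD6  TcpLen: 32
"""

# Header, optional classification line, timestamp/addresses, protocol line.
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]\n"
    r"(?:\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\]\n)?"
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?\n"
    r"(?P<proto>[A-Z0-9]+) TTL:"
)

# Editor's notes on the signatures seen in the post (assumptions, not snort's).
NOISE = {
    (122, 1): "sfPortscan verdict (synthetic PROTO255 record); if the source is on the LAN, look at that box",
    (122, 17): "sfPortscan UDP verdict; a handful of stray UDP probes is enough to trigger it",
    (119, 15): "http_inspect length heuristic on a long URI; confirm against the web server's access log",
    (1, 2003): "SQL Slammer worm (CVE-2002-0649) still propagating; harmless unless UDP/1434 is open",
    (1, 2050): "second rule matching the same Slammer packet; count packets, not alerts",
    (1, 882): "scanner probing known CGI paths; check what the access log says was returned",
    (1, 1213): "scanner probing for backup files; check what the access log says was returned",
}


def parse_alerts(text):
    """One dict per alert block; fields not present in a block are None."""
    return [
        {
            "gid": int(m["gid"]), "sid": int(m["sid"]), "msg": m["msg"],
            "prio": int(m["prio"]) if m["prio"] else None,
            "ts": m["ts"], "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]) if m["dport"] else None, "proto": m["proto"],
        }
        for m in ALERT_RE.finditer(text)
    ]


def packet_count(alerts):
    """Distinct packets: several rules can fire on one packet (same ts, src, dst)."""
    return len({(a["ts"], a["src"], a["dst"]) for a in alerts})


def summarize(alerts):
    """Per signature: alert count, distinct packets, sources and the editor's note."""
    summary = {}
    for a in alerts:
        key = (a["gid"], a["sid"])
        s = summary.setdefault(key, {"msg": a["msg"], "alerts": 0, "packets": set(),
                                     "sources": set(), "note": NOISE.get(key, "")})
        s["alerts"] += 1
        s["packets"].add((a["ts"], a["src"], a["dst"]))
        s["sources"].add(a["src"])
    return summary


def external_sources(alerts):
    """Only Internet sources are candidates for a DROP rule; never the LAN."""
    return sorted({a["src"] for a in alerts if not ip_address(a["src"]).is_private})


def report(text):
    """Triage lines for a human; returned rather than printed so they can be checked."""
    alerts = parse_alerts(text)
    lines = [f"{len(alerts)} alerts from {packet_count(alerts)} distinct packets"]
    for (gid, sid), s in sorted(summarize(alerts).items()):
        lines.append(f"{gid}:{sid} {s['msg']}: {s['alerts']} alert(s), "
                     f"{len(s['packets'])} packet(s) from {', '.join(sorted(s['sources']))}")
        if s["note"]:
            lines.append(f"    note: {s['note']}")
    lines.append("external sources eligible for a DROP rule: " + ", ".join(external_sources(alerts)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ALERTS)))
```

Point it at the whole alert file instead of the excerpt and the day collapses to a few lines: worm packets at UDP/1434 (which only matter if that port is actually open), long-URI heuristics, a couple of web-scanner probes, and one LAN host that deserves a look. That is the answer to "is this normal": it is the ordinary background of any address reachable from the Internet, announced or not.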
