An unusual report from Portsentry this evening:

May 14 21:00:34 raq portsentry[572]: attackalert: SYN/Normal scan from host: boron.eu.sun.com/1$
May 14 21:00:34 raq portsentry[572]: attackalert: Host 192.18.1.5 has been blocked via wrappers$
May 14 21:00:34 raq portsentry[572]: attackalert: Host 192.18.1.5 has been blocked via dropped $
May 14 21:00:35 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63474 x.x.x.x:$
May 14 21:00:36 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63478 x.x.x.x:$
May 14 21:00:38 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63474 x.x.x.x:$
May 14 21:00:39 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63478 x.x.x.x:$
May 14 21:00:45 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63474 x.x.x.x:$
May 14 21:00:45 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63478 x.x.x.x:$
May 14 21:00:50 raq 4 kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63595 x.x.x.x:$

and so on....

Is there a valid reason why we would be seeing this activity from Sun Microsystems?

Lawrence

----- Original Message -----
From: "Bill Irwin" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, May 14, 2001 2:30 PM
Subject: Re: [cobalt-security] PortSentry/Active System Attacks

> Chris Burton wrote:
> >
> > Hi,
> > If it was one of your customers then a reinstall do anything to help, try
> > and find out if it was a customer that did it. If you don't have customers
> > (or other users) then look at the state of the RAQ: has it been compromised
> > or not?
> >
> > ChrisB.
> >
>
> Actually a better idea is to find out who did the scan. If you really
> want to be the strict admin, run a locate for various scripts that users
> may use in linux to run port scans. A good way to find out what those
> scripts may be is to visit www.antionline.com or www.securityfocus.com
> and make a list of the commonly used scripts for port scanning. Run
> "locate <scriptname>" and see if it lists anything. If you get a hit,
> make a note of the user's acct. You can then go into their .bash_history
> file and find out if they did run commands for port scans.
> then:
>
> 1) warn them they are in violation of Terms Of Service (you did make a
> TOS for your customers didn't you?).
> 2) if they don't listen or initiate another scan within a 24 to 72 hour
> period, dump them as they are a big liability to your company and not
> worth the potential trouble no matter how much they may be paying.
> 3) review whether your customers need access to telnet or ssh; if no,
> then cut off all access.
>
> This may seem like a heavy-handed approach by some people. However, when
> you look at the liability implications and possible trouble that may be
> caused by this person, it doesn't seem all that bad.
>
> <These opinions are strictly my own and do not constitute the opinions or
> positions of my employer>
>
> --
> Bill Irwin
> Technical Support Engineer
> Sun Microsystems, Inc.

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
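As an added example (not code from the thread or from Portsentry), a small Python script that parses the two log formats quoted in the message above, the Portsentry "attackalert ... blocked via" lines and the kernel "Packet log: input DENY" lines, and correlates them per source host: it confirms that a host Portsentry reported as blocked was actually dropped afterwards, and separates repeated source ports (the same SYN being retransmitted) from fresh probes. The sample lines are constructed; the masked x.x.x.x destination is replaced by a made-up 10.0.0.2.

```python
"""Correlate Portsentry block reports with kernel packet-DENY lines."""
import re
from collections import defaultdict

# Portsentry: "attackalert: Host <ip> has been blocked via <method>"
BLOCKED = re.compile(r"attackalert: Host (\S+) has been blocked via (\w+)")
# Kernel (ipchains-style): "Packet log: input DENY <if> PROTO=<n> <src>:<sport> <dst>:<dport>"
DENY = re.compile(r"kernel: Packet log: input DENY (\S+) PROTO=(\d+) (\S+):(\d+) (\S+):(\d+)")

# Constructed sample modelled on the lines quoted in the post (destination 10.0.0.2 is invented,
# the trailing '$' is kept as it appears in the quoted output).
SAMPLE_LOG = """\
May 14 21:00:34 raq portsentry[572]: attackalert: Host 192.18.1.5 has been blocked via wrappers$
May 14 21:00:34 raq portsentry[572]: attackalert: Host 192.18.1.5 has been blocked via dropped$
May 14 21:00:35 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63474 10.0.0.2:80$
May 14 21:00:36 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63478 10.0.0.2:22$
May 14 21:00:38 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63474 10.0.0.2:80$
May 14 21:00:45 raq kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63474 10.0.0.2:80$
May 14 21:00:50 raq 4 kernel: Packet log: input DENY eth0 PROTO=6 192.18.1.5:63595 10.0.0.2:25$
"""


def summarize(log_text):
    """Per source host: block methods Portsentry reported, number of packets the
    kernel denied, destination ports probed, and hit counts per source port."""
    hosts = defaultdict(lambda: {"blocked_via": [], "denied": 0,
                                 "dst_ports": set(), "sport_hits": defaultdict(int)})
    for line in log_text.splitlines():
        m = BLOCKED.search(line)
        if m:
            hosts[m.group(1)]["blocked_via"].append(m.group(2))
            continue
        m = DENY.search(line)
        if m:
            _iface, _proto, src, sport, _dst, dport = m.groups()
            h = hosts[src]
            h["denied"] += 1
            h["dst_ports"].add(int(dport))
            h["sport_hits"][int(sport)] += 1
    return hosts


def retransmitted_ports(host):
    """Source ports seen more than once: the same SYN retried after the block, not new probes."""
    return sorted(p for p, n in host["sport_hits"].items() if n > 1)


def block_took_effect(host):
    """True when Portsentry reported a block and the kernel then denied traffic from that host."""
    return bool(host["blocked_via"]) and host["denied"] > 0
```

Run it over your own /var/log/messages instead of SAMPLE_LOG to get the same per-host view of what Portsentry blocked and what the kernel subsequently dropped.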
Re: [cobalt-security] PortSentry/Active System Attacks
Lawrence Frewin of Accommodation.com Mon, 14 May 2001 13:32:59 -0700