Hi,

I'm hoping someone will have some insight into these log entries. I've 
been running Portsentry for many months now (almost a year) and it's never 
behaved this way before. I'm wondering what the person was doing that may 
have caused Portsentry to submit nine (9) almost simultaneous attack 
alerts, then report each attack from the same IP as if it was unique 
instead of the usual "ignoring" entry it makes for most 
persistent/subsequent attempts from the same IP. I appreciate any thoughts.

The routing table shows only one reject entry for this IP.

The portsentry.blocked.tcp and portsentry.history files are pasted here... they 
seem to be identical, so I pasted just one and only what's current. NOTE: 
multiple entries for the offender, as if Portsentry didn't realize it had 
already added it once.
******
990585369 - 05/22/2001 22:36:09 Host: 210.178.206.65/210.178.206.65 Port: 111 TCP Blocked
990634133 - 05/23/2001 12:08:53 Host: wks-166-132-151.kscable.com/24.166.132.151 Port: 111 TCP Blocked
990654431 - 05/23/2001 17:47:11 Host: 210.178.236.98/210.178.236.98 Port: 111 TCP Blocked
990672315 - 05/23/2001 22:45:15 Host: dns1.mcdbr.com/209.102.183.2 Port: 111 TCP Blocked
990687222 - 05/24/2001 02:53:42 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687234 - 05/24/2001 02:53:54 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687246 - 05/24/2001 02:54:06 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687258 - 05/24/2001 02:54:18 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687269 - 05/24/2001 02:54:29 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687280 - 05/24/2001 02:54:40 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687292 - 05/24/2001 02:54:52 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687303 - 05/24/2001 02:55:03 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687315 - 05/24/2001 02:55:15 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990701418 - 05/24/2001 06:50:18 Host: direct2internet.com/213.242.179.2 Port: 111 TCP Blocked

The logcheck stuff is pasted here. NOTE: the multiple instances of "wrapping" and 
adding to the route table. Never a normal instance of ignoring. I snipped 
this stuff a lot 'cause it went on and on. There were also attempts to 
extract the password file and access FTP on several of my machine's IPs.

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
May 24 02:53:41 gw-crest portsentry[5820]: attackalert: Connect from host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 to TCP port: 111
May 24 02:53:42 gw-crest portsentry[5820]: attackalert: External command run for host: 195.215.212.38 using command: "/usr/local/psionic/portsentry/./portsentry.mailbot 195.215.212.38 111"
May 24 02:53:42 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38 has been blocked via wrappers with string: "ALL: 195.215.212.38"
May 24 02:53:42 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38 has been blocked via dropped route using command: "/sbin/route add -host 195.215.212.38 reject"
May 24 02:53:43 gw-crest portsentry[5820]: attackalert: Connect from host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 to TCP port: 111
May 24 02:53:54 gw-crest portsentry[5820]: attackalert: External command run for host: 195.215.212.38 using command: "/usr/local/psionic/portsentry/./portsentry.mailbot 195.215.212.38 111"
May 24 02:53:54 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38 has been blocked via wrappers with string: "ALL: 195.215.212.38"
May 24 02:53:54 gw-crest portsentry[5820]: attackalert: Host 195.215.212.38 has been blocked via dropped route using command: "/sbin/route add -host 195.215.212.38 reject"
May 24 02:53:54 gw-crest portsentry[5820]: attackalert: Connect from host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 to TCP port: 111

Just to show that Portsentry is working the way I've come to expect, here is a 
later attack.

May 24 06:50:17 gw-crest portsentry[5820]: attackalert: Connect from host: direct2internet.com/213.242.179.2 to TCP port: 111
May 24 06:50:18 gw-crest portsentry[5820]: attackalert: Possible stealth scan from unknown host to TCP port: 111 (accept failed)
May 24 06:50:19 gw-crest portsentry[5820]: attackalert: Connect from host: direct2internet.com/213.242.179.2 to TCP port: 111
May 24 06:50:19 gw-crest portsentry[5820]: attackalert: Host: 213.242.179.2 is already blocked. Ignoring

PS... I did report the strange one above. The offending IP is a machine showing 
the default Apache/RedHat installation page and telnet is turned on. :)
Crest Communications, Inc.              [EMAIL PROTECTED]
Beautiful Sunny Florida         http://crestcommunications.com/
352-495-9359, 425-732-9785 fax

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
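A small log-triage script for the situation described in the post, added here as an example (it is not part of the original message or of PortSentry itself): it parses portsentry.history entries and flags any IP that was blocked again within a short window, which is exactly the duplicate-block behaviour the poster is asking about. The 300-second window is an assumed default; the sample input reuses the entries quoted above with the e-mail line wrapping removed.

```python
import re
from collections import defaultdict

# Added example (not from the original post): parse portsentry.history lines
# and flag hosts that were blocked more than once in quick succession. That
# is the anomaly the message describes: PortSentry normally answers repeat
# connections from a blocked host with "is already blocked. Ignoring".
HISTORY_RE = re.compile(
    r"^(?P<epoch>\d+) - (?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"Host: (?P<name>\S+)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"Port: (?P<port>\d+) (?P<proto>TCP|UDP) Blocked$"
)

# Sample input: entries quoted in the post, with the e-mail line wrapping removed.
SAMPLE_HISTORY = """\
990672315 - 05/23/2001 22:45:15 Host: dns1.mcdbr.com/209.102.183.2 Port: 111 TCP Blocked
990687222 - 05/24/2001 02:53:42 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687234 - 05/24/2001 02:53:54 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990687246 - 05/24/2001 02:54:06 Host: cpe.195.215.212.38.arcnxl.paisdn.tele.dk/195.215.212.38 Port: 111 TCP Blocked
990701418 - 05/24/2001 06:50:18 Host: direct2internet.com/213.242.179.2 Port: 111 TCP Blocked
"""

def parse_history(text):
    """Return one dict per well-formed line; malformed lines are skipped, not guessed."""
    entries = []
    for line in text.splitlines():
        m = HISTORY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["epoch"], d["port"] = int(d["epoch"]), int(d["port"])
            entries.append(d)
    return entries

def repeated_blocks(entries, window_seconds=300):
    """Return {ip: (block_count, shortest_gap_seconds)} for every IP that was
    blocked again within window_seconds of a previous block (assumed window)."""
    by_ip = defaultdict(list)
    for e in entries:
        by_ip[e["ip"]].append(e["epoch"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if gaps and min(gaps) <= window_seconds:
            flagged[ip] = (len(times), min(gaps))
    return flagged
```

Running `repeated_blocks(parse_history(SAMPLE_HISTORY))` on the sample reports the tele.dk host as blocked three times with a shortest gap of 12 seconds, while the hosts blocked once are not reported.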