Hi Kai,

> Jan 24 14:16:29 www portsentry[22243]: attackalert: SYN/Normal scan from
> host: 211.184.115.62/211.184.115.62 to TCP port: 111

Port 111 is sunrpc. The "rpc" stands for "remote procedure call". This port is often used for NFS services. It's a service which has many known security issues and which is fairly often probed by would-be attackers. However, this could also be a harmless guy trying to mount an NFS share, who mistyped the IP address and accidentally typed in yours.

> The file-check report that came soon after was 33kb when normally it's
> about 2kb. Here are a few of the 100's of records in the report; almost all
> were very similar.
>
> This is like 5% of the log; there are hundreds of changes:
>
> -eRaq.net 01/24/02:22.00 FILE CHANGES!
>
> WARNING: [raq.net] /tmp/.casp3000/chili-psm
> [Times: Jan 22 19:08 2002 - Jan 24 07:49 2002]

I guesstimate that ChiliSoft ASP was restarted on your machine. Did you reboot the server by chance?

> ADDITION: [raq.net] /tmp/CTT0L1C4I
> Inode Permissons Size Created On
> 457019 -rw------- 0 Jan 24 07:49 2002
>
> ADDITION: [raq.net] /tmp/CTT0p5B2D
> Inode Permissons Size Created On
> 456934 -rw------- 0 Jan 24 07:49 2002

Many different applications write temporary data to /tmp, which is usually not a problem at all. However, as anyone has read and write permissions to /tmp, it's usually a good idea to monitor changes there as well. ChiliSoft for instance does create some odd files in there, and PHP session information is also written to /tmp. However, these filenames here don't ring a bell with me. It could be legitimate, could be not. Hard to tell, Kai. I'd take a look at the files with an editor like "vi" or "pico" to see what kind of information they contain. From that it might be possible to determine which application created these files, which might be very helpful to know. Were there other filesystem modifications outside /tmp?

--
With best regards,
Michael Stauber [EMAIL PROTECTED]
Unix/Linux Support Engineer

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
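The triage Michael describes (sorting /tmp changes in a file-integrity report into "known application scratch files" versus "unknown, go and look at it", and separating out anything outside /tmp) can be scripted so that a 33kb report is reduced to the handful of entries worth opening in vi. The following is an added example, not code from the mailing-list post or from the Cobalt RaQ file-check tool. The sample report is constructed to mirror the WARNING/ADDITION record layout quoted in the thread, and the two "known benign" path patterns (the ChiliSoft ASP scratch directory and PHP session files, both mentioned above) are assumptions for illustration, not a vetted allowlist for any particular server.

```python
"""Parse and triage ADDITION/WARNING records from a file-integrity report.

Added example modelled on the report format quoted in the thread; the
sample report and the "known benign" patterns are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample report, laid out like the records quoted in the thread.
SAMPLE_REPORT = """\
-raq.net 01/24/02:22.00 FILE CHANGES!

WARNING: [raq.net] /tmp/.casp3000/chili-psm
[Times: Jan 22 19:08 2002 - Jan 24 07:49 2002]

ADDITION: [raq.net] /tmp/CTT0L1C4I
Inode Permissons Size Created On
457019 -rw------- 0 Jan 24 07:49 2002

ADDITION: [raq.net] /tmp/CTT0p5B2D
Inode Permissons Size Created On
456934 -rw------- 0 Jan 24 07:49 2002

ADDITION: [raq.net] /tmp/sess_3f9a1c2b7d
Inode Permissons Size Created On
457102 -rw------- 48 Jan 24 07:50 2002

ADDITION: [raq.net] /usr/local/bin/example
Inode Permissons Size Created On
12345 -rwxr-xr-x 9120 Jan 24 07:51 2002
"""

# Record header: "<KIND>: [<host>] <path>"
HEADER = re.compile(r"^(WARNING|ADDITION|DELETION): \[([^\]]+)\] (\S+)$")
# Detail row under "Inode Permissons Size Created On"
DETAIL = re.compile(r"^(\d+) ([-a-zA-Z]{10}) (\d+) (.+)$")
# Modification window reported for WARNING records
TIMES = re.compile(r"^\[Times: (.+)\]$")


@dataclass
class Change:
    kind: str
    host: str
    path: str
    inode: Optional[int] = None
    perms: Optional[str] = None
    size: Optional[int] = None
    created: Optional[str] = None


def parse_report(text: str) -> List[Change]:
    """Turn the report text into one Change per WARNING/ADDITION/DELETION."""
    changes: List[Change] = []
    current: Optional[Change] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            current = Change(kind=m.group(1), host=m.group(2), path=m.group(3))
            changes.append(current)
            continue
        if current is None:
            continue  # banner lines before the first record
        m = DETAIL.match(line)
        if m:
            current.inode = int(m.group(1))
            current.perms = m.group(2)
            current.size = int(m.group(3))
            current.created = m.group(4)
            continue
        m = TIMES.match(line)
        if m:
            current.created = m.group(1)
    return changes


# Assumed benign /tmp patterns, for illustration only: ChiliSoft ASP's
# scratch directory and PHP session files, both named in the thread.
KNOWN_TMP = [
    ("ChiliSoft ASP scratch file", re.compile(r"^/tmp/\.casp3000/")),
    ("PHP session file", re.compile(r"^/tmp/sess_[0-9a-f]+$")),
]


def classify(change: Change) -> str:
    """Label one record so a reviewer can focus on the unexplained ones."""
    if not change.path.startswith("/tmp/"):
        return "outside /tmp: review"
    for label, pattern in KNOWN_TMP:
        if pattern.match(change.path):
            return "known: " + label
    if change.size == 0:
        return "unknown: 0-byte file, nothing to read yet; watch for growth"
    return "unknown: open with vi/pico and identify the creating application"


def triage(text: str) -> Dict[str, str]:
    """Map every reported path to its triage label."""
    return {c.path: classify(c) for c in parse_report(text)}


if __name__ == "__main__":
    for path, label in triage(SAMPLE_REPORT).items():
        print(f"{label:70s} {path}")
```

Run against a real report, the "known:" lines can be dropped from view and the "unknown:" and "outside /tmp:" lines are the list to work through by hand; the allowlist should only grow with patterns you have actually traced back to an installed application.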
