> Date: Fri, 25 Jan 2002 13:34:15 +0100
> From: "Kai r. s., euroweb as" <[EMAIL PROTECTED]>

> It's not that isolated incident, same server has got many scans today,

If you're getting more probes from the same netblock, then it sounds as if someone is up to no good. Ports 111/TCP and 111/UDP are used by the RPC portmapper... a favorite port for crackers to probe. If someone's scanning you on that, I highly question their motives -- valid packets or not.

> (here is some of them)

[ snip ]

> The file-check report that came soon after was 33kb when normally it's
> about 2kb. Here are a few of the 100's of records in the report; almost all
> were very similar.
>
> This is like 5% of the log; there are hundreds of changes:

[ snip ]

> This was in the file-change report 22:01 tonight. There is also one
> running at 10:01 and if you see the time stamp on these files there is
> something not right. If that was correct they should have been reported in

Not sure why it didn't catch it in the first scan. If the 10:01 scan is indeed running, it does seem odd that files over two hours old weren't noted...

> the file-change report at 10:01. And most of all, what are these? Could they

Try opening a file of non-zero size in your favorite text editor.

> be related to the strange scan..? And if so maybe all raq4 has this

Indirectly. There must be a running process to create a file. It's possible that Portsentry created a temp file. Assuming no funny business, a couple of those files appear to have been created by Chili!ASP.

> exploit..

If you wish to check for an exploit, run md5 hashes on several system binaries and compare with what you know to be correct. It's not 100% (one can do many things with a trojan kernel), but it is a very good way to give your system a quick check.

> Thanks for all the help..

Eddy

Brotsman & Dreger, Inc.
- EverQuick Internet Division
Phone: +1 (316) 794-8922 Wichita/(Inter)national
Phone: +1 (785) 865-5885 Lawrence

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
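
The md5 comparison suggested in the reply above, as an added example that is not part of the original post: a manifest of known-good hashes is checked against the binaries currently on disk. The function names, the `MD5SUM` override and the manifest file are assumptions made for illustration; as the reply notes, a trojaned kernel can still defeat this kind of check.

```shell
#!/bin/sh
# Added example, not from the original post. Function names, the MD5SUM
# variable and the manifest file are assumptions made for illustration.
# Manifest format is md5sum's own output: "<32 hex digits>  <path>".
# Build the manifest on a known-clean system and keep it off the host.

# Allow a trusted copy of md5sum (e.g. on read-only media) to be used,
# since the installed one may itself have been replaced.
MD5SUM=${MD5SUM:-md5sum}

# make_baseline FILE... : print a manifest for the given files.
make_baseline() {
    "$MD5SUM" -- "$@"
}

# verify_baseline MANIFEST : print "CHANGED <path>" or "MISSING <path>"
# for every entry that no longer matches; return 1 if anything differs.
verify_baseline() {
    status=0
    while read -r want path; do
        [ -n "$want" ] || continue          # skip blank lines
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            status=1
            continue
        fi
        # Recompute the hash of the file as it is on disk now.
        have=$("$MD5SUM" -- "$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"
            status=1
        fi
    done < "$1"
    return "$status"
}

# Usage: sh script.sh /path/to/manifest   (does nothing without an argument)
if [ "$#" -gt 0 ]; then
    verify_baseline "$1"
fi
```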
