I'm still trying to get some help from the guy who does the main network firewall (FreeBSD, which I have no access to). He does run snort on there also, but to get anything out of him is not that easy.
On the box itself I run shorewall, but I allow any traffic from the box to outside (probably need to change that). Nothing seems out of place in bash history, and /var/log/messages doesn't seem to contain anything useful (only log dumped or rejected stuff in the firewall). I've been re-setting up snort (apparently the guy's servers were scanned yesterday and this morning, so possibly I might learn something).

-----Original Message-----
From: xyon [mailto:[EMAIL PROTECTED]
Sent: Friday, January 20, 2006 3:02 PM
To: [email protected]
Subject: Re: [gentoo-server] portscanning worm?

I know this seems like a given, but have you checked your bash_history (if it still exists), /var/log/messages, etc.? Do you use a kernel with modules enabled? Do you have a firewall between the server and the outside world that would yield any insight as to what that suspected box is doing?

On Fri, January 20, 2006 06:24, darren kirby wrote:
> quoth the Jean Blignaut:
>> Hi All
>
>> I was contacted an hour or so ago by someone claiming that they are
>> being port scanned by an IP used on one of our production gentoo
>> servers.
>
> This could possibly be someone using your machine as a zombie host for an
> idlescan:
> http://www.insecure.org/nmap/idlescan.html
>
>> Best Regards
>>
>> Jean Blignaut
>
> -d
> --
> darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
> "...the number of UNIX installations has grown to 10, with more
> expected..."
> - Dennis Ritchie and Ken Thompson, June 1972
> --

Steven McCoy
Site Development/Manager
IndigoRobot Services
http://www.indigorobot.com
mailto:[EMAIL PROTECTED]

--
[email protected] mailing list
