Interesting... I'm also reading up on the idle scan and possibly that's what is going on here.
I would highly recommend restricting outbound traffic from that server. Even if this is a false positive it's a good idea to have things locked down more tightly. I'd also recommend disabling loadable module support in your kernel ;) Also, didn't that paper on the idle scan mention that more random IPIDs would help prevent idle scans? GrSecurity has just the feature to take care of this. You might want to check into using some of the GRSecurity features in the kernel. :)

HTH!

On Fri, January 20, 2006 08:18, Jean Blignaut wrote:
> I'm still trying to get some help from the guy who does the main network
> firewall (FreeBSD that I have no access to) he does run snort on there
> also but to get anything out of him is not that easy.
>
> On the box itself I run shorewall but I allow any traffic from the box
> to outside (probably need to change that)
>
> Nothing seems out of place in bash history and /var/log/messages doesn't
> seem to contain anything useful (only log dumped or rejected stuff in
> the firewall)
>
> I've been re-setting up snort (apparently the guy's servers were scanned
> yesterday and this morning so possibly I might learn something)
>
> -----Original Message-----
> From: xyon [mailto:[EMAIL PROTECTED]
> Sent: Friday, January 20, 2006 3:02 PM
> To: [email protected]
> Subject: Re: [gentoo-server] portscanning worm?
>
> I know this seems like a given, but have you checked your bash_history
> (if it still exists), /var/log/messages, etc? Do you use a kernel with
> modules enabled? Do you have a firewall between the server and the
> outside world that would yield any insight as to what that suspected box
> is doing?
>
>
> On Fri, January 20, 2006 06:24, darren kirby wrote:
>> quoth the Jean Blignaut:
>>> Hi All
>>>
>>> I was contacted an hour or so ago by someone claiming that they are
>>> being port scanned by an IP used on one of our production gentoo
>>> servers.
>>
>> This could possibly be someone using your machine as a zombie host for
>> an idlescan:
>> http://www.insecure.org/nmap/idlescan.html
>>
>>> Best Regards
>>>
>>> Jean Blignaut
>>
>> -d
>> --
>> darren kirby :: Part of the problem since 1976 ::
>> http://badcomputer.org
>> "...the number of UNIX installations has grown to 10, with more
>> expected..."
>> - Dennis Ritchie and Ken Thompson, June 1972
>>
>
>
> --
> Steven McCoy
> Site Development/Manager
> IndigoRobot Services
> http://www.indigorobot.com
> mailto:[EMAIL PROTECTED]
>
> --
> [email protected] mailing list
>
--
Steven McCoy
Site Development/Manager
IndigoRobot Services
http://www.indigorobot.com
mailto:[EMAIL PROTECTED]
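The IP ID property this thread keeps coming back to, as an added example (not code from anyone in the thread): given IP ID values sampled from a server's own replies (for instance read out of a packet capture of it answering pings), classify whether the field exposes a global per-packet counter, which is exactly what lets an outsider use the box as an idle-scan zombie. The thresholds and the sample sequences are constructed assumptions, not nmap's exact algorithm.

```python
"""Check whether a host's IP ID field leaks a global packet counter.

All sample sequences below are constructed for illustration; real values
would be read from captured replies of the host being audited.
"""
from typing import List


def ipid_deltas(ids: List[int]) -> List[int]:
    """Differences between consecutive 16-bit IP IDs, modulo 2**16 (handles wraparound)."""
    return [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]


def classify_ipid(ids: List[int]) -> str:
    """Return 'zero', 'incremental', 'byte-swapped incremental', or 'random'.

    Heuristic (assumed, not nmap's own rule): a host whose IDs advance by a
    small constant step per packet is predictable; wide, irregular jumps are not.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "zero"  # field unused: nothing for an outsider to count
    if all(0 < d <= 8 for d in deltas):
        return "incremental"  # global counter visible per packet
    if all(d % 256 == 0 and 0 < d // 256 <= 8 for d in deltas):
        return "byte-swapped incremental"  # same counter, stored little-endian on the wire
    return "random"


def usable_as_zombie(ids: List[int]) -> bool:
    """True when the host's replies let an outsider count packets it has sent."""
    return classify_ipid(ids) in ("incremental", "byte-swapped incremental")


# Constructed samples: a sequential host (including 16-bit wraparound),
# a byte-swapped sequential host, a zero-ID host and a randomised host.
SEQUENTIAL = [65533, 65534, 65535, 0, 1, 2]
SWAPPED = [256, 512, 768, 1024, 1280]
ZERO = [0, 0, 0, 0]
RANDOM = [4123, 60012, 2, 33001, 7777]

if __name__ == "__main__":
    for name, seq in (("sequential", SEQUENTIAL), ("swapped", SWAPPED),
                      ("zero", ZERO), ("random", RANDOM)):
        print(f"{name:10s} -> {classify_ipid(seq):25s} zombie={usable_as_zombie(seq)}")
```

Only the two incremental classes are a concern; randomised or zero IDs give a remote party nothing to count, which is the effect the grsecurity option mentioned above aims for.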
