Got feedback from the firewall guy: according to his snort logs, the IP I was told did the portscan was not in fact the culprit. The reverse lookup domain name for that IP is responsible, but at this stage it still has an old IP pointing to an old Red Hat 7 box that's overdue for retirement but still has a few straggling websites (old, big and buggy - one in particular is written in old Perl CGI scripts). It seems my problem might just be bigger than I thought. Any ideas on how I might secure a Red Hat 7 box (muhahahaha)?
-----Original Message-----
From: Jean Blignaut
Sent: Friday, January 20, 2006 3:18 PM
To: [email protected]
Subject: RE: [gentoo-server] portscanning worm?

I'm still trying to get some help from the guy who does the main network firewall (FreeBSD that I have no access to). He does run snort on there also, but to get anything out of him is not that easy.

On the box itself I run shorewall, but I allow any traffic from the box to outside (probably need to change that). Nothing seems out of place in bash history, and /var/log/messages doesn't seem to contain anything useful (only log dumped or rejected stuff in the firewall). I've been re-setting up snort (apparently the guy's servers were scanned yesterday and this morning, so possibly I might learn something).

-----Original Message-----
From: xyon [mailto:[EMAIL PROTECTED]
Sent: Friday, January 20, 2006 3:02 PM
To: [email protected]
Subject: Re: [gentoo-server] portscanning worm?

I know this seems like a given, but have you checked your bash_history (if it still exists), /var/log/messages, etc.? Do you use a kernel with modules enabled? Do you have a firewall between the server and the outside world that would yield any insight as to what that suspected box is doing?

On Fri, January 20, 2006 06:24, darren kirby wrote:
> quoth the Jean Blignaut:
>> Hi All
>
>> I was contacted an hour or so ago by someone claiming that they are
>> being port scanned by an IP used on one of our production gentoo
>> servers.
>
> This could possibly be someone using your machine as a zombie host for an
> idlescan:
> http://www.insecure.org/nmap/idlescan.html
>
>> Best Regards
>>
>> Jean Blignaut
>
> -d
> --
> darren kirby :: Part of the problem since 1976 :: http://badcomputer.org
> "...the number of UNIX installations has grown to 10, with more
> expected..."
> - Dennis Ritchie and Ken Thompson, June 1972
> --
> Steven McCoy
> Site Development/Manager
> IndigoRobot Services
> http://www.indigorobot.com
> mailto:[EMAIL PROTECTED]

--
[email protected] mailing list
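As an added example (not code from anyone in this thread), the following shell filter shows what the shorewall box's own /var/log/messages could reveal once the fw-to-net policy is tightened to log outbound traffic instead of accepting it silently: it groups netfilter LOG lines by source and destination and flags pairs that touch many distinct destination ports, the signature of an outbound scan. The log lines are constructed samples in the documentation address ranges, and the "Shorewall:fw2net:ACCEPT:" prefix and threshold of 5 ports are assumptions for the demonstration.

```shell
#!/bin/sh
# Constructed sample of netfilter LOG lines in the form Shorewall writes them
# to /var/log/messages (prefix "Shorewall:<chain>:<disposition>:" is assumed
# to come from an fw->net policy with logging switched on). 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not real hosts.
SAMPLE_LOG='Jan 20 15:02:11 web kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=21
Jan 20 15:02:11 web kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=22
Jan 20 15:02:11 web kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=23
Jan 20 15:02:12 web kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=25
Jan 20 15:02:12 web kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40005 DPT=80
Jan 20 15:02:12 web kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40006 DPT=443
Jan 20 15:02:13 web kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=40007 DPT=80
Jan 20 15:02:14 web kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=40008 DPT=80
Jan 20 15:02:15 web kernel: Shorewall:fw2net:ACCEPT:IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 PROTO=TCP SPT=40009 DPT=25'

# flag_outbound_scans THRESHOLD < logfile
# Reads Shorewall log lines on stdin and prints "SRC DST NPORTS" for every
# source/destination pair that was seen hitting at least THRESHOLD distinct
# destination ports. Repeated connections to one port (normal web traffic)
# are counted once, so they do not trip the threshold.
flag_outbound_scans() {
  threshold="${1:-10}"
  awk -v thr="$threshold" '
    /Shorewall:/ {
      src = ""; dst = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DST=/) dst = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      # count each (src,dst,port) triple only once
      if (src != "" && dst != "" && dpt != "" && !seen[src, dst, dpt]++)
        ports[src " " dst]++
    }
    END {
      for (k in ports) if (ports[k] >= thr) print k, ports[k]
    }' | sort
}

# Demonstration run over the constructed sample; on a real box you would
# feed /var/log/messages instead: flag_outbound_scans 10 < /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | flag_outbound_scans 5
```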
