Charles Farinella wrote:

> On Sun, 11 Feb 2001, David L. Roberts wrote:
>
> > Made me look...
> >
> > I just noticed a little activity the past few days as well (my
> > system is up in M$ most of the time as I'm about the only one who
> > runs Linux here) - found these in the logs:
>
> I also found this (3 times actually):
>
> Feb  7 14:52:02 farinella kernel: Packet log: input DENY eth0 PROTO=6
> 64.108.57.132:2552 66.30.88.130:12346 L=48 S=0x00 I=7878 F=0x4000 T=113
> SYN (#23)
> Feb  7 14:52:02 farinella portsentry[776]: attackalert: Connect from host:
> adsl-pool24-132.detroit.mi.ameritech.net/64.108.57.132 to TCP port: 20034
> Feb  7 14:52:02 farinella portsentry[776]: attackalert: Host 64.108.57.132
> has been blocked via wrappers with string: "ALL: 64.108.57.132"
> Feb  7 14:52:05 farinella kernel: Packet log: input DENY eth0 PROTO=6
> 64.108.57.132:2552 66.30.88.130:12346 L=48 S=0x00 I=8024 F=0x4000 T=113
> SYN (#23)
> Feb  7 14:52:11 farinella kernel: Packet log: input DENY eth0 PROTO=6
> 64.108.57.132:2552 66.30.88.130:12346 L=48 S=0x00 I=8289 F=0x4000 T=113
> SYN (#23)
> Feb  7 15:29:24 farinella kernel: Packet log: input DENY eth0 PROTO=6
> 64.108.57.132:1884 66.30.88.130:12346 L=48 S=0x00 I=20206 F=0x4000 T=113
> SYN (#23)
>
> --charlie
>
> --
> Charles Farinella
> [EMAIL PROTECTED]
>
> **********************************************************
> To unsubscribe from this list, send mail to
> [EMAIL PROTECTED] with the following text in the
> *body* (*not* the subject line) of the letter:
> unsubscribe gnhlug
> **********************************************************

I actually run several things, like in my ipchains rules I monitor all UDP
connections, I run tcplogd (syn, ack, fin, null probe, x-three attacks,
etc.), I also have snort running on an internal machine monitoring external
net and internal net. My firewall runs perl script(s) that riplogs.pl and
mails them off the server, creating its own mail object with Mail::Mailer and
Net::SMTP, and also I run an automated log scanner (180 known httpd attacks) I
wrote against my web server logs and mails the output. It's not that I'm
totally paranoid, just don't feel like rebuilding my server for some pinhead
pulling a queer exploit when I have my pants down ~! hehe

-D
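
The kind of log scanning described in this reply, applied to the ipchains "Packet log" lines quoted above, as an added example (not the poster's scripts): it rejoins mail-wrapped records and groups denied packets per source, counting repeats from the same source port (retransmitted SYNs) as one flow. The sample lines, the host name `fw` and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: same layout as the quoted log (mail-wrapped, "> " quoted),
# using RFC 5737 documentation addresses and a made-up host name.
SAMPLE = """\
> Feb  7 14:52:02 fw kernel: Packet log: input DENY eth0 PROTO=6
> 192.0.2.10:2552 198.51.100.5:12346 L=48 S=0x00 I=7878 F=0x4000 T=113
> SYN (#23)
> Feb  7 14:52:05 fw kernel: Packet log: input DENY eth0 PROTO=6
> 192.0.2.10:2552 198.51.100.5:12346 L=48 S=0x00 I=8024 F=0x4000 T=113
> SYN (#23)
> Feb  7 15:29:24 fw kernel: Packet log: input DENY eth0 PROTO=6
> 192.0.2.10:1884 198.51.100.5:12346 L=48 S=0x00 I=20206 F=0x4000 T=113
> SYN (#23)
> Feb  7 15:30:01 fw kernel: Packet log: input ACCEPT eth0 PROTO=17
> 192.0.2.77:53 198.51.100.5:1025 L=76 S=0x00 I=411 F=0x0000 T=60 (#4)
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")  # syslog timestamp
PACKET = re.compile(
    r"kernel: Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=\d+ S=\S+ I=\d+ F=\S+ T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)")

def unwrap(text):
    """Strip mail quote marks and rejoin records split across lines."""
    records = []
    for line in text.splitlines():
        line = re.sub(r"^(?:>\s?)+", "", line).rstrip()
        if STAMP.match(line):
            records.append(line)          # a timestamp starts a new record
        elif line and records:
            records[-1] += " " + line     # continuation of a wrapped record
    return records

def denied_by_source(text):
    """Map source IP -> packet count, distinct flows, destination ports."""
    out = defaultdict(lambda: {"packets": 0, "flows": set(), "dports": set()})
    for rec in unwrap(text):
        m = PACKET.search(rec)
        if m and m["action"] in ("DENY", "REJECT"):
            s = out[m["src"]]
            s["packets"] += 1
            # Same source port, destination and port = one flow (SYN retries).
            s["flows"].add((m["sport"], m["dst"], m["dport"]))
            s["dports"].add(int(m["dport"]))
    return dict(out)
```
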

