portsentry is toooooo paranoid!

but it helps me a lot. you should configure it to be careful of simple
probes. at least you should just be aware that there are people probing your
servers.

i noticed portsentry blocks innocent proxy servers. someone from PLUG helped
me before identify a farm of pacific internet proxy servers being blocked by
portsentry.

since we don't use port 80 in our servers portsentry naturally blocked all
incoming requests for port 80. i just configured portsentry to be lenient to
port 80 requests.

portsentry is good, but just be careful because sometimes, like in my case, I
myself am the one who gets blocked! *grins*

Fritz Mesedilla
Systems Administrator

Summit Interactive, Inc.
FHM | Seventeen | Candy | Cosmopolitan | Preview | Good Housekeeping
femalenetwork.com | candymag.com | fhm.com.ph | cosmo.com.ph

Palm Pilot Software: TVSked - Download from the link below
----------------------------------------------------------------------------
http://mesedilla.tripod.com           +Basta Ikaw Lord

> -----Original Message-----
> From: Edwin Casimero [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, July 31, 2001 4:14 PM
> To: [EMAIL PROTECTED]
> Subject: [plug] Pinoy Admins - help: ACTIVE SYSTEM ATTACK!
>
>
> Help, fellow Filipinos!
>
> Hacker alert!
> I installed port sentry and got the following message in my e-mail.
> What is this guy trying to do?
> Anything I can do?
>
> Many thanks
> -Edwin Casimero-
>
>
> >
> > Active System Attack Alerts
> > =-=-=-=-=-=-=-=-=-=-=-=-=-=
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from
> host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port:
> 1080
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host
> 154.5.110.252 has been blocked via wrappers with string: "ALL:
> 154.5.110.252"
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host
> 154.5.110.252 has been blocked via dropped route using command:
> "/sbin/route add -host 154.5.110.252 gw 127.0.0.1"
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from
> host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port:
> 1080
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host:
> 154.5.110.252 is already blocked. Ignoring
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from
> host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port:
> 1080
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host:
> 154.5.110.252 is already blocked. Ignoring
> >
> > Security Violations
> > =-=-=-=-=-=-=-=-=-=
> > Jul 30 18:46:03 fil-web PAM_pwdb[23437]: authentication failure;
> (uid=0) -> root for sshd service
> > Jul 30 18:46:03 fil-web sshd[23437]: Failed password for ROOT from
> 202.57.120.151 port 1430
> > Jul 30 21:49:50 fil-web PAM_pwdb[24274]: authentication failure;
> (uid=0) -> fil-org for sshd service
> > Jul 30 21:49:50 fil-web sshd[24274]: Failed password for fil-org from
> 202.57.120.151 port 1040 ssh2
> > Jul 30 21:49:52 fil-web sshd[24274]: Disconnecting: Too many
> authentication failures for fil-org
> > Jul 30 21:49:52 fil-web PAM_pwdb[24274]: 6 more authentication
> failures; (uid=0) -> fil-org for sshd service
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from
> host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port:
> 1080
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host
> 154.5.110.252 has been blocked via wrappers with string: "ALL:
> 154.5.110.252"
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host
> 154.5.110.252 has been blocked via dropped route using command:
> "/sbin/route add -host 154.5.110.252 gw 127.0.0.1"
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from
> host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port:
> 1080
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host:
> 154.5.110.252 is already blocked. Ignoring
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from
> host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port:
> 1080
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host:
> 154.5.110.252 is already blocked. Ignoring
> >
> > Unusual System Events
> > =-=-=-=-=-=-=-=-=-=-=
> > Jul 30 18:25:41 fil-web sshd[23229]: Accepted password for ROOT from
> 202.57.120.151 port 1428
> > Jul 30 18:46:03 fil-web PAM_pwdb[23437]: authentication failure;
> (uid=0) -> root for sshd service
> > Jul 30 18:46:03 fil-web sshd[23437]: Failed password for ROOT from
> 202.57.120.151 port 1430
>
> > Jul 30 18:46:08 fil-web sshd[23437]: Accepted password for ROOT from
> 202.57.120.151 port 1430
> > Jul 30 21:49:50 fil-web PAM_pwdb[24274]: authentication failure;
> (uid=0) -> fil-org for sshd service
> > Jul 30 21:49:50 fil-web sshd[24274]: Failed password for fil-org from
> 202.57.120.151 port 1040 ssh2
> > Jul 30 21:49:52 fil-web last message repeated 6 times
> > Jul 30 21:49:52 fil-web sshd[24274]: Disconnecting: Too many
> authentication failures for fil-org
> > Jul 30 21:49:52 fil-web PAM_pwdb[24274]: 6 more authentication
> failures; (uid=0) -> fil-org for sshd service
> > Jul 30 21:49:52 fil-web PAM_pwdb[24274]: service(sshd) ignoring max
> retries; 7 > 3
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from
> host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port:
> 1080
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host
> 154.5.110.252 has been blocked via wrappers with string: "ALL:
> 154.5.110.252"
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host
> 154.5.110.252 has been blocked via dropped route using command:
> "/sbin/route add -host 154.5.110.252 gw 127.0.0.1"
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from
> host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port:
> 1080
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host:
> 154.5.110.252 is already blocked. Ignoring
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from
> host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port:
> 1080
> > Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host:
> 154.5.110.252 is already blocked. Ignoring
> > Jul 31 16:02:01 fil-web anacron[27338]: Updated timestamp for job
> `cron.daily' to 2001-07-31
> >
> _
> Philippine Linux Users Group. Web site and archives at
> http://plug.linux.org.ph
> To leave: send "unsubscribe" in the body to
> [EMAIL PROTECTED]
>
> To subscribe to the Linux Newbies' List: send "subscribe" in the body to
> [EMAIL PROTECTED]
>
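A triage script for the kind of logwatch report quoted above, added here as an example (it is not code from either poster or from portsentry): it groups the portsentry and sshd lines by source IP, reports the hosts portsentry auto-blocked, lets you mark ports you treat as harmless so that blocks caused only by probes to those ports (Fritz's proxy / port-80 case) surface as likely false positives, and flags a source that had failed and then accepted SSH passwords so the login can be verified. The sample lines are copied from the quoted report; the function names and the `lenient_ports` parameter are my own.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the logwatch report quoted in this thread.
SAMPLE_LOG = """\
Jul 30 18:25:41 fil-web sshd[23229]: Accepted password for ROOT from 202.57.120.151 port 1428
Jul 30 18:46:03 fil-web sshd[23437]: Failed password for ROOT from 202.57.120.151 port 1430
Jul 30 18:46:08 fil-web sshd[23437]: Accepted password for ROOT from 202.57.120.151 port 1430
Jul 30 21:49:50 fil-web sshd[24274]: Failed password for fil-org from 202.57.120.151 port 1040 ssh2
Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Connect from host: ip252.kitchener3.dialup.canada.psi.net/154.5.110.252 to TCP port: 1080
Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host 154.5.110.252 has been blocked via wrappers with string: "ALL: 154.5.110.252"
Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host 154.5.110.252 has been blocked via dropped route using command: "/sbin/route add -host 154.5.110.252 gw 127.0.0.1"
Jul 30 23:55:38 fil-web portsentry[866]: attackalert: Host: 154.5.110.252 is already blocked. Ignoring
"""

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
CONNECT_RE = re.compile(r"attackalert: Connect from host: \S+/" + IP + r" to (TCP|UDP) port: (\d+)")
BLOCK_RE = re.compile(r"attackalert: Host " + IP + r" has been blocked via (wrappers|dropped route)")
SSH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) password for (\S+) from " + IP)

def triage(log_text):
    """Group the report's portsentry and sshd events by source IP."""
    hosts = defaultdict(lambda: {"probes": set(), "blocks": set(),
                                 "ssh_failed": set(), "ssh_ok": set()})
    for line in log_text.splitlines():
        if m := CONNECT_RE.search(line):
            hosts[m.group(1)]["probes"].add((m.group(2), int(m.group(3))))
        elif m := BLOCK_RE.search(line):          # "already blocked. Ignoring" lines are skipped
            hosts[m.group(1)]["blocks"].add(m.group(2))
        elif m := SSH_RE.search(line):
            key = "ssh_ok" if m.group(1) == "Accepted" else "ssh_failed"
            hosts[m.group(3)][key].add(m.group(2))
    return dict(hosts)

def findings(hosts, lenient_ports=frozenset()):
    """One (ip, code) per source IP worth a look. lenient_ports: ports whose probes
    you treat as harmless; a host blocked only for those is a likely false positive."""
    out = []
    for ip, h in sorted(hosts.items()):
        probed = {port for _, port in h["probes"]}
        if h["blocks"] and probed and probed <= lenient_ports:
            out.append((ip, "blocked_lenient_only"))
        elif h["blocks"]:
            out.append((ip, "blocked"))
        # Failed then accepted passwords from one source: confirm the login with
        # the account owner rather than trusting the "Accepted" line.
        if h["ssh_failed"] and h["ssh_ok"]:
            out.append((ip, "ssh_fail_then_success"))
    return out
```

Run `findings(triage(open("/var/log/messages").read()), lenient_ports={80})` against a real syslog to get the same summary for your own host.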

