On Sun, Dec 28, 2014 at 8:59 PM, Albert Whale <
albert.wh...@it-security-inc.com> wrote:

>  I just wanted to report that PSAD was found not running on one of the
> servers (a 32-bit version of Linux).
>
> Examining psad -S on another server, produces the following:
>


Did you install the new psad-2.2.4-pre2 release? The errors in the logs you
have below do not correspond to this release.

Thanks,

--Mike



>
> [/root] psad -S | more
> [-] psad: pid file /var/run/psad/psadwatchd.pid does not exist for psadwatchd on ns3.IT-Security-inc.com
> [+] psad (pid: 2677)  %CPU: 0.1  %MEM: 0.2
>     Running since: Sun Sep 28 14:58:16 2014
>     Command line arguments: [none specified]
>     Alert email address(es): ad...@abs-comptech.com
>
> [+] Writing 61.160.224.129 to socket; psad will remove the IP
>     within 5 seconds.
> [+] Writing 71.6.135.131 to socket; psad will remove the IP
>     within 5 seconds.
> [+] Writing 61.160.224.130 to socket; psad will remove the IP
>     within 5 seconds.
> [+] Writing 93.174.93.51 to socket; psad will remove the IP
>     within 5 seconds.
> [+] Writing 66.240.192.138 to socket; psad will remove the IP
>     within 5 seconds.
> [+] Writing 113.108.21.16 to socket; psad will remove the IP
>     within 5 seconds.
> [+] Writing 66.240.236.119 to socket; psad will remove the IP
>     within 5 seconds.
> [+] Writing 125.64.35.68 to socket; psad will remove the IP
>     within 5 seconds.
> [+] Writing 66.35.46.198 to socket; psad will remove the IP
>     within 5 seconds.
> [+] Writing 117.21.191.204 to socket; psad will remove the IP
>     within 5 seconds.
> [+] Writing 71.6.165.200 to socket; psad will remove the IP
>     within 5 seconds.
> [+] Writing 202.109.143.35 to socket; psad will remove the IP
>     within 5 seconds.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6955.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6957.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6959.
> Use of uninitialized value $dl in numeric eq (==) at /usr/sbin/psad line 6961.
> [+] Version: psad v2.2.3
>
> [+] Top 50 signature matches:
>       "MISC Microsoft SQL Server communication attempt" (tcp),  Count: 1864,  Unique sources: 650,  Sid: 100205
>       "MISC MS Terminal Server communication attempt" (tcp),  Count: 1346,  Uniq
>
> I might note that the server which had PSAD fail, was experiencing a HEAVY
> amount of ntp udp packets.  Apparently the shorewall firewall permitted
> ntp (udp) packets, and the server was connected as a DDOS attack
> previously.  If the counter wraps around, what happens to the program?
>
> Anyway, looking forward to the next update.
>
> Thank you.
>  --
> Albert E. Whale, CEH CHS CISA CISSP
> *President - Chief Security Officer*
> http://www.IT-Security-inc.com - IT Security, Inc.
>
>
> Phone: 412-515-3010 | Email: albert.wh...@it-security-inc.com
> Cell: 412-889-6870
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming! The Go Parallel Website,
> sponsored by Intel and developed in partnership with Slashdot Media, is
> your
> hub for all things parallel software development, from weekly thought
> leadership blogs to news, videos, case studies, tutorials and more. Take a
> look and join the conversation now. http://goparallel.sourceforge.net
> _______________________________________________
> psad-discuss mailing list
> psad-discuss@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/psad-discuss
>
>


-- 
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
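The quoted `psad -S` output shows the psadwatchd pid file missing while psad itself was still up, and the original report was that psad had stopped on another server without anyone noticing. The script below is an added example, not code from the psad project or from either poster: a POSIX sh liveness check that reads the pid files psad keeps under `/var/run/psad/` (the path comes from the quoted output; the daemon names psad and psadwatchd are the two named in the thread) and reports running, stale or missing for each, so a cron job or monitoring agent can raise an alert when the detection daemon dies. The directory is a parameter so the check can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example, not code from the psad project or from this thread.
# Liveness check for the psad daemons, driven by their pid files.
# psad writes its pid files under /var/run/psad/ (path as shown in the
# thread's "psad -S" output); the directory is a parameter so the check
# can be run against a constructed directory as well as the real one.

# check_pidfile DIR NAME
#   Prints "running", "stale" or "missing" for DIR/NAME.pid.
#   Returns 0 only when the recorded pid is alive.
check_pidfile() {
    pidfile="$1/$2.pid"
    if [ ! -f "$pidfile" ]; then
        echo missing
        return 1
    fi
    # Keep only digits from the first line so a trailing newline or
    # stray text in the file cannot turn into a bogus kill argument.
    pid=$(head -n 1 "$pidfile" | tr -dc '0-9')
    if [ -z "$pid" ]; then
        echo stale
        return 2
    fi
    # kill -0 fails with EPERM for another user's process, so on Linux
    # also accept the presence of /proc/<pid> as proof of life.
    if kill -0 "$pid" 2>/dev/null || [ -d "/proc/$pid" ]; then
        echo running
        return 0
    fi
    echo stale
    return 2
}

# check_psad DIR
#   Checks the two daemons named in the thread (psad and its watchdog
#   psadwatchd), prints one status line per daemon and returns non-zero
#   if either is not running, so it can drive a cron or monitoring alert.
check_psad() {
    rc=0
    for daemon in psad psadwatchd; do
        status=$(check_pidfile "$1" "$daemon") || rc=1
        printf '%s: %s\n' "$daemon" "$status"
    done
    return "$rc"
}

# Stand-alone use: sh psad_check.sh /var/run/psad
[ $# -gt 0 ] && check_psad "$1"
```

A non-zero exit from `check_psad` is the signal to act on; a "stale" result (pid file present, process gone) is the case the thread describes, where the daemon died but its pid file was left behind.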