Hi

I'm a newcomer to the Security arena and am currently trying to get to 
grips with honeypots, IDSs and firewalls for my dissertation.  I'm running 
NFR's Back Officer Friendly on my home computer, configured to listen for 
Back Orifice, FTP, Telnet, SMTP, HTTP, POP3 and IMAP2, and something weird 
seems to have happened to it - I got scanned today on ports 3128 and 8080, 
the first 2 being a possible squid scan, picked up by Snort which I'm also 
running.  The only comment in the BOF alert box was "Stopped listening for 
HTTP".  The 4 snort alerts are as follows:

[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:39.372438 208.47.179.41:2295 -> 213.107.68.205:3128
TCP TTL:114 TOS:0x0 ID:6157 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF23507D  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:42.346692 208.47.179.41:2295 -> 213.107.68.205:3128
TCP TTL:114 TOS:0x0 ID:6622 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF23507D  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:620:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:44.556800 208.47.179.41:2795 -> 213.107.68.205:8080
TCP TTL:114 TOS:0x0 ID:7112 IpLen:20 DgmLen:48 DF
******S* Seq: 0x10AE85FF  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:620:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:47.549390 208.47.179.41:2795 -> 213.107.68.205:8080
TCP TTL:114 TOS:0x0 ID:7617 IpLen:20 DgmLen:48 DF
******S* Seq: 0x10AE85FF  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK


My BOF now refuses to listen for HTTP, instead bringing up an "error" box 
saying:
"Can't bind socket.  If you are running a server that listens on port 80 
you should disable HTTP listening".
I am not running a server.  Can anyone explain what this means, how serious 
these alerts are, and if there is a possibility my system has been compromised?

Many thanks
Melanie Woodward 
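As an added example (not part of Melanie's post or of Snort or BOF), here is a small Python script that parses the four Snort alerts above and reproduces the two checks a responder would make: grouping the alerts per source host to see what was probed, and testing whether a TCP port can be bound, which is the operation behind BOF's "Can't bind socket" message. The reading of a repeated bare SYN with the same source port and sequence number as a retransmission (the scanner's stack resending because the first SYN got neither a SYN-ACK nor a RST) is an inference from the captured fields, not something the post states; `port_is_bindable` and `bind_check_demo` are names chosen for this example.

```python
import re
import socket
from collections import Counter

# The four alerts from the post, copied here so the example runs offline.
SAMPLE_ALERTS = """\
[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:39.372438 208.47.179.41:2295 -> 213.107.68.205:3128
TCP TTL:114 TOS:0x0 ID:6157 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF23507D  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:42.346692 208.47.179.41:2295 -> 213.107.68.205:3128
TCP TTL:114 TOS:0x0 ID:6622 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF23507D  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:620:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:44.556800 208.47.179.41:2795 -> 213.107.68.205:8080
TCP TTL:114 TOS:0x0 ID:7112 IpLen:20 DgmLen:48 DF
******S* Seq: 0x10AE85FF  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:620:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:47.549390 208.47.179.41:2795 -> 213.107.68.205:8080
TCP TTL:114 TOS:0x0 ID:7617 IpLen:20 DgmLen:48 DF
******S* Seq: 0x10AE85FF  Ack: 0x0  Win: 0x4000  TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""

# Snort "full" alert format: header, classification, packet line, TCP line.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.+?)\] \[Priority: (\d+)\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")
TCP_RE = re.compile(r"^([*12UAPRSF]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)")


def parse_alerts(text):
    """Parse Snort full-format alert text into one dict per alert block."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [line.strip() for line in block.splitlines()]
        m = HEADER_RE.match(lines[0]) if lines else None
        if not m:
            continue  # not an alert header; skip defensively
        rec = {"gid": int(m.group(1)), "sid": int(m.group(2)),
               "rev": int(m.group(3)), "msg": m.group(4), "flags": ""}
        for line in lines[1:]:
            if (m := CLASS_RE.match(line)):
                rec["classification"], rec["priority"] = m.group(1), int(m.group(2))
            elif (m := PACKET_RE.match(line)):
                rec.update(date=m.group(1), time=m.group(2),
                           src=m.group(3), sport=int(m.group(4)),
                           dst=m.group(5), dport=int(m.group(6)))
            elif (m := TCP_RE.match(line)):
                rec["flags"] = m.group(1)
                rec["seq"], rec["ack"] = int(m.group(2), 16), int(m.group(3), 16)
        alerts.append(rec)
    return alerts


def summarize(alerts):
    """Per source host: rule sids, target ports, distinct SYN probes, and which
    probes were seen again with the same source port and sequence number
    (a retransmitted SYN: the first one drew neither SYN-ACK nor RST)."""
    by_src = {}
    for a in alerts:
        s = by_src.setdefault(a["src"], {"sids": set(), "ports": set(), "syns": Counter()})
        s["sids"].add(a["sid"])
        s["ports"].add(a["dport"])
        if "S" in a["flags"] and "A" not in a["flags"]:  # SYN without ACK
            s["syns"][(a["sport"], a["dport"], a["seq"])] += 1
    return {src: {"sids": sorted(s["sids"]), "ports": sorted(s["ports"]),
                  "probes": len(s["syns"]),
                  "retransmitted": {k: n for k, n in s["syns"].items() if n > 1}}
            for src, s in by_src.items()}


def port_is_bindable(port, host="127.0.0.1"):
    """True if a fresh TCP socket can bind host:port right now. A False is the
    condition behind BOF's "Can't bind socket": another socket already owns the
    port. On Unix, ports below 1024 also need root, so False on 80 is expected
    from an unprivileged shell; neither case is by itself a sign of compromise."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
    return True


def bind_check_demo():
    """Hold an ephemeral loopback port, test it, release it, test again."""
    holder = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    holder.bind(("127.0.0.1", 0))
    holder.listen(1)
    port = holder.getsockname()[1]
    while_held = port_is_bindable(port)
    holder.close()
    return while_held, port_is_bindable(port)


if __name__ == "__main__":
    for src, info in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print(src, info)
    print("bind check (held, released):", bind_check_demo())
```

Run against the pasted alerts, the summary shows one source host, two distinct SYN probes (3128 and 8080, both with the ACK flag clear), and each probe seen twice about three seconds apart with an unchanged sequence number, which is consistent with the probes being dropped rather than answered. The bind check is the thing to run on the machine itself: if port 80 cannot be bound, something local (another BOF instance, a leftover listener, or a web server) holds it, and that is where to look before treating the alerts as a compromise.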
