attack?!

All about the security of the system and the applications
standbye
Posts: 146
Joined: 2002-10-16 18:05
Location: at home :)

attack?!

Post by standbye » 2003-03-05 14:59

Just went through the log files again and saw the following. I'm not sure; normally nothing should have happened, but I'd rather post it anyway. I'm also not sure whether portsentry worked correctly, because normally it should block after the 1st request, right?

Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 109
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 98
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 119
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 135
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 156
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 179
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 311
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 371
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 389
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 407
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 427
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 445
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 512
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 513
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 799
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 800
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 901
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 993
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 995
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 42
Mar 1 17:41:43 p15107535 portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 1002
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 901
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 993
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 995
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 42
Mar 1 17:41:43 p15107535 portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 1002
Mar 1 17:41:43 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:44 p15107535 portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 43
Mar 1 17:41:44 p15107535 portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:44 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 1002
Mar 1 17:41:44 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:44 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 1002
Mar 1 17:41:44 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:44 p15107535 /usr/sbin/named[10538]: client 217.235.127.105#4337: message class could not be determined
Mar 1 17:41:45 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 1015
Mar 1 17:41:45 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:45 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 1015
Mar 1 17:41:45 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:46 p15107535 portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 68
Mar 1 17:41:46 p15107535 portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:46 p15107535 portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 1015
Mar 1 17:41:46 p15107535 portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:46 p15107535 portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 69
Mar 1 17:41:46 p15107535 portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:47 p15107535 portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 88
Mar 1 17:41:47 p15107535 portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:48 p15107535 portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 111
Mar 1 17:41:48 p15107535 portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:49 p15107535 portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 135
Mar 1 17:41:49 p15107535 portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:51 p15107535 portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 143
Mar 1 17:41:51 p15107535 portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:52 p15107535 proftpd[26990]: connect from 217.235.127.105 (217.235.127.105)
Mar 1 17:41:52 p15107535 popper[26992]: connect from 217.235.127.105 (217.235.127.105)
Mar 1 17:41:52 p15107535 imapd[26997]: connect from 217.235.127.105 (217.235.127.105)
Mar 1 17:41:52 p15107535 portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 162
Mar 1 17:41:52 p15107535 portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:53 p15107535 portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 445
Mar 1 17:41:53 p15107535 portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:54 p15107535 portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 514
Mar 1 17:41:54 p15107535 portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:54 p15107535 portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 517
Mar 1 17:41:54 p15107535 portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:56 p15107535 portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 749
Mar 1 17:41:56 p15107535 portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:58 p15107535 proftpd[27000]: connect from 217.235.127.105 (217.235.127.105)
Mar 1 17:42:00 p15107535 /USR/SBIN/CRON[27007]: (root) CMD (/root/confixx/confixx_counterscript.pl)
Mar 1 17:42:02 p15107535 proftpd[26990]: p15107535.pureserver.info (pD9EB7F69.dip.t-dialin.net[217.235.127.105]) - FTP session opened.
Mar 1 17:42:02 p15107535 proftpd[26990]: p15107535.pureserver.info (pD9EB7F69.dip.t-dialin.net[217.235.127.105]) - FTP session closed.
Mar 1 17:42:08 p15107535 proftpd[27000]: p15107535.pureserver.info (pD9EB7F69.dip.t-dialin.net[217.235.127.105]) - FTP session opened.
Mar 1 17:42:08 p15107535 proftpd[27000]: p15107535.pureserver.info (pD9EB7F69.dip.t-dialin.net[217.235.127.105]) - FTP session closed.
Mar 1 17:42:08 p15107535 proftpd[27003]: connect from 217.235.127.105 (217.235.127.105)
Mar 1 17:42:08 p15107535 sshd[27016]: Did not receive identification string from 217.235.127.105.
Mar 1 17:42:18 p15107535 proftpd[27003]: p15107535.pureserver.info (pD9EB7F69.dip.t-dialin.net[217.235.127.105]) - FTP session opened.
Mar 1 17:42:18 p15107535 proftpd[27003]: p15107535.pureserver.info (pD9EB7F69.dip.t-dialin.net[217.235.127.105]) - FTP session closed.

So far nothing should have happened though, right? (I only see connects and no logins.)

dea
Posts: 532
Joined: 2002-08-13 12:05

Re: attack?!

Post by dea » 2003-03-05 15:38

Looks to me like a 'perfectly normal' pimply script-kiddie scan :/

The only unusual thing about it imho is the lack of focus on individual ports behind which known holes open up (443, 445, 57, etc.). Otherwise I see this kind of thing in the logs every day :(

standbye
Posts: 146
Joined: 2002-10-16 18:05
Location: at home :)

Re: attack?!

Post by standbye » 2003-03-05 15:41

Nah, it's somehow the first time something like this has shown up; I've had smaller ones before too, it was just the connects to the ports that made me suspicious.
thx

captaincrunch
Userprojekt
Posts: 7066
Joined: 2002-10-09 14:30
Location: Dorsten

Re: attack?!

Post by captaincrunch » 2003-03-05 15:46

"it was just the connects to the ports that made me suspicious"
Then you just caught a kiddie that ran a connect scan instead of a SYN (half-open) scan ... :wink:
DebianHowTo
echo "[q]sa[ln0=aln256%Pln256/snlbx]sb729901041524823122snlbxq"|dc

standbye
Posts: 146
Joined: 2002-10-16 18:05
Location: at home :)

Re: attack?!

Post by standbye » 2003-03-05 16:45

Hmm, but the portsentry script isn't really working properly, is it?

Because otherwise the 2nd scan wouldn't even get through but would be blocked right away, right?

floschi
Userprojekt
Posts: 3247
Joined: 2002-07-18 08:13
Location: München

Re: attack?!

Post by floschi » 2003-03-05 17:35

Why? It says loud and clear that the scanning host is already blocked and that it's therefore ignoring it ;)
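A small log triage script, added here as an example and not part of the thread or of portsentry itself, that reads lines in the syslog/portsentry format quoted above, groups probes per source IP, records whether portsentry already had the host blocked (the "already blocked Ignoring" lines floschi points at), and flags daemons that saw a completed connection (the connect-scan point captaincrunch makes). The sample lines are constructed; the regexes follow the message formats visible in this thread plus portsentry's "has been blocked" message.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog/portsentry format seen in the thread
# (hostnames and the second IP are made up; 192.0.2.0/24 is a documentation range).
SAMPLE_LOG = """\
Mar 1 17:41:43 srv portsentry[27602]: attackalert: TCP SYN/Normal scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to TCP port: 109
Mar 1 17:41:43 srv portsentry[27602]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:43 srv portsentry[27604]: attackalert: UDP scan from host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 to UDP port: 42
Mar 1 17:41:43 srv portsentry[27604]: attackalert: Host: pD9EB7F69.dip.t-dialin.net/217.235.127.105 is already blocked Ignoring
Mar 1 17:41:52 srv proftpd[26990]: connect from 217.235.127.105 (217.235.127.105)
Mar 1 17:41:52 srv imapd[26997]: connect from 217.235.127.105 (217.235.127.105)
Mar 1 17:50:01 srv portsentry[27602]: attackalert: TCP SYN/Normal scan from host: scanner.example.net/192.0.2.7 to TCP port: 21
Mar 1 17:50:01 srv portsentry[27602]: attackalert: Host 192.0.2.7 has been blocked via wrappers with string: "ALL: 192.0.2.7"
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
SCAN_RE = re.compile(r"portsentry\[\d+\]: attackalert: .*? scan from host: \S+?/" + IPV4 + r" to (TCP|UDP) port: (\d+)")
IGNORED_RE = re.compile(r"portsentry\[\d+\]: attackalert: Host: \S+?/" + IPV4 + r" is already blocked Ignoring")
BLOCKED_RE = re.compile(r"portsentry\[\d+\]: attackalert: Host:? " + IPV4 + r" has been blocked")
CONNECT_RE = re.compile(r"(\w+)\[\d+\]: connect from " + IPV4)

def summarize(log_text):
    """Per source IP: probed ports per protocol, block state, and daemons that saw a full connect."""
    hosts = defaultdict(lambda: {"TCP": set(), "UDP": set(), "ignored": 0, "blocked": False, "services": set()})
    for line in log_text.splitlines():
        if m := SCAN_RE.search(line):
            ip, proto, port = m.groups()
            hosts[ip][proto].add(int(port))
        elif m := IGNORED_RE.search(line):
            # portsentry re-checks its block list on every probe: the host stays blocked and
            # the probe is only logged, which is the expected behaviour after the first block
            hosts[m.group(1)]["ignored"] += 1
            hosts[m.group(1)]["blocked"] = True
        elif m := BLOCKED_RE.search(line):
            hosts[m.group(1)]["blocked"] = True
        elif m := CONNECT_RE.search(line):
            # a completed TCP handshake reached a real daemon: connect scan, not a half-open SYN scan
            hosts[m.group(2)]["services"].add(m.group(1))
    return hosts

def assess(entry):
    """Return a short verdict string for one host entry."""
    if not entry["blocked"]:
        return "NOT BLOCKED - check portsentry configuration"
    kind = "connect scan (full handshakes reached daemons)" if entry["services"] else "probe scan"
    return f"blocked; {kind}; {len(entry['TCP'])} TCP / {len(entry['UDP'])} UDP ports probed, {entry['ignored']} probes ignored"

if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_LOG).items():
        print(ip, "->", assess(entry))
```

Point it at a real /var/log/messages (or wherever portsentry logs) to get the same per-host summary; a host with probes but no block line is the case that would indicate portsentry is not blocking.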