NFR Back Officer Friendly alerts

From: Mel (rockchick@totalise.co.uk)
Date: 05/26/02


Date: Sun, 26 May 2002 21:20:53 +0100
To: security-basics@securityfocus.com
From: Mel <rockchick@totalise.co.uk>


Hi

I'm a newcomer to the security arena and am currently trying to get to
grips with honeypots, IDSs and firewalls for my dissertation. I'm running
NFR's Back Officer Friendly on my home computer, configured to listen for
Back Orifice, FTP, Telnet, SMTP, HTTP, POP3 and IMAP2, and something weird
seems to have happened to it - I got scanned today on ports 3128 and 8080,
the first two being a possible Squid scan, picked up by Snort, which I'm also
running. The only comment in the BOF alert box was "Stopped listening for
HTTP". The four Snort alerts are as follows:

[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:39.372438 208.47.179.41:2295 -> 213.107.68.205:3128
TCP TTL:114 TOS:0x0 ID:6157 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF23507D Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:42.346692 208.47.179.41:2295 -> 213.107.68.205:3128
TCP TTL:114 TOS:0x0 ID:6622 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF23507D Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:620:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:44.556800 208.47.179.41:2795 -> 213.107.68.205:8080
TCP TTL:114 TOS:0x0 ID:7112 IpLen:20 DgmLen:48 DF
******S* Seq: 0x10AE85FF Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:620:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:47.549390 208.47.179.41:2795 -> 213.107.68.205:8080
TCP TTL:114 TOS:0x0 ID:7617 IpLen:20 DgmLen:48 DF
******S* Seq: 0x10AE85FF Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

My BOF now refuses to listen for HTTP, instead bringing up an "error" box
saying:
"Can't bind socket. If you are running a server that listens on port 80
you should disable HTTP listening".
I am not running a server. Can anyone explain what this means, how serious
these alerts are, and if there is a possibility my system has been compromised?

Many thanks
Melanie Woodward
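The four alerts above carry more information than the rule names suggest. Each pair shares the same source port and the same TCP sequence number and is about three seconds apart, which is what a client's TCP stack does when its first SYN gets no SYN/ACK back: it retransmits the same segment. The script below is an added example, not part of the original post or of Snort; it parses Snort's "full" alert format (the four alerts are embedded verbatim as constructed input), groups the alerts by connection 4-tuple, and reports whether each repeat is a retransmission of an unanswered SYN or something else. The regular expressions and field names are my own.

```python
import re
from datetime import datetime

# Constructed input: the four Snort alerts quoted in the post, copied verbatim.
SAMPLE_ALERTS = """\
[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:39.372438 208.47.179.41:2295 -> 213.107.68.205:3128
TCP TTL:114 TOS:0x0 ID:6157 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF23507D Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:618:1] INFO - Possible Squid Scan [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:42.346692 208.47.179.41:2295 -> 213.107.68.205:3128
TCP TTL:114 TOS:0x0 ID:6622 IpLen:20 DgmLen:48 DF
******S* Seq: 0xF23507D Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:620:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:44.556800 208.47.179.41:2795 -> 213.107.68.205:8080
TCP TTL:114 TOS:0x0 ID:7112 IpLen:20 DgmLen:48 DF
******S* Seq: 0x10AE85FF Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK

[**] [1:620:1] SCAN Proxy attempt [**]
[Classification: Attempted Information Leak] [Priority: 2]
05/26-19:50:47.549390 208.47.179.41:2795 -> 213.107.68.205:8080
TCP TTL:114 TOS:0x0 ID:7617 IpLen:20 DgmLen:48 DF
******S* Seq: 0x10AE85FF Ack: 0x0 Win: 0x4000 TcpLen: 28
TCP Options (4) => MSS: 1460 NOP NOP SackOK
"""

# Field layouts of Snort's full alert output (patterns are this example's own).
HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
FLOW_RE = re.compile(r"(\d\d/\d\d)-(\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)")
FLAGS_RE = re.compile(r"^([*12UAPRSF]{8}) Seq: (0x[0-9A-Fa-f]+) Ack: (0x[0-9A-Fa-f]+)")


def parse_alerts(text):
    """Split full-format Snort output into one dict per alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = HEADER_RE.search(line)
            if m:
                rec["sid"], rec["msg"] = int(m.group(2)), m.group(4)
                continue
            m = FLOW_RE.search(line)
            if m:
                rec["time"] = datetime.strptime(m.group(2), "%H:%M:%S.%f")
                rec["src"], rec["sport"] = m.group(3), int(m.group(4))
                rec["dst"], rec["dport"] = m.group(5), int(m.group(6))
                continue
            m = FLAGS_RE.search(line)
            if m:
                rec["flags"], rec["seq"] = m.group(1), int(m.group(2), 16)
        if "seq" in rec and "time" in rec:
            alerts.append(rec)
    return alerts


def summarize(alerts):
    """Group alerts by (src, sport, dst, dport) and judge what the repeats mean."""
    flows = {}
    for a in sorted(alerts, key=lambda r: r["time"]):
        key = (a["src"], a["sport"], a["dst"], a["dport"])
        f = flows.setdefault(key, {"probes": 0, "seqs": set(), "times": [], "flags": set()})
        f["probes"] += 1
        f["seqs"].add(a["seq"])
        f["times"].append(a["time"])
        f["flags"].add(a["flags"])
    for f in flows.values():
        t = f["times"]
        f["gaps"] = [(later - earlier).total_seconds() for earlier, later in zip(t, t[1:])]
        f["syn_only"] = f["flags"] == {"******S*"}   # SYN set, nothing else
        f["distinct_seqs"] = len(f["seqs"])
        # Same source port and same ISN repeated a few seconds apart means the
        # scanner's own TCP stack retransmitted a SYN that got no SYN/ACK.
        if f["syn_only"] and f["probes"] > 1 and f["distinct_seqs"] == 1:
            f["verdict"] = "unanswered SYN, retransmitted by the scanner's TCP stack"
        elif f["syn_only"]:
            f["verdict"] = "SYN probe(s) only, no completed handshake seen"
        else:
            f["verdict"] = "other TCP traffic, inspect manually"
    return flows


if __name__ == "__main__":
    for key, f in summarize(parse_alerts(SAMPLE_ALERTS)).items():
        print("%s:%d -> %s:%d  probes=%d gaps=%s  %s" % (key + (f["probes"], f["gaps"], f["verdict"])))
```

Snort only logged the inbound SYNs here, so the alerts alone cannot prove how the host replied; but a retransmitted SYN with the identical sequence number is exactly what you see when the first one went unanswered, and both flows in this capture look like that. An inbound SYN to 3128 or 8080 also does nothing to a local port 80, so these alerts and the BOF bind error are most likely two separate events.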


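The "Can't bind socket" box is the operating system refusing BOF's bind() on TCP port 80 because some other socket on the machine already holds that port; the message does not say what that other socket is, and that is the question to answer before worrying about compromise. The script below is an added example, not BOF's code or part of the original post: it reproduces the failure on a loopback port chosen by the OS (so it runs anywhere without touching port 80), shows that the conflict disappears as soon as the first holder closes, and maps the platform-specific error code to one answer. The function names are my own.

```python
import errno
import socket

# POSIX reports EADDRINUSE; Winsock reports WSAEADDRINUSE (10048) instead.
_IN_USE = {errno.EADDRINUSE, getattr(errno, "WSAEADDRINUSE", errno.EADDRINUSE)}


def try_listen(port, host="127.0.0.1"):
    """Bind and listen on host:port.

    Returns (socket, None) on success or (None, errno) when the OS refuses,
    which is the condition behind BOF's "Can't bind socket" message.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        s.listen(1)
        return s, None
    except OSError as e:
        s.close()
        return None, e.errno


def address_in_use(err):
    """True if the bind failure means another socket already owns the port."""
    return err in _IN_USE


def demonstrate_conflict():
    """Hold a free port with one listener, then try to take it with a second.

    Returns a dict so the outcome can be checked rather than just printed.
    """
    holder, err = try_listen(0)            # port 0: the OS picks a free port
    if holder is None:
        raise RuntimeError("could not bind any loopback port, errno %s" % err)
    port = holder.getsockname()[1]
    try:
        second, err2 = try_listen(port)    # same port while the holder is alive
        if second is not None:
            second.close()
        conflict = address_in_use(err2)
    finally:
        holder.close()                     # release the port
    third, err3 = try_listen(port)         # free again once the holder is gone
    if third is not None:
        third.close()
    return {"port": port,
            "conflict_while_held": conflict,
            "free_after_release": err3 is None}


if __name__ == "__main__":
    print(demonstrate_conflict())
```

To find the real holder of port 80 on the box, list listening sockets with `netstat -an` (on Windows XP and later, `netstat -ano` adds the owning process ID; on Unix, `lsof -i :80` does the same job) while BOF's HTTP listener is disabled. If the entry is BOF's own previous instance that did not shut down cleanly, restarting clears it; if it is a process you did not install, that process, not the proxy scan, is what to investigate.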
