Re: Odd problem: thoughts...

From: Johannes Ullrich (jullrich@sans.org)
Date: 08/15/02


Date: Thu, 15 Aug 2002 13:41:06 -0400
From: "Johannes Ullrich" <jullrich@sans.org>
To: "Robert Inder" <robert@interactive.co.uk>



> We have looked at the logs on the server, and there doesn't seem
> to be anything unusual. Similarly file modification dates for
> "key" binaries (e.g. apache, sshd).

That's a good first step. However, it's times like this where prior
preparation helps (e.g. Tripwire). If it is an RPM-based system,
verify them using original RPMs from CD.

> Only three people (plus the ISP) have login accounts (using
> ssh). The machine also allows ftp connections from a small range of
> addresses (proftpd). It also acts as a fall-back mail server.
> The web server has recently been upgraded to Apache 1.3.22.

1.3.22 is no good. It has the chunked encoding problem. The latest
is 1.3.26 (also make sure you have the latest OpenSSL while you check
that).

> It is odd that the port on our server is reported to be port 80,
> which was being used by a busy web server throughout.

The log sent to you is a bit odd, and it could be a false positive
(see below).

The log shows a denied packet from your server port 80, to the target
port 1080. The SYN and ACK flags are set. So this is just a SYN ACK
from your server, after the client connected to it from port 1080.
(if I read the log right...)

So in my opinion, it's a false positive (the person that sent the log
is blocking 1080 regardless of flags).

However, it could be a SYN-ACK scan, which is often done just to
cause this conclusion.

Overall, it is always very hard to prove that you are not hacked :-/

> This email has been scanned for all viruses <BLAH BLAH BLAH>
> ________________________________________________________________________
> Aug 10 21:06:54 blackhole portsentry[2170]: attackalert: Unknown/Illegal scan type: TCP Packet Flags: FIN 0 SYN: 1 RST: 0 PUSH: 0 ACK: 1 URG: 0 UNUSED1: 0 UNUSED2: 0 scan from host 200.10.100.20/200.10.100.20 to TCP port: 1080 from TCP port: 80
> Aug 10 21:06:54 blackhole kernel: Packet log: input DENY eth1 PROTO=6 200.10.100.20:80 50.200.60.100:1080 L=52 S=0x00 I=64145 F=0x4000 T=51 (#1)

-- 
---------------------------------------------------------------
jullrich@sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org
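The reading of the log given in the reply above (SYN and ACK both set, from port 80 on the server to port 1080 on the remote host, so most likely the second step of a handshake the remote host itself started) can be turned into a small triage script. The following is an added example, not code from the original post or from portsentry: it parses the portsentry "attackalert" line and the ipchains-style kernel "Packet log" line quoted at the end of the thread, cross-checks that they describe the same segment, and classifies it. The field layouts are assumed from the two quoted lines only, and the helper names are the example's own.

```python
"""Triage helper for the portsentry + kernel log pair quoted in this thread.

Added example (not part of the original post). It implements the reasoning
from the reply: a SYN+ACK leaving a service port towards a high port is the
server's answer to a connection the other side opened, which a firewall that
blocks port 1080 "regardless of flags" will still log as a denied packet.
A SYN-ACK scan looks identical from one line, so the verdict also says
what to correlate against.
"""
import re

# Sample input: the two lines exactly as quoted at the end of the thread.
PORTSENTRY_LINE = (
    "Aug 10 21:06:54 blackhole portsentry[2170]: attackalert: Unknown/Illegal "
    "scan type: TCP Packet Flags: FIN 0 SYN: 1 RST: 0 PUSH: 0 ACK: 1 URG: 0 "
    "UNUSED1: 0 UNUSED2: 0 scan from host 200.10.100.20/200.10.100.20 "
    "to TCP port: 1080 from TCP port: 80"
)
KERNEL_LINE = (
    "Aug 10 21:06:54 blackhole kernel: Packet log: input DENY eth1 PROTO=6 "
    "200.10.100.20:80 50.200.60.100:1080 L=52 S=0x00 I=64145 F=0x4000 T=51 (#1)"
)

# Field layout assumed from the quoted line; note "FIN 0" has no colon.
PORTSENTRY_RE = re.compile(
    r"portsentry\[(?P<pid>\d+)\]: attackalert: (?P<kind>.*?): TCP Packet Flags: "
    r"FIN:? (?P<fin>[01]) SYN:? (?P<syn>[01]) RST:? (?P<rst>[01]) "
    r"PUSH:? (?P<psh>[01]) ACK:? (?P<ack>[01]) URG:? (?P<urg>[01])"
    r".*?scan from host (?P<src>[\d.]+)/(?P<src_name>\S+) "
    r"to TCP port: (?P<dport>\d+) from TCP port: (?P<sport>\d+)"
)
KERNEL_RE = re.compile(
    r"kernel: Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<id>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)


def parse_portsentry(line: str) -> dict:
    """Return source, ports and the six TCP flags from a portsentry alert."""
    m = PORTSENTRY_RE.search(line)
    if m is None:
        raise ValueError("not a portsentry attackalert line")
    return {
        "src": m["src"], "sport": int(m["sport"]), "dport": int(m["dport"]),
        "kind": m["kind"],
        "flags": {k: m[k] == "1" for k in ("fin", "syn", "rst", "psh", "ack", "urg")},
    }


def parse_kernel(line: str) -> dict:
    """Return addresses, ports and IP header fields from a 'Packet log' line."""
    m = KERNEL_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains Packet log line")
    frag = int(m["frag"], 16)  # IP flags + fragment offset field (F=0x....)
    return {
        "chain": m["chain"], "action": m["action"], "iface": m["iface"],
        "proto": int(m["proto"]),
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "length": int(m["len"]), "ttl": int(m["ttl"]),
        "dont_fragment": bool(frag & 0x4000),  # 0x4000 is the DF bit
        "fragment_offset": frag & 0x1FFF,      # low 13 bits; 0 = first/only fragment
    }


def triage(ps: dict, k: dict) -> dict:
    """Classify the logged segment and say what to check next."""
    reasons = []
    if k["proto"] != 6:
        return {"verdict": "not-tcp", "reasons": ["kernel line is not PROTO=6"]}
    if (ps["src"], ps["sport"], ps["dport"]) != (k["src"], k["sport"], k["dport"]):
        return {"verdict": "mismatch", "reasons": ["portsentry and kernel lines differ"]}
    f = ps["flags"]
    syn_ack_only = f["syn"] and f["ack"] and not (f["rst"] or f["fin"])
    server_side = k["sport"] < 1024 <= k["dport"]  # service port -> ephemeral port
    if syn_ack_only and server_side:
        verdict = "likely-reply"
        reasons.append(f"SYN+ACK from service port {k['sport']} to high port "
                       f"{k['dport']}: handshake step 2, so {k['dst']} opened it")
        reasons.append(f"a SYN-ACK scan looks the same; check the port {k['sport']} "
                       f"service log on {k['src']} for {k['dst']}:{k['dport']} at this time")
    elif f["syn"] and not f["ack"]:
        verdict = "unsolicited-syn"
        reasons.append(f"bare SYN from {k['src']}:{k['sport']}: a real connection attempt")
    else:
        verdict = "unknown"
        reasons.append("flag combination not covered by this helper")
    return {"verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    result = triage(parse_portsentry(PORTSENTRY_LINE), parse_kernel(KERNEL_LINE))
    print(result["verdict"])
    for r in result["reasons"]:
        print(" -", r)
```

Run as-is it reports `likely-reply` for the quoted pair. The second reason is the part that matters for the original question: the only way to separate a genuine reply from a SYN-ACK scan is to look for the matching inbound connection from 50.200.60.100:1080 in the web server's own logs at 21:06:54 on Aug 10.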
