Re: error.log entry



Moe Trin wrote:
On Tue, 30 Jan 2007, in the Usenet newsgroup comp.security.firewalls, in
article <W7Lvh.30739$E02.12584@xxxxxxxxxxxxxxx>, Anders wrote:

Sebastian Gottschalk wrote:

Anders wrote:

I have made sure that (whatever it is) all IPs (there were only 8 of
them) from this ISP are now blocked

Did you do a whois lookup to determine this? It is your server, and your
access rules apply, but don't be overly (or under) reactive.


Yes, I did use Net-Tool to see who it was from.

-----
inetnum: 213.215.135.120 - 213.215.135.127
netname: CINSEDO-NET-1
descr: CENTRO INTERREGIONALE DI STUDI E DOCUMENTAZIONE
country: IT
-----

Wonderful idea, since IPs are so unique...

The O/P showed only one IP in the log - 213.215.135.124 which does not
resolve. A whois query shows the address to be assigned to COLT Internet
Italy, and sub-assigned to Centro Interregionale di Studi e Documentazione
in Rome.

Mostly the IPs are unique

Whatever. Colt Telcom, whether from France, Germany, Italy, Sweden, or
the UK has never responded to my abuse complaints. My users have not
complained to me about the resulting blocks that were put in place. If
that inconveniences some customer of Colt Telcom, they can discuss the
problem with _their_ ISP.


I looked up "Centro Interregionale di Studi e Documentazione" and
found that they seem to have locations in other countries as well.

and I have checked my server and it
seems like it is free from rootkits and other malware.
"File does not exist" should be pretty obvious, and of course you should
know your scripts.

If the server was actually compromised, such suspicious entries would
have already been wiped.

Assuming even a halfway competent r00tkit - yes.

I use Rkhunter to check the system to see if there is any differences.

Your headers look like Fedora Core 5 that is being kept up to date.

I use Ubuntu 6.10 and on the server 6.06 LTS.
6.06 is a server install and it is committed to 5 years of security-supported updates.

This server version is quite simple, it only provides me with a patched kernel and apt-get,
giving me free hands to do whatever I want with it.
It is not 'easy-ubuntu' ;-).

There are two windoze-wannabe "anti-malware" tools available (chkrootkit and
rkhunter) as well as another not as easy to categorize (zeppoo). You need
to actually _read_ the scripts of the first two to see what they are
attempting to do. While extensive, both have a rather horrible coding
style, and are easily fooled. This means both false positives (declaring
something innocent to be a problem) AND false negatives (missing things
that are important). In my opinion, neither is worth the CPU cycles
or disk space they waste. If they do actually find a real root kit,
you have been the victim of inept skript kiddiez.


Mostly I do not fear kiddiez, but those who know how to get their way around on a POSIX system can really hide themselves so well that it is almost impossible to find them.

The only thing I can do is to check md5 and my log files and hope for the best.

I actually replaced ubuntu 5.10 server with this 6.06 a couple of days ago,
making it quite simple to see if there was/is any differences on the server.

It finds nothing

which, if you read the documentation clearly means nothing.

There are three types of mal-ware detectors. The first, like chkrootkit
and rkhunter, look for indications that have been seen in the past as
evidence of a rooted system or the root kit itself. For example, both of
those "tools" look for the "55808" worm - a port scanner trojan from
2003 - by looking for a file named /tmp/.../a or /tmp/.../r. If the
file had been renamed /tmp/.../A or /tmp/.../R (or indeed any other
name), neither tool would find it. Another variant of this test is to
look for ASCII strings in certain binaries. Again, if the r00tkit
author has changed anything, it won't be found.

A second type of detector is something that looks at what files are
present, and compares these to some record. Usually, this is a hash
made of the "known clean" snapshot of the file. Examples of this tool
are 'tripwire' and 'aide'. To use these tools, you need to run them
to _create_ the hashes before someone has "gotten to" your system. This
normally means "when you installed your system". The huge advantage
these tools have is that they are looking at what WAS on your system,
rather than some generic. Also, these tools are not limited to the
distribution supplied, or common files - meaning they can monitor your
data and home directory files as easily as /sbin/init. The two most
common Linux package managers (rpm and the Debian tools) can monitor
most of the files that they have installed ('man rpm' and look at the
VERIFICATION section) but are otherwise limited.

I did look at Tripwire but I don't know what to think of a program
that has not been updated for about 2 years.

Latest News
* 2.4.0.1 Released 2005-12-01

A third type of detector looks for indications of "hidden" processes,
such as the modified 'ps' command that won't show the rootkit that is
running.

'fuser -am' is a good start to see processes on the system,
and looking in /proc can give you a hint too.

Both chkrootkit and rkhunter attempt to do this, as does the
rather new 'zeppoo'. The first two have had significant numbers of
false alarms. I don't have enough experience with 'zeppoo' to say one
way or the other, and Usenet reports are fairly limited.

I do not trust any detecting programs, but they are some sort of help
in figuring out if something has been done outside of my control.
If I thought that something was wrong I would flatten and rebuild, but
first I would have a closer look to see if I can figure out what has been
changed and how it was done.

Malware detection really is more than running some script and hoping
for the best. Malware prevention is another matter.

I have the system chrooted so it is difficult for anyone not familiar with
the system to do anything on it.

I will say only that chroot(1) is not fool-proof. Few things are.
Know what your system is doing, and what it can do. See that it is
kept up to date. Apply such access controls as you see fit. Unless
someone can show a contract that each of you have signed granting
access, no one has any _right_ to access your system(s). They may
exercise the _privilege_ to access those parts of those systems
that you have designated, but that privilege is totally under your
control, and subject to ANY limitations you deem fit. If you wish to
block hosts whose IP address contains the digit "6", or block hosts
with names that contain the letter 'R' - it's your server, and your
rules apply.

Old guy

Chroot in itself is not enough; you have to lock down services as well.
The server is only accepting incoming connections on a few ports, and
the router that stands in front of it is locked down as well to an even
smaller number of open ports, not allowing any ftp, ssh or dns calls from the WAN.

/Anders
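The "second type of detector" Moe Trin describes (tripwire/aide style: hash a known-clean snapshot right after install, then compare) and Anders's "check md5" habit both come down to the same small routine. The following is an added example, not code from the thread or from tripwire/aide; it uses sha256 rather than md5 and records size and mode alongside the digest so that a file rewritten to the same length or a changed permission bit still shows up.

```python
"""Minimal file-integrity baseline in the style of tripwire/aide (added example)."""
import hashlib
import os
from typing import Dict, List, Tuple

# (digest, size, mode) per file; an empty digest marks a file we could not read.
BaselineEntry = Tuple[str, int, int]


def hash_file(path: str, algo: str = "sha256") -> str:
    # Stream in 64 KiB chunks so large binaries are not read into memory at once.
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: str, algo: str = "sha256") -> Dict[str, BaselineEntry]:
    """Walk `root` and record digest, size and mode of every regular file.

    Run this once on the known-clean system and keep the result off-box;
    run it again later and feed both snapshots to compare_baselines().
    Unreadable files (permissions, vanished mid-walk) are recorded with an
    empty digest instead of aborting the whole snapshot.
    """
    baseline: Dict[str, BaselineEntry] = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks, sockets and devices are out of scope here
            st = os.lstat(full)
            try:
                digest = hash_file(full, algo)
            except OSError:
                digest = ""
            baseline[os.path.relpath(full, root)] = (digest, st.st_size, st.st_mode)
    return baseline


def compare_baselines(old: Dict[str, BaselineEntry],
                      new: Dict[str, BaselineEntry]) -> Dict[str, List[str]]:
    """Report paths added, removed, or changed in content/size/mode since `old`."""
    common = set(old) & set(new)
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "changed": sorted(p for p in common if old[p] != new[p]),
    }
```

A "changed" entry for something like sbin/init that no package update explains is exactly the signal the thread says chkrootkit-style string matching cannot give you.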