LinuxQuestions.org

Linux - Security: Alert from snort - Is hacker attacking me? (http://www.linuxquestions.org/questions/linux-security-4/alert-from-snort-is-hacker-attacking-me-628032/)

pching 03-14-2008 09:44 AM

Alert from snort - Is hacker attacking me?
 
Dear people on the list,

Can you tell me if some hacker is trying to get into my system?
Please see some alert messages from snort in the following.

Also, I see many lines of "www.cymru.com/Documents/bogon-list.html"
in the alert message. What does that mean?

Honestly, I have a Linux system that came with default snort running,
and I don't know much about snort. I need to learn.

Thanks a lot for your time.

Philip


=========== alert from my snort ===========================
[**] [1:2002749:2] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/12-16:02:49.541160 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x0 ID:18 IpLen:20 DgmLen:330
Len: 302
[Xref => http://www.cymru.com/Documents/bogon-list.html]

[**] [1:2002911:1] BLEEDING-EDGE SCAN Potential VNC Scan 5900-5920 [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/12-16:04:10.413012 211.133.123.213:2855 -> 75.148.5.232:5900
TCP TTL:21 TOS:0x20 ID:43110 IpLen:20 DgmLen:64 DF
******S* Seq: 0x6EF67D47 Ack: 0x0 Win: 0xD200 TcpLen: 44
TCP Options (9) => MSS: 1414 NOP WS: 3 NOP NOP TS: 0 0 NOP NOP
TCP Options => SackOK

[**] [1:2002911:1] BLEEDING-EDGE SCAN Potential VNC Scan 5900-5920 [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/12-17:53:29.870465 74.14.172.209:2354 -> 75.148.5.232:5900
TCP TTL:30 TOS:0x20 ID:15086 IpLen:20 DgmLen:64 DF
******S* Seq: 0xC94AE0D1 Ack: 0x0 Win: 0xD200 TcpLen: 44
TCP Options (9) => MSS: 1440 NOP WS: 3 NOP NOP TS: 0 0 NOP NOP
TCP Options => SackOK

[**] [1:2002749:2] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/12-19:10:52.219369 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x0 ID:0 IpLen:20 DgmLen:348
Len: 320
[Xref => http://www.cymru.com/Documents/bogon-list.html]

[**] [1:2002749:2] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/12-20:50:10.430761 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x0 ID:0 IpLen:20 DgmLen:348
Len: 320
[Xref => http://www.cymru.com/Documents/bogon-list.html]

[**] [1:2001689:5] BLEEDING-EDGE WORM Potential MySQL bot scanning for SQL server [**]
[Classification: A Network Trojan was detected] [Priority: 1]
03/13-01:24:43.872832 218.56.180.251:46961 -> 75.148.5.239:3306
TCP TTL:93 TOS:0x20 ID:256 IpLen:20 DgmLen:40
******S* Seq: 0xBE7728D2 Ack: 0x0 Win: 0x4000 TcpLen: 20
[Xref => http://isc.sans.org/diary.php?date=2005-01-27]

[**] [1:2002749:2] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/13-08:28:26.165653 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x0 ID:0 IpLen:20 DgmLen:348
Len: 320
[Xref => http://www.cymru.com/Documents/bogon-list.html]

acid_kewpie 03-14-2008 09:48 AM

that link is a reference to this kind of alert, have you read the link? it's explaining exactly what the issue is... it actually looks like an innocent DHCP request though. are you listening on the internal network as well as the external side? is there only one side?
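As an added illustration (not code from the thread or from any poster), here is a small Python triage script that parses Snort's "full" alert format as quoted above and separates the two kinds of record in Philip's log: the bogon hits, which are a DHCP client broadcasting from 0.0.0.0:68 to 255.255.255.255:67 exactly as acid_kewpie says, and the inbound bare SYNs to 5900 and 3306, which are unsolicited connection attempts from outside. The sample input is copied from the alerts in the thread; the category labels and the `Alert` structure are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Sample input: three of the alert records quoted in the thread, in Snort's
# "full" alert format (records separated by a blank line).
SAMPLE_ALERTS = """\
[**] [1:2002749:2] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/12-16:02:49.541160 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x0 ID:18 IpLen:20 DgmLen:330
Len: 302
[Xref => http://www.cymru.com/Documents/bogon-list.html]

[**] [1:2002911:1] BLEEDING-EDGE SCAN Potential VNC Scan 5900-5920 [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/12-16:04:10.413012 211.133.123.213:2855 -> 75.148.5.232:5900
TCP TTL:21 TOS:0x20 ID:43110 IpLen:20 DgmLen:64 DF
******S* Seq: 0x6EF67D47 Ack: 0x0 Win: 0xD200 TcpLen: 44
TCP Options (9) => MSS: 1414 NOP WS: 3 NOP NOP TS: 0 0 NOP NOP

[**] [1:2001689:5] BLEEDING-EDGE WORM Potential MySQL bot scanning for SQL server [**]
[Classification: A Network Trojan was detected] [Priority: 1]
03/13-01:24:43.872832 218.56.180.251:46961 -> 75.148.5.239:3306
TCP TTL:93 TOS:0x20 ID:256 IpLen:20 DgmLen:40
******S* Seq: 0xBE7728D2 Ack: 0x0 Win: 0x4000 TcpLen: 20
[Xref => http://isc.sans.org/diary.php?date=2005-01-27]
"""

HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PRIORITY_RE = re.compile(r"\[Priority: (\d+)\]")
FLOW_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+) -> (\S+)$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+)")
FLAGS_RE = re.compile(r"^([12UAPRSF*]{8}) Seq:")


@dataclass
class Alert:
    sid: int
    msg: str
    priority: int
    timestamp: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    ttl: int
    flags: str  # TCP flag string such as "******S*"; empty for UDP/ICMP


def _split_endpoint(token: str):
    host, port = token.rsplit(":", 1)
    return host, int(port)


def parse_alerts(text: str):
    """Parse Snort full-format alert records into Alert objects."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        head = HEADER_RE.match(lines[0])
        if not head:
            continue  # not an alert record; skip it
        fields = {"sid": int(head.group(2)), "msg": head.group(4),
                  "priority": 0, "flags": "", "ttl": 0}
        for ln in lines[1:]:
            if m := PRIORITY_RE.search(ln):
                fields["priority"] = int(m.group(1))
            elif m := FLOW_RE.match(ln):
                fields["timestamp"] = m.group(1)
                fields["src"], fields["sport"] = _split_endpoint(m.group(2))
                fields["dst"], fields["dport"] = _split_endpoint(m.group(3))
            elif m := PROTO_RE.match(ln):
                fields["proto"], fields["ttl"] = m.group(1), int(m.group(2))
            elif m := FLAGS_RE.match(ln):
                fields["flags"] = m.group(1)
        alerts.append(Alert(**fields))
    return alerts


def triage(alert: Alert) -> str:
    """Classify one alert: DHCP broadcast noise, inbound SYN probe, or other."""
    if (alert.proto == "UDP" and alert.src == "0.0.0.0" and alert.sport == 68
            and alert.dst == "255.255.255.255" and alert.dport == 67):
        # A DHCP client with no address yet must send from 0.0.0.0 to the
        # broadcast address; 0.0.0.0/8 is on the bogon list, so the rule fires.
        return "benign-dhcp-broadcast"
    if alert.proto == "TCP" and "S" in alert.flags and "A" not in alert.flags:
        # Bare SYN from outside to one of our ports: an unsolicited connection
        # attempt. Background noise if nothing listens there; check with
        # `ss -ltn` whether the port is actually open before worrying.
        return f"inbound-syn-probe:{alert.dport}"
    return "needs-review"


def summarize(text: str):
    """Return (count per triage category, count of SYN probes per source IP)."""
    alerts = parse_alerts(text)
    categories = Counter(triage(a) for a in alerts)
    sources = Counter(a.src for a in alerts
                      if triage(a).startswith("inbound-syn-probe"))
    return categories, sources


if __name__ == "__main__":
    cats, srcs = summarize(SAMPLE_ALERTS)
    for cat, n in cats.items():
        print(f"{n:3d}  {cat}")
    for ip, n in srcs.items():
        print(f"{n:3d}  SYN probes from {ip}")
```

Feeding the whole `/var/log/snort/alert` file to `summarize()` instead of the embedded sample gives a quick count of how much of the log is DHCP noise versus probes, and which source addresses keep coming back; a single SYN to a closed port per source is ordinary Internet background, whereas repeated SYNs to a port that `ss -ltn` shows as listening is what deserves a closer look.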

pching 03-17-2008 09:44 AM

Hi acid_kewpie (Chris?):

Thanks for your response to my question.

Yes. I visited www.cymru.com and got some idea of what a "bogon" is.

My box is connecting to a COMCAST router. So it should not be listening to my internal private network. But I did originally set up the box using the private IP address (192.168.xxx.yyy).

If someone is attacking my box then I need to do something about it.

Thanks for your help.

Philip

acid_kewpie 03-17-2008 10:09 AM

as above, it just looks like a DHCP request.

