LinuxQuestions.org
Old 03-14-2008, 10:44 AM   #1
pching
Member
 
Registered: Jan 2008
Location: Maryland US
Distribution: right now WindowsXP
Posts: 40

Rep: Reputation: 15
Alert from snort - Is hacker attacking me?


Dear people on the list,

Can you tell me if some hacker is trying to get into my system?
Please see some alert messages from snort in the following.

Also, I see many lines of "www.cymru.com/Documents/bogon-list.html"
in the alert message. What does that mean?

Honestly, I have a Linux system that came with snort running by default,
and I don't know much about snort. I need to learn.

Thanks a lot for your time.

Philip


=========== alert from my snort ===========================
[**] [1:2002749:2] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/12-16:02:49.541160 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x0 ID:18 IpLen:20 DgmLen:330
Len: 302
[Xref => http://www.cymru.com/Documents/bogon-list.html]

[**] [1:2002911:1] BLEEDING-EDGE SCAN Potential VNC Scan 5900-5920 [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/12-16:04:10.413012 211.133.123.213:2855 -> 75.148.5.232:5900
TCP TTL:21 TOS:0x20 ID:43110 IpLen:20 DgmLen:64 DF
******S* Seq: 0x6EF67D47 Ack: 0x0 Win: 0xD200 TcpLen: 44
TCP Options (9) => MSS: 1414 NOP WS: 3 NOP NOP TS: 0 0 NOP NOP
TCP Options => SackOK

[**] [1:2002911:1] BLEEDING-EDGE SCAN Potential VNC Scan 5900-5920 [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/12-17:53:29.870465 74.14.172.209:2354 -> 75.148.5.232:5900
TCP TTL:30 TOS:0x20 ID:15086 IpLen:20 DgmLen:64 DF
******S* Seq: 0xC94AE0D1 Ack: 0x0 Win: 0xD200 TcpLen: 44
TCP Options (9) => MSS: 1440 NOP WS: 3 NOP NOP TS: 0 0 NOP NOP
TCP Options => SackOK

[**] [1:2002749:2] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/12-19:10:52.219369 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x0 ID:0 IpLen:20 DgmLen:348
Len: 320
[Xref => http://www.cymru.com/Documents/bogon-list.html]

[**] [1:2002749:2] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/12-20:50:10.430761 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x0 ID:0 IpLen:20 DgmLen:348
Len: 320
[Xref => http://www.cymru.com/Documents/bogon-list.html]

[**] [1:2001689:5] BLEEDING-EDGE WORM Potential MySQL bot scanning for SQL server [**]
[Classification: A Network Trojan was detected] [Priority: 1]
03/13-01:24:43.872832 218.56.180.251:46961 -> 75.148.5.239:3306
TCP TTL:93 TOS:0x20 ID:256 IpLen:20 DgmLen:40
******S* Seq: 0xBE7728D2 Ack: 0x0 Win: 0x4000 TcpLen: 20
[Xref => http://isc.sans.org/diary.php?date=2005-01-27]

[**] [1:2002749:2] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/13-08:28:26.165653 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x0 ID:0 IpLen:20 DgmLen:348
Len: 320
[Xref => http://www.cymru.com/Documents/bogon-list.html]
 
Old 03-14-2008, 10:48 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
That link is a reference to this kind of alert; have you read the link? It's explaining exactly what the issue is... It actually looks like an innocent DHCP request though. Are you listening on the internal network as well as the external side? Is there only one side?

Last edited by acid_kewpie; 03-14-2008 at 11:20 AM.
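An added triage example (not code from the thread or from Snort): it parses alerts in the "full" format pasted above and, as the moderator explains, flags the UDP 0.0.0.0:68 -> 255.255.255.255:67 pattern as a DHCP client broadcast, while marking the bare inbound SYNs to ports such as 5900 and 3306 as external probes to verify against the firewall. The sample input is copied from the thread; the verdict strings are my own.

```python
import re

# Sample input: two alerts copied from the thread above (Snort "full" alert format).
SAMPLE_ALERTS = """\
[**] [1:2002749:2] BLEEDING-EDGE POLICY Reserved IP Space Traffic - Bogon Nets 1 [**]
[Classification: Potentially Bad Traffic] [Priority: 2]
03/12-16:02:49.541160 0.0.0.0:68 -> 255.255.255.255:67
UDP TTL:128 TOS:0x0 ID:18 IpLen:20 DgmLen:330

[**] [1:2002911:1] BLEEDING-EDGE SCAN Potential VNC Scan 5900-5920 [**]
[Classification: Attempted Information Leak] [Priority: 2]
03/12-16:04:10.413012 211.133.123.213:2855 -> 75.148.5.232:5900
TCP TTL:21 TOS:0x20 ID:43110 IpLen:20 DgmLen:64 DF
******S* Seq: 0x6EF67D47 Ack: 0x0 Win: 0xD200 TcpLen: 44
"""

HEADER = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")  # [**] [gid:sid:rev] msg [**]
PACKET = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+)$")               # timestamp src:port -> dst:port
PROTO = re.compile(r"^(TCP|UDP|ICMP) ")

def parse_alerts(text):
    """Split Snort full-format alert text into one dict per alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        hdr, pkt = HEADER.match(lines[0]), PACKET.match(lines[2])
        if not (hdr and pkt):
            continue  # not a well-formed alert block; skip rather than guess
        a = {"sid": int(hdr.group(2)), "msg": hdr.group(4),
             "src": pkt.group(2), "sport": int(pkt.group(3)),
             "dst": pkt.group(4), "dport": int(pkt.group(5)),
             "proto": None, "syn_only": False}
        for line in lines[3:]:
            if PROTO.match(line):
                a["proto"] = PROTO.match(line).group(1)
            # Snort prints TCP flags in the order 12UAPRSF; "******S*" is a bare SYN
            if line.startswith("******S* "):
                a["syn_only"] = True
        alerts.append(a)
    return alerts

def triage(alert):
    """Verdict for one parsed alert, from a defender's point of view."""
    if (alert["proto"] == "UDP" and alert["src"] == "0.0.0.0" and alert["sport"] == 68
            and alert["dst"] == "255.255.255.255" and alert["dport"] == 67):
        return "benign: DHCP client broadcast (0.0.0.0 is the normal source before a lease)"
    if alert["proto"] == "TCP" and alert["syn_only"]:
        return f"inbound SYN probe to port {alert['dport']}: confirm the port is closed or filtered"
    return "review manually"
```

Run it over your own alert file with `parse_alerts(open("alert").read())`; anything that comes back "review manually" is worth reading against the rule's Xref link, as the moderator suggests.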
 
Old 03-17-2008, 10:44 AM   #3
pching
Member
 
Registered: Jan 2008
Location: Maryland US
Distribution: right now WindowsXP
Posts: 40

Original Poster
Rep: Reputation: 15

Hi acid_kewpie (Chris?):

Thanks for your response to my question.

Yes. I visited www.cymru.com and got some idea of what a "bogon" is.

My box is connected to a COMCAST router, so it should not be listening on my internal private network. But I did originally set up the box using a private IP address (192.168.xxx.yyy).

If someone is attacking my box then I need to do something about it.

Thanks for your help.

Philip
 
Old 03-17-2008, 11:09 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,415

Rep: Reputation: 1968
As above, it just looks like a DHCP request.