LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 04-22-2004, 04:41 PM   #1
blur
How to check if my machine has done a host/port sweep?


Hello

I have a Linux box (SuSE 8.2) working as a server for a local network, with several services running (DHCP, NIS, NFS, Postfix, etc.).
I've received an e-mail from an institutional organism alerting me that one of my machines has been compromised/infected and is scanning their networks, or that one of the users is scanning their networks. I have the exact time that this happened.
How can I see what happened? Which are the log files that should contain this information? What should I be looking for inside the logs?

Thanks very much in advance

Cheers
 
Old 04-22-2004, 06:16 PM   #2
unSpawn
Quote:
Originally posted by blur
I've received an e-mail from an institutional organism alerting me that one of my machines has been compromised/infected and is scanning their networks, or that one of the users is scanning their networks. I have the exact time that this happened.
Be warned some reports can be fully or partially automated, bad guesses or whatever else. Sure you gotta take this seriously, but don't overreact unless specific information is given. Posting log excerpts or whatever "evidence" they sent would be cool.


Quote:
Originally posted by blur
How can I see what happened?
If you have or configured it: outbound firewall rules. Else you gotta catch the culprit by monitoring the wire with tcpdump or Snort. Remember if you use a libpcap sniffer like tcpdump Snort can read that back later on.


Quote:
Originally posted by blur
Which are the log files that should contain this information?
Unfortunately that depends on what you got. Sure, if you haven't got firewall outbound logging you could correlate login times to find users on the system, but if it was an automated scan or alike this doesn't mean a thing.
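As an added example (not code from the thread or from either poster), here is how the outbound firewall logging unSpawn mentions could be searched after the fact. It assumes a rule such as `iptables -A FORWARD -o eth0 -m state --state NEW -j LOG --log-prefix "OUT-NEW "` had been writing every new outbound connection to syslog; the prefix, interface names, hostname and all addresses below are constructed for the sample, and the script flags any internal address that opened connections to many distinct hosts, or to many ports on one host, inside a short window.

```python
# Added example: flag outbound host/port sweeps in iptables LOG output.
# "OUT-NEW" is the --log-prefix assumed here, not one from the thread.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) \S+ kernel: OUT-NEW .*?"
                     r"SRC=(?P<src>\S+) DST=(?P<dst>\S+)(?:.* DPT=(?P<dpt>\d+))?")

def parse(lines, year):
    """Yield (timestamp, src, dst, dpt) per OUT-NEW line; syslog carries no year, so pass it."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield (datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"),
                   m["src"], m["dst"], m["dpt"])

def find_sweeps(lines, year=2004, window=timedelta(seconds=60), min_targets=10):
    """{src: [(burst_start, distinct_hosts, max_ports_on_one_host), ...]} for sources that,
    inside any `window`, hit >= min_targets hosts (host sweep) or ports on one host (port sweep)."""
    by_src = defaultdict(list)
    for ev in parse(lines, year):
        by_src[ev[1]].append(ev)
    findings = defaultdict(list)
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        i = 0
        while i < len(evs):
            t0 = evs[i][0]
            span = [e for e in evs[i:] if e[0] - t0 <= window]  # burst starting at event i
            hosts = {e[2] for e in span}
            max_ports = max((len({e[3] for e in span if e[2] == h and e[3]}) for h in hosts), default=0)
            if len(hosts) >= min_targets or max_ports >= min_targets:
                findings[src].append((t0, len(hosts), max_ports))
                i += len(span)  # report the whole burst once, then continue after it
            else:
                i += 1
    return dict(findings)

def _line(hms, src, dst, dpt):  # constructed syslog line in the shape the kernel LOG target writes
    return (f"Apr 22 {hms} suse kernel: OUT-NEW IN=eth1 OUT=eth0 SRC={src} DST={dst} LEN=60 "
            f"TOS=0x00 PREC=0x00 TTL=63 ID=4711 DF PROTO=TCP SPT=40211 DPT={dpt} SYN URGP=0")

# Constructed sample: .10 browses normally; .23 hits 12 hosts on 445, then 12 ports on one host.
SAMPLE_LOG = [_line("14:03:01", "192.168.1.10", "193.136.0.1", 80),
              _line("14:03:07", "192.168.1.10", "193.136.0.2", 443),
              "Apr 22 14:04:00 suse sshd[812]: Accepted password for joe from 192.168.1.23 port 1029 ssh2"]
SAMPLE_LOG += [_line(f"14:05:{i:02d}", "192.168.1.23", f"193.136.5.{i}", 445) for i in range(1, 13)]
SAMPLE_LOG += [_line(f"14:20:{i:02d}", "192.168.1.23", "193.136.5.1", 1000 + i) for i in range(12)]
```

Calling `find_sweeps(SAMPLE_LOG)` reports the two bursts from 192.168.1.23 and nothing for 192.168.1.10; the sshd line in the sample is the kind of login record to correlate against a burst's start time.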
 
Old 04-23-2004, 07:16 AM   #3
blur
Thanks for your help.

Quote:
Originally posted by unSpawn

If you have or configured it: outbound firewall rules.
Sorry, but what do you mean by this? I have a simple firewall; all it does is IP masquerade and routing using iptables. You mean I should somehow log everything that goes through the firewall?

Quote:
Else you gotta catch the culprit by monitoring the wire with tcpdump or Snort. Remember if you use a libpcap sniffer like tcpdump Snort can read that back later on.
I don't have any running on my system. This can be very helpful for the future, but not for what happened in the past, correct?

Cheers