PSAD reports continuous scans from my LAN IP
Hello, I realized that PSAD is reporting a continuous streak of scan attempts, only they are not scans coming from the outside but scans originating from my LAN IP (192.168.16.2) and directed to the outside, if I got that right, which makes me seriously think of being compromised.
One recurring IP address points to metasploit.com, which is pretty weird. Can this be a false alert due to some legitimate program? I'm confused.
Below, one sample alert:
=-=-=-=-=-=-=-=-=-=-=-= Tue Jan 11 16:21:56 2011 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [2] (out of 5)
Scanned UDP ports: [28409: 1 packets, Nmap: -sU]
iptables chain: OUTPUT (prefix "DROPPED"), 1 packets
Source: 192.168.16.2
DNS: [No reverse dns info available]
OS guess: Linux:2.6:8:Linux 2.6.8 and newer (?)
Destination: 72.204.199.142
DNS: ip72-204-199-142.ph.ph.cox.net
Overall scan start: Tue Jan 11 16:07:13 2011
Total email alerts: 7
Complete UDP range: [28409]
Syslog hostname: [my-machine]
Global stats:   chain:   interface:   TCP:   UDP:   ICMP:
                OUTPUT   eth0         0      1      0
[+] Whois Information:
Whois data not available!
Last edited by jagerhans; 01-11-2011 at 10:13 AM.
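A small triage helper, added here as an example and not part of the original post or of PSAD itself: it parses alert blocks in the format quoted above, works out whether the dropped traffic was leaving the LAN (OUTPUT chain, private source, public destination) and whether the port/packet pattern looks like a sweep or a lone datagram, and counts which destinations recur across a batch of alerts. The first sample is the alert from the post; the second (inbound TCP sweep from 203.0.113.9) is constructed for contrast.

```python
"""Parse PSAD e-mail alerts and triage direction and scan pattern.
Example code written for this thread; the field regexes follow the alert
layout quoted in the post and may need adjusting for other PSAD versions."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field

# Sample 1: the alert quoted in the post (one UDP packet, OUTPUT chain).
SAMPLE_OUTBOUND = """\
=-=-=-=-=-=-=-=-=-=-=-= Tue Jan 11 16:21:56 2011 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [2] (out of 5)
Scanned UDP ports: [28409: 1 packets, Nmap: -sU]
iptables chain: OUTPUT (prefix "DROPPED"), 1 packets
Source: 192.168.16.2
DNS: [No reverse dns info available]
OS guess: Linux:2.6:8:Linux 2.6.8 and newer (?)
Destination: 72.204.199.142
DNS: ip72-204-199-142.ph.ph.cox.net
Overall scan start: Tue Jan 11 16:07:13 2011
Total email alerts: 7
Complete UDP range: [28409]
Syslog hostname: [my-machine]
"""

# Sample 2: constructed, hypothetical inbound TCP sweep (203.0.113.9 is a
# documentation address, not a real scanner).
SAMPLE_INBOUND = """\
=-=-=-=-=-=-=-=-=-=-=-= Tue Jan 11 18:02:10 2011 =-=-=-=-=-=-=-=-=-=-=-=
Danger level: [3] (out of 5)
Scanned TCP ports: [22: 3 packets, 23: 2 packets, 445: 4 packets, 3389: 1 packets]
iptables chain: INPUT (prefix "DROPPED"), 10 packets
Source: 203.0.113.9
DNS: [No reverse dns info available]
Destination: 192.168.16.2
DNS: [No reverse dns info available]
"""


@dataclass
class PsadAlert:
    danger_level: int
    chain: str          # iptables chain that logged the drop: INPUT / OUTPUT / FORWARD
    proto: str          # TCP or UDP
    source: str
    destination: str
    ports: dict = field(default_factory=dict)   # destination port -> packets seen


_LEVEL = re.compile(r"Danger level: \[(\d+)\]")
_PORTS = re.compile(r"Scanned (TCP|UDP) ports: \[(.*?)\]")
_PORT_ENTRY = re.compile(r"(\d+): (\d+) packets")
_CHAIN = re.compile(r"iptables chain: (\S+)")
_SRC = re.compile(r"^Source: (\S+)", re.M)
_DST = re.compile(r"^Destination: (\S+)", re.M)


def parse_alert(text: str) -> PsadAlert:
    """Extract the fields needed for triage from one PSAD alert block."""
    level, ports, chain, src, dst = (rx.search(text) for rx in (_LEVEL, _PORTS, _CHAIN, _SRC, _DST))
    if not all((level, ports, chain, src, dst)):
        raise ValueError("not a complete PSAD alert block")
    port_map = {int(p): int(n) for p, n in _PORT_ENTRY.findall(ports.group(2))}
    return PsadAlert(int(level.group(1)), chain.group(1), ports.group(1),
                     src.group(1), dst.group(1), port_map)


def triage(alert: PsadAlert) -> dict:
    """Classify direction and pattern; the verdict is a hint for a human, not proof."""
    src = ipaddress.ip_address(alert.source)
    dst = ipaddress.ip_address(alert.destination)
    direction = {"OUTPUT": "outbound", "INPUT": "inbound"}.get(alert.chain, "forwarded")
    # True when a LAN host's own traffic to the Internet was dropped by OUTPUT rules,
    # which is the situation the post describes.
    leaving_lan = direction == "outbound" and src.is_private and not dst.is_private
    distinct, packets = len(alert.ports), sum(alert.ports.values())
    if distinct == 1 and packets <= 2:
        pattern = "single-datagram"   # one port, one or two packets: an app reply/P2P-style hit, not a sweep
    elif distinct >= 3:
        pattern = "port-sweep"        # several distinct ports from one peer in the window
    else:
        pattern = "few-ports"
    follow_up = ("identify the local process emitting %s to %s (e.g. `ss -uap` / `ss -tap` while it recurs)"
                 % (alert.proto, alert.destination)) if leaving_lan else "review firewall logs for this source"
    return {"direction": direction, "leaving_lan": leaving_lan, "pattern": pattern,
            "distinct_ports": distinct, "packets": packets, "follow_up": follow_up}


def recurring_destinations(alerts) -> Counter:
    """Count destinations across outbound alerts so a 'recurring IP' stands out."""
    return Counter(a.destination for a in alerts if a.chain == "OUTPUT")


if __name__ == "__main__":
    for blob in (SAMPLE_OUTBOUND, SAMPLE_INBOUND):
        a = parse_alert(blob)
        print(a.source, "->", a.destination, triage(a))
    print(recurring_destinations([parse_alert(SAMPLE_OUTBOUND)] * 3))
```

Run over a mailbox of alerts, the "single-datagram, leaving_lan" bucket is the one to check against a process list before concluding anything: one UDP packet to one high port on a residential address is what a peer-to-peer client or an unsolicited reply looks like, whereas a sweep of several ports from the same host is worth treating as real.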