LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 12-13-2012, 10:13 AM   #16
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604

It took me a while to notice there's no HTTP method involved, so these aren't valid HTTP requests (=clients?) to begin with.
Quote:
Originally Posted by mitusf View Post
just in case someone wants to make an ideea
Do you plan to enable iptables logging and capture packets as well?
 
Old 12-13-2012, 11:04 AM   #17
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
Yes, but first I must see how to do it (the firewall logging), I have not any ideea so far, and with Wireshark, I suppose I must let the computer working for days, until I "receive" the custom salute from the outsiders.

Ah, ok, it's the LOG target, but where it is the info logged?

I think that without being set up (iptables log in syslogd and logrotate) it is logged by dmesg but within it's limits, I think. So, I must learn how to set up loging of iptables in syslogd and then logrotate. Maybe I am wrong but this is what I think.

BRW, is it appropriate or enough to see the current connections to my computer with "netstat -aut", or I need more options here?

Last edited by unSpawn; 12-13-2012 at 11:24 AM. Reason: //Merge, NN
 
Old 12-13-2012, 11:23 AM   #18
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604
'man iptables':

Code:
LOG
   Turn on kernel logging of matching packets. When this option is set for a rule, the Linux kernel
 will print some information on all matching packets (like most IP header fields) via the kernel 
log (where it can be read with dmesg or syslogd(8)). This is a "non-terminating target", i.e. rule
 traversal continues at the next rule. So if you want to LOG the packets you refuse, use two sepa-
rate rules with the same matching criteria, first using target LOG then DROP (or REJECT).

Quote:
Originally Posted by mitusf View Post
Maybe I am wrong but this is what I think.
After thinking and before posting it would be good to consult your documentation. What you wrote about only concerns you if you don't run syslogd and don't run a logrotate cron job.


Quote:
Originally Posted by mitusf View Post
is it appropriate or enough to see the current connections to my computer with "netstat -aut", or I need more options here?
Fastest way to display nfo with (networking) tool is to avoid any resolving. Often (ls, lsof, netstat, iptables, tcpdump, etc, etc) applications have "-n" switch for that. BTW, why would we need to see 'netstat' output?

Last edited by unSpawn; 12-13-2012 at 11:31 AM. Reason: //More *is* more
 
1 members found this post helpful.
Old 12-13-2012, 11:49 AM   #19
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
I was thinking about the possibility that someone intruded and with netstat I can see it's connection... not started by me, of course... make an ideea of what he is doing.

You're right about reading the documentation first. Sorry about that hurry.

Last edited by mitusf; 12-13-2012 at 12:07 PM.
 
Old 12-13-2012, 12:15 PM   #20
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604
Quote:
Originally Posted by mitusf View Post
I was thinking about the possibility that someone intruded and with netstat I can see it's connection... not started by me, of course... make an ideea of what he is doing.
Do you have a gut feeling, suspicion or clue your machine may be compromised?
 
Old 12-13-2012, 12:20 PM   #21
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
Sincerely, I hope and I don't really believe that was compromised, but I think these were only tries to break in. This is my feeling, after a behavior analyze of the "attacks" in the server log, without knowing the server's internals.
 
Old 12-13-2012, 01:22 PM   #22
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604
Then lets stick with logging web server requests, firewall connections and capturing packets with
Code:
tcpdump -n -nn -s 0 -i eth[devicenumber] -w /path/to/dump.pcap 'tcp-syn != 0 and dst port 80'
' for now?
 
1 members found this post helpful.
Old 12-13-2012, 01:27 PM   #23
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
Here is another fresh log record:

Quote:
46.38.41.11 - - [13/Dec/2012:20:59:16 +0200] "GET http://www.yahoo.com/ HTTP/1.1" 200 44
Do you know what happend? I have read that code 200 means that something was delivered, but what? I don't get it.

Your command seems a litle too complicated for me right now. Maybe later I would be able to decode it.

Update: the IP is from Rusia

Last edited by mitusf; 12-13-2012 at 01:29 PM.
 
Old 12-14-2012, 05:36 PM   #24
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
unSpawn, thank you for your answer, it was really interesting, though I need more studying about the syntax call of tcpdump. Also, what means the -nn flag, I didn't find it in the man page, maybe I should try with info?
 
Old 12-14-2012, 09:00 PM   #25
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,534
Blog Entries: 51

Rep: Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604Reputation: 2604
-nn Don't convert protocol and port numbers etc. to names either.
Come to think of it just
tcpdump -s 0 -i eth[devicenumber] -w /path/to/dump.pcap 'tcp-syn != 0 and dst port 80'
should do because you're logging to file.

Last edited by unSpawn; 12-14-2012 at 09:02 PM.
 
1 members found this post helpful.
Old 12-15-2012, 04:30 AM   #26
mitusf
Member
 
Registered: Nov 2011
Location: Bucharest, Romania
Distribution: Slackware
Posts: 141

Original Poster
Rep: Reputation: 2
Quote:
Originally Posted by OlRoy View Post
Seeing logs that contain hex and some printable ascii characters, makes me think binary data, and possibly shellcode.

213.215.89.201 - - [03/Dec/2012:21:28:50 +0200] "\xeb\xe1,\xdf\x89\xd4E\xb4\xea" 501 207


Code:
$ rasm2 -d 'eb e1 2c df 89 d4 45 b4 ea'
jmp 0x8047fe3
sub al, 0xdf
mov esp, edx
inc ebp
mov ah, 0xea
I'm definitely not familiar enough with Linux shellcode to say whether that is part of valid shellcode, but the above are all very common instructions. As unSpawn was saying, it's hard to say much without more context...
Thank you very much OlRoy, your response opened to me a totally new and interesting perspective. Thanks!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Script - Find time between entries in log file blsimpson Linux - Newbie 16 07-24-2012 06:03 PM
Parsing The Entries of a BIND log Query file Balvinder87 Linux - Security 2 07-12-2012 08:03 AM
Centos 6 Log file entries therockatmsu Linux - Server 2 07-03-2012 08:51 AM
httpd access log entries hywaydave Linux - Security 3 02-11-2005 03:39 PM
Weird entries in log file KennyK Linux - Security 4 10-17-2003 08:28 PM


All times are GMT -5. The time now is 01:31 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration