LinuxQuestions.org


carlatf 10-27-2006 02:23 PM

What's this? Security violation
 
Hi,
I get this msg from the server log:

I'm not quite sure what this means.
I have my server running apache (80), postfix, dovecot and webmin (on a non standard port), ssh (not on the usual port)

All these people are trying to access and are being rejected?
Is this good?

Many thanks.

################### LogWatch 5.2.2 (06/23/04) ####################
Processing Initiated: Fri Oct 27 04:06:21 2006
Date Range Processed: yesterday
Detail Level of Output: 0

--------------------- Kernel Begin ------------------------


Dropped 1231 packets on interface eth0
From 1.177.26.213 - 5 packets to udp(1025,1025,1025,1025,1025)
From 4.190.230.173 - 1 packet to udp(1025)
From 8.104.194.107 - 5 packets to udp(1025,1025,1026,1026,1025)
From 8.252.248.152 - 5 packets to udp(1026,1026,1026,1026,1026)
From 10.44.194.214 - 5 packets to udp(1025,1026,1025,1026,1025)
From 12.74.118.106 - 5 packets to udp(1025,1025,1026,1025,1026)
From 21.196.31.235 - 5 packets to udp(1025,1026,1026,1025,1026)
From 29.7.216.242 - 5 packets to udp(1026,1026,1026,1026,1026)
From 29.114.43.245 - 5 packets to udp(1026,1026,1026,1026,1026)
From 29.143.21.195 - 5 packets to udp(1025,1026,1025,1026,1026)
From 32.3.199.216 - 5 packets to udp(1025,1025,1026,1025,1026)
From 37.209.117.90 - 2 packets to udp(1025,1026)
From 38.218.137.116 - 5 packets to udp(1026,1026,1026,1026,1026)
From 40.119.248.47 - 4 packets to udp(1026,1026,1026,1026)
From 43.97.19.214 - 5 packets to udp(1026,1026,1026,1026,1026)
From 57.61.61.63 - 5 packets to udp(1026,1028,1031,1026,1027)
From 59.117.180.35 - 12 packets to tcp(8080,8080,8080,8080,8080)
From 60.44.125.153 - 7 packets to tcp(5554,9898,5554,9898,5554,5554,5554)
From 60.172.138.126 - 3 packets to tcp(1025)
From 61.6.220.161 - 5 packets to tcp(5900,5900,5900,5900,5900)
From 61.57.132.230 - 5 packets to tcp(21,21,21,21,21)
From 61.109.12.3 - 7 packets to tcp(6129,6129,6129,6129,6129)
From 61.195.146.124 - 7 packets to tcp(22,22,22,22,22)
From 61.233.40.205 - 5 packets to udp(1030,1030,1031,1032,4297)
From 61.235.154.108 - 13 packets to 11 udp ports
From 61.240.50.167 - 5 packets to udp(1026,1026,1026,1026,1026)
From 62.160.169.5 - 1 packet to udp(49153)
From 63.15.153.96 - 5 packets to udp(1025,1026,1025,1026,1025)
From 63.246.15.18 - 4 packets to udp(33439)
From 64.94.45.18 - 4 packets to udp(33438)
From 64.94.45.26 - 4 packets to udp(33440)
From 64.157.70.188 - 1 packet to udp(1026)
From 65.104.213.150 - 5 packets to udp(1026,1026,1026,1026,1026)
From 65.214.154.16 - 2 packets to tcp(3722)
From 66.46.205.242 - 5 packets to udp(1025,1025,1025,1025,1025)
From 66.100.176.75 - 2 packets to udp(1025,1026)
From 66.119.65.2 - 10 packets to udp(33435)
From 66.119.65.22 - 55 packets to udp(33436,33437)
From 66.129.65.52 - 4 packets to udp(33437)
From 66.150.8.14 - 4 packets to udp(33438)
From 66.151.55.13 - 4 packets to udp(33436)
From 67.15.205.36 - 7 packets to tcp(21,21,21,21,21)
From 67.180.124.193 - 7 packets to tcp(5900,5900,5900,5900,5900)
From 69.25.7.10 - 12 packets to udp(33436)
From 69.25.7.14 - 5 packets to udp(33437)
From 69.25.7.26 - 10 packets to udp(33440)
From 69.25.7.30 - 8 packets to udp(33441)
From 69.38.102.194 - 7 packets to tcp(21,21,21,21)
From 69.47.181.10 - 3 packets to tcp(5900,5900,5900)
From 80.118.177.3 - 1 packet to udp(37852)
From 81.255.44.14 - 1 packet to udp(49153)
From 84.82.242.140 - 5 packets to udp(1025,1026,1025,1026,1026)
From 85.40.194.223 - 5 packets to udp(1026,1026,1026,1026,1026)
From 85.62.69.21 - 1 packet to udp(49153)
From 85.187.166.157 - 11 packets to tcp(4899,4899,4899,4899,4899)
From 87.215.67.224 - 5 packets to udp(1026,1026,1026,1026,1026)
From 89.73.82.52 - 5 packets to udp(1026,1026,1026,1026,1026)
From 90.28.170.68 - 5 packets to udp(1026,1026,1026,1026,1026)
From 100.121.188.102 - 5 packets to udp(1025,1025,1026,1025,1025)
From 102.61.188.209 - 5 packets to udp(1025,1025,1026,1025,1025)
From 111.183.101.83 - 5 packets to udp(1025,1025,1026,1025,1026)
From 117.242.240.232 - 5 packets to udp(1026,1026,1026,1026,1026)
From 120.50.14.84 - 5 packets to udp(1025,1026,1026,1025,1026)
From 133.23.154.234 - 5 packets to udp(1026,1026,1026,1026,1026)
From 147.166.107.88 - 5 packets to udp(1025,1026,1026,1025,1026)
From 156.33.148.217 - 5 packets to udp(1025,1026,1026,1025,1025)
From 159.237.4.2 - 2 packets to udp(49153,49153)
From 164.77.194.98 - 1 packet to udp(37852)
From 165.155.61.91 - 5 packets to udp(1025,1025,1026,1025,1026)
From 172.190.168.193 - 6 packets to udp(54537)tcp(54537)
From 174.150.229.220 - 5 packets to udp(1025,1026,1025,1026,1025)
From 194.7.176.162 - 1 packet to udp(49153)
From 196.12.43.152 - 7 packets to tcp(22,22,22,22,22)
From 200.55.79.2 - 112 packets to tcp(465,995)
From 200.137.66.225 - 5 packets to udp(1025,1026,1025,1026,1025)
From 201.252.14.38 - 2 packets to udp(80)
From 201.253.236.236 - 1 packet to udp(80)
From 202.103.86.66 - 5 packets to udp(1030,1031,4081,1031,4081)
From 202.149.194.162 - 12 packets to tcp(4899,4899,4899,4899,4899)
From 203.131.172.230 - 5 packets to tcp(4899,4899,4899,4899,4899)
From 203.150.224.219 - 7 packets to tcp(2100,2100,2100,2100,2100)
From 203.200.35.232 - 1 packet to udp(49153)
From 204.13.163.169 - 8 packets to udp(33436)
From 205.158.37.66 - 5 packets to udp(1025,1026,1025,1025,1025)
From 206.253.195.10 - 16 packets to udp(33436)
From 206.253.195.14 - 84 packets to udp(33437)
From 206.253.195.22 - 4 packets to udp(33439)
From 206.253.195.26 - 116 packets to udp(33440)
From 208.193.213.137 - 1 packet to udp(1025)
From 209.4.234.99 - 5 packets to udp(1026,1026,1026,1026,1026)
From 209.76.191.15 - 7 packets to tcp(5900,5900,5900,5900,5900)
From 209.126.128.88 - 5 packets to tcp(22,22,22,22,22)
From 210.186.89.232 - 1 packet to udp(80)
From 211.129.253.134 - 7 packets to tcp(5554,9898,5554,5554,5554,5554,9898)
From 211.205.9.47 - 2 packets to udp(1025,1026)
From 212.8.110.238 - 1 packet to udp(49153)
From 214.103.159.224 - 5 packets to udp(1025,1026,1025,1026,1025)
From 216.76.235.75 - 3 packets to tcp(1025)
From 216.180.218.33 - 2 packets to tcp(5900)
From 216.183.102.100 - 4 packets to udp(33437)
From 216.239.113.9 - 213 packets to udp(33435,33438,33442)
From 216.239.127.101 - 76 packets to udp(33435,33437,33438,33440)
From 217.24.122.149 - 5 packets to tcp(4899,4899,4899,4899,4899)
From 217.110.79.32 - 5 packets to tcp(4899,4899,4899,4899,4899)
From 218.134.192.86 - 5 packets to udp(1025,1025,1026,1025,1026)
From 218.254.20.228 - 5 packets to udp(1026,1026,1026,1026,1026)
From 220.127.253.245 - 7 packets to tcp(5554,5554,9898,5554,5554,5554,9898)
From 221.12.161.99 - 33 packets to 25 udp ports
From 221.165.127.252 - 7 packets to tcp(5554,9898,5554,9898,5554,5554,5554)
From 221.220.95.137 - 8 packets to tcp(4899,4899,4899,4899,4899)
From 222.79.28.188 - 25 packets to tcp(1080,7212,8000,8080,8888,32167,1080,32167,1080,32167)

Logged 24 packets on interface eth0
From 61.195.146.124 - 10 packets to tcp(22,22,22,22,22)
From 196.12.43.152 - 9 packets to tcp(22,22,22,22,22)
From 209.126.128.88 - 5 packets to tcp(22,22,22,22,22)

Capt_Caveman 10-27-2006 02:40 PM

Those all look like dropped packets (the logged entries also are in the dropped list) with the bulk being Windows worm/vx scans. So I'd say that looks good. But don't be fooled into thinking that running applications on non-standard ports makes them secure. It just makes them slightly harder to find. You still need to monitor their individual logs and use good security practices.

jayjwa 10-28-2006 07:36 AM

This type of stuff:

From 218.134.192.86 - 5 packets to udp(1025,1025,1026,1025,1026)
From 218.254.20.228 - 5 packets to udp(1026,1026,1026,1026,1026)

is most likely Windows NetSend Messenger spam (try sniffing the traffic sometime if you're really bored).

Port 5900 is VNC; there were a few bugs with RealVNC in the past, and several public exploits are out for those. I've been seeing this too.

From 221.165.127.252 - 7 packets to tcp(5554,9898,5554,9898,5554,5554,5554)

is the w32 Dabber virus. It repeatedly fires off exploits to port 5554 (old Sasser ftpd), and immediately checks 9898 to see if it was successful, over and over and over and ...

4899, I think, is Radmin.
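As an added triage aid (my example, not code from this thread or from LogWatch), here is a small Python parser for the "From <ip> - N packets to proto(ports)" lines in the report above that tags each entry with the port patterns jayjwa describes. The sample report is constructed with documentation-range addresses, and the signature labels are this example's own wording.

```python
import re
from collections import Counter
# Constructed sample in the LogWatch "Kernel" block format quoted in this thread.
SAMPLE = """Dropped 25 packets on interface eth0
From 203.0.113.5 - 5 packets to udp(1025,1026,1025,1026,1025)
From 198.51.100.7 - 7 packets to tcp(5554,9898,5554,9898,5554,5554,5554)
From 192.0.2.9 - 13 packets to 11 udp ports
"""
LINE_RE = re.compile(r"^From (\S+) - (\d+) packets? to (.+)$")
PORTS_RE = re.compile(r"(tcp|udp)\((\d+(?:,\d+)*)\)")
SWEEP_RE = re.compile(r"^(\d+) (tcp|udp) ports$")

# Port patterns named by jayjwa above: (proto, port set, label). Labels are
# this example's own wording, not LogWatch output.
SIGNATURES = [
    ("udp", {1025, 1026}, "Windows Messenger (NetSend) spam"),
    ("tcp", {5554, 9898}, "w32 Dabber probe (5554 Sasser ftpd, 9898 check)"),
    ("tcp", {5900}, "VNC scan"),
    ("tcp", {4899}, "Radmin scan"),
]

def parse_line(line):
    """Parse one 'From <ip> - N packets to ...' line; return None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = {"src": m.group(1), "count": int(m.group(2)), "ports": {}, "sweep": None}
    sweep = SWEEP_RE.match(m.group(3))
    if sweep:  # LogWatch collapses wide scans to "N packets to M udp ports"
        entry["sweep"] = (int(sweep.group(1)), sweep.group(2))
        return entry
    for proto, plist in PORTS_RE.findall(m.group(3)):
        # LogWatch lists a port once per packet; keep only the distinct set.
        entry["ports"].setdefault(proto, set()).update(int(p) for p in plist.split(","))
    return entry

def classify(entry):
    """Label an entry by the first signature whose port set covers it."""
    if entry["sweep"]:
        return "port sweep (%d %s ports)" % entry["sweep"]
    for proto, sig_ports, label in SIGNATURES:
        ports = entry["ports"].get(proto)
        if ports and ports <= sig_ports:
            return label
    return "unclassified"  # keep unknown patterns visible for manual review

def summarize(report):
    """Count labels over all 'From ...' lines of a LogWatch kernel block."""
    return Counter(classify(e) for e in map(parse_line, report.splitlines()) if e)
```

Anything that lands in "unclassified" (for instance the repeated tcp/22 entries in the report above) is exactly what deserves a look in the service's own logs, as Capt_Caveman says.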

carlatf 11-01-2006 09:11 PM

Many thanks, guys.
As I saw "security violation" in the msg I got worried.
I know that changing the ports only makes it harder to find, nothing else.
I'm about to install an IDS system.

Best regards,
Carla