LinuxQuestions.org


eRJe 12-13-2010 05:21 PM

intruder alert in /var/log/messages
 
Hi,

I have noticed some possible security issues in my /var/log/messages log but I'm not sure how to read the messages. I'm getting the following lines:

Code:

Dec 13 23:14:07 AIF:PRIV TCP packet: IN=eth1 SRC=41.205.116.116 DST=xx.xx.xx.xx  PROTO=TCP DPT=Telnet(23) SPT=4184 TTL=52 SYN
Dec 13 23:14:43 AIF:PRIV TCP packet: IN=eth1 SRC=46.41.76.166  DST=xx.xx.xx.xx  PROTO=TCP DPT=Telnet(23) SPT=3282 TTL=52 SYN
Dec 13 23:14:55 AIF:PRIV TCP packet: IN=eth1 SRC=200.121.207.59 DST=xx.xx.xx.xx  PROTO=TCP DPT=Telnet(23) SPT=4026 TTL=48 SYN

Dec 13 23:16:43 AIF:PRIV UDP packet: IN=eth1 SRC=xx.xx.xx.xx DST=xx.xx.xx.255  PROTO=UDP DPT=SMB Data(138) SPT=SMB Data(138) TTL=64

Dec 13 23:27:14 AIF:ICMP-request: IN=eth1 SRC=209.170.120.50 DST=xx.xx.xx.xx  PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=22 SEQ=0
Dec 13 23:27:35 AIF:ICMP-request: IN=eth1 SRC=66.114.48.31  DST=xx.xx.xx.xx  PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=1 SEQ=7
Dec 13 23:27:55 AIF:ICMP-request: IN=eth1 SRC=66.114.48.31  DST=xx.xx.xx.xx  PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=6 SEQ=12
Dec 13 23:28:15 AIF:ICMP-request: IN=eth1 SRC=66.114.50.67  DST=xx.xx.xx.xx  PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=1 SEQ=6
Dec 13 23:28:35 AIF:ICMP-request: IN=eth1 SRC=66.114.50.67  DST=xx.xx.xx.xx  PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=6 SEQ=11

Dec 13 23:49:17 AIF:UNPRIV TCP packet: IN=eth1 SRC=124.133.2.2 DST=xx.xx.xx.xx  PROTO=TCP DPT=4899 SPT=6000 TTL=106 SYN

As I said, I'm not too sure what I'm seeing here, but I think I'm being "probed" where it says PROTO=ICMP TYPE/CODE=Echo request(8,0)? Some of the IPs I traced end up in China.

I assume the line with PROTO=UDP DPT=SMB Data(138) SPT=SMB Data(138) is coming from Samba and should not be an issue. However, the destination IP is (slightly) different from the source IP (my server), i.e. SRC=xx.xx.214.167 and DST=xx.xx.215.255.

What do these lines in my log mean, and is there anything else I can check for security issues other than the log files in /var/log?

Thanks!
Robbert
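To read entries like these systematically rather than by eye, here is an added example (not from the thread or from the firewall script) that parses the AIF-prefixed lines quoted above into KEY=VALUE fields and tallies, per source address, what kind of filtered packet each was. The sample log is copied from the post with its anonymized xx addresses, and the host's own address is assumed to be the literal placeholder 'xx.xx.xx.xx' so the Samba broadcast line can be told apart from inbound probes.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: firewall entries quoted in the post (addresses partly anonymized as xx).
SAMPLE_LOG = """\
Dec 13 23:14:07 AIF:PRIV TCP packet: IN=eth1 SRC=41.205.116.116 DST=xx.xx.xx.xx  PROTO=TCP DPT=Telnet(23) SPT=4184 TTL=52 SYN
Dec 13 23:14:43 AIF:PRIV TCP packet: IN=eth1 SRC=46.41.76.166  DST=xx.xx.xx.xx  PROTO=TCP DPT=Telnet(23) SPT=3282 TTL=52 SYN
Dec 13 23:16:43 AIF:PRIV UDP packet: IN=eth1 SRC=xx.xx.xx.xx DST=xx.xx.xx.255  PROTO=UDP DPT=SMB Data(138) SPT=SMB Data(138) TTL=64
Dec 13 23:27:35 AIF:ICMP-request: IN=eth1 SRC=66.114.48.31  DST=xx.xx.xx.xx  PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=1 SEQ=7
Dec 13 23:27:55 AIF:ICMP-request: IN=eth1 SRC=66.114.48.31  DST=xx.xx.xx.xx  PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=6 SEQ=12
Dec 13 23:49:17 AIF:UNPRIV TCP packet: IN=eth1 SRC=124.133.2.2 DST=xx.xx.xx.xx  PROTO=TCP DPT=4899 SPT=6000 TTL=106 SYN
"""

# "<syslog timestamp> AIF:<category>: <KEY=VALUE ... [FLAGS]>"
HEADER_RE = re.compile(r'^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+AIF:(.+?):\s+(.*)$')
# Values may contain spaces ("SMB Data(138)", "Echo request(8,0)"), so stop only before the next KEY=.
KV_RE = re.compile(r'([\w/]+)=(.*?)(?=\s+[\w/]+=|$)')

def parse_aif_line(line):
    """Turn one AIF entry into a dict of timestamp, category, fields and trailing TCP flags."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts, category, rest = m.groups()
    tokens = rest.split()
    flags = []
    while tokens and '=' not in tokens[-1]:   # trailing flags such as SYN carry no '='
        flags.insert(0, tokens.pop())
    fields = {k: v.strip() for k, v in KV_RE.findall(' '.join(tokens))}
    return {'ts': ts, 'category': category, 'flags': flags, **fields}

def classify(rec, own_ip):
    """Label a record for triage: own broadcast chatter versus kinds of inbound probe."""
    if rec['SRC'] == own_ip and rec['DST'].endswith('.255'):
        return 'local-broadcast'   # e.g. Samba NetBIOS datagrams sent to the subnet broadcast
    if rec['PROTO'] == 'ICMP' and rec.get('TYPE/CODE', '').startswith('Echo request'):
        return 'ping'
    if rec['PROTO'] == 'TCP' and 'SYN' in rec['flags']:
        return 'tcp-syn:' + rec['DPT']   # connection attempt to this destination port
    return 'other'

def summarize(log_text, own_ip):
    """Count, per source address, which kinds of filtered packets the firewall logged."""
    per_src = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_aif_line(line)
        if rec:
            per_src[rec['SRC']][classify(rec, own_ip)] += 1
    return {src: dict(c) for src, c in per_src.items()}

if __name__ == '__main__':
    for src, kinds in summarize(SAMPLE_LOG, 'xx.xx.xx.xx').items():
        print(src, kinds)
```

Run against the real file, a source that shows many tcp-syn entries to different ports in a short window is the scan pattern worth noting; a single local-broadcast entry from your own address is normal Samba traffic.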

win32sux 12-13-2010 05:28 PM

Those look like firewall log entries for filtered packets. If that's the case, it would seem that you were port scanned and pinged and your firewall did what was expected of it. This sort of thing is quite common on Internet-enabled hosts. You should check your firewall script's documentation to make sure the messages mean the packets were filtered.

Running Nmap against your host might also be a good idea, as it'll let you verify things are working properly.

eRJe 12-14-2010 07:08 AM

Hi Win32sux,

Thanks! I guess you are right. It is indeed log output from my firewall. I just did a ping from a different remote computer and PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=116 SEQ=1024 seems to be the response in the log file.

I actually think it could have been related to some spyware, because after a few good cleanups it appears that I'm getting a lot fewer entries in my logfile.

Thanks for the nmap hint. I will have a look at this.

Robbert
