LinuxQuestions.org
12-13-2010, 05:21 PM   #1
eRJe (Member, Slackware 14.1 Kernel 3.12.1)
intruder alert in /var/log/messages


Hi,

I have noticed some possible security issues in my /var/log/messages log, but I'm not sure how to read the messages. I'm getting the following lines:

Code:
Dec 13 23:14:07 AIF:PRIV TCP packet: IN=eth1 SRC=41.205.116.116 DST=xx.xx.xx.xx  PROTO=TCP DPT=Telnet(23) SPT=4184 TTL=52 SYN
Dec 13 23:14:43 AIF:PRIV TCP packet: IN=eth1 SRC=46.41.76.166   DST=xx.xx.xx.xx  PROTO=TCP DPT=Telnet(23) SPT=3282 TTL=52 SYN
Dec 13 23:14:55 AIF:PRIV TCP packet: IN=eth1 SRC=200.121.207.59 DST=xx.xx.xx.xx  PROTO=TCP DPT=Telnet(23) SPT=4026 TTL=48 SYN

Dec 13 23:16:43 AIF:PRIV UDP packet: IN=eth1 SRC=xx.xx.xx.xx DST=xx.xx.xx.255  PROTO=UDP DPT=SMB Data(138) SPT=SMB Data(138) TTL=64

Dec 13 23:27:14 AIF:ICMP-request: IN=eth1 SRC=209.170.120.50 DST=xx.xx.xx.xx  PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=22 SEQ=0
Dec 13 23:27:35 AIF:ICMP-request: IN=eth1 SRC=66.114.48.31   DST=xx.xx.xx.xx  PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=1 SEQ=7
Dec 13 23:27:55 AIF:ICMP-request: IN=eth1 SRC=66.114.48.31   DST=xx.xx.xx.xx  PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=6 SEQ=12
Dec 13 23:28:15 AIF:ICMP-request: IN=eth1 SRC=66.114.50.67   DST=xx.xx.xx.xx  PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=1 SEQ=6
Dec 13 23:28:35 AIF:ICMP-request: IN=eth1 SRC=66.114.50.67   DST=xx.xx.xx.xx  PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=6 SEQ=11

Dec 13 23:49:17 AIF:UNPRIV TCP packet: IN=eth1 SRC=124.133.2.2 DST=xx.xx.xx.xx  PROTO=TCP DPT=4899 SPT=6000 TTL=106 SYN
As I said, I'm not too sure what I'm seeing here, but I think I'm being "probed" where it says PROTO=ICMP TYPE/CODE=Echo request(8,0)? Some of the IPs I traced end up in China.

I assume the line with PROTO=UDP DPT=SMB Data(138) SPT=SMB Data(138) is coming from Samba and should not be an issue. However, the destination IP is (slightly) different than the source IP (my server), i.e. SRC=xx.xx.214.167 and DST=xx.xx.215.255.

What do these lines in my log mean, and is there anything else I can check for security issues other than the log files in /var/log?

Thanks!
Robbert
 
12-13-2010, 05:28 PM   #2
win32sux (LQ Guru, Ubuntu)
Those look like firewall log entries for filtered packets. If that's the case, it would seem that you were port scanned and pinged and your firewall did what was expected of it. This sort of thing is quite common on Internet-enabled hosts. You should check your firewall script's documentation to make sure the messages mean the packets were filtered.

Running Nmap against your host might also be a good idea, as it'll let you verify things are working properly.

Last edited by win32sux; 12-13-2010 at 05:33 PM.
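Added example, not code from the thread or from the firewall package: a small Python triage of log lines in the AIF format shown above. It assumes the LAN is 192.0.2.0/24 and uses constructed sample lines with documentation addresses; it separates own-subnet broadcasts (like the SMB Data(138) line) from outside SYN and ping probes and counts the probed ports per source.

```python
import re
import ipaddress
from collections import Counter

# Regex for the AIF (Arno's iptables firewall) log format seen in the thread;
# DPT/SPT and TYPE/CODE values may contain spaces, so they are matched lazily.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) AIF:(?P<tag>[^:]+): IN=(?P<iface>\S+) "
    r"SRC=(?P<src>\S+) +DST=(?P<dst>\S+) +PROTO=(?P<proto>\S+) "
    r"(?:DPT=(?P<dpt>.+?) SPT=(?P<spt>.+?)|TYPE/CODE=(?P<icmp>.+?)) "
    r"TTL=(?P<ttl>\d+)(?P<rest>.*)$"
)

def port_number(field):
    # "Telnet(23)" -> 23, "SMB Data(138)" -> 138, "4899" -> 4899
    m = re.search(r"\((\d+)\)$", field)
    return int(m.group(1)) if m else int(field)

def classify(rec, local_net):
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    # Own subnet -> its broadcast address (x.x.x.255): Samba/NetBIOS browsing
    # that the WAN-side rules drop; noisy, but not an outside probe.
    if src in local_net and dst == local_net.broadcast_address:
        return "local-broadcast"
    if rec["proto"] == "ICMP" and rec["icmp"].startswith("Echo request"):
        return "ping-probe"
    if rec["proto"] == "TCP" and "SYN" in rec["rest"]:
        return "syn-probe"
    return "other"

def triage(lines, local_cidr):
    # Returns (category counts, (src, dport) counts for TCP SYN probes)
    local_net = ipaddress.ip_network(local_cidr)
    kinds, probes = Counter(), Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue
        rec = m.groupdict()
        kind = classify(rec, local_net)
        kinds[kind] += 1
        if kind == "syn-probe":
            probes[(rec["src"], port_number(rec["dpt"]))] += 1
    return kinds, probes

# Constructed sample in the thread's format, using documentation addresses.
SAMPLE = """\
Dec 13 23:14:07 AIF:PRIV TCP packet: IN=eth1 SRC=198.51.100.116 DST=192.0.2.167  PROTO=TCP DPT=Telnet(23) SPT=4184 TTL=52 SYN
Dec 13 23:16:43 AIF:PRIV UDP packet: IN=eth1 SRC=192.0.2.167 DST=192.0.2.255  PROTO=UDP DPT=SMB Data(138) SPT=SMB Data(138) TTL=64
Dec 13 23:27:14 AIF:ICMP-request: IN=eth1 SRC=203.0.113.50 DST=192.0.2.167  PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=22 SEQ=0
Dec 13 23:49:17 AIF:UNPRIV TCP packet: IN=eth1 SRC=198.51.100.2 DST=192.0.2.167  PROTO=TCP DPT=4899 SPT=6000 TTL=106 SYN
""".splitlines()
```

Run `triage(SAMPLE, "192.0.2.0/24")` to get the per-category counts; the real log can be fed in with `open("/var/log/messages")` and the actual LAN prefix.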
 
12-14-2010, 07:08 AM   #3
eRJe (Original Poster)
Hi Win32sux,

Thanks! I guess you are right. It is indeed log output from my firewall. I just did a ping from a different remote computer and PROTO=ICMP TYPE/CODE=Echo request(8,0) TTL=116 SEQ=1024 seems to be the response in the log file.

I actually think it could have been related to some spyware, because after a few good cleanups it appears that I'm getting a lot fewer entries in my log file.

Thanks for the nmap hint. I will have a look at this.

Robbert
 