LinuxQuestions.org
07-27-2007, 09:20 PM   #1
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

Possible Hack Attempts?


Hi! I am seeing the following errors when issuing a dmesg on my system. This is a public web server. Could this be signs of a hacker becoming successful at attempting to enter my system? What could we do to mitigate this attack? IPTABLES ban? Mod Security?

TCP: Treason uncloaked! Peer 196.47.81.126:61307/443 shrinks window 1396028922:1396028923. Repaired.
TCP: Treason uncloaked! Peer 196.47.81.126:61312/443 shrinks window 1413067280:1413067281. Repaired.
TCP: Treason uncloaked! Peer 196.47.81.126:61313/443 shrinks window 1420626703:1420626704. Repaired.
TCP: Treason uncloaked! Peer 196.47.81.126:61314/443 shrinks window 1418292719:1418292720. Repaired.
TCP: Treason uncloaked! Peer 196.47.81.126:61339/443 shrinks window 1496596192:1496596193. Repaired.
TCP: Treason uncloaked! Peer 196.47.81.126:61339/443 shrinks window 1496596192:1496596193. Repaired.
TCP: Treason uncloaked! Peer 196.47.81.126:61391/443 shrinks window 1709960587:1709960588. Repaired.
TCP: Treason uncloaked! Peer 196.47.81.126:61391/443 shrinks window 1709960587:1709960588. Repaired.
TCP: Treason uncloaked! Peer 196.47.81.126:61526/443 shrinks window 2008149136:2008149137. Repaired.
ERROR: SCSI host `cciss' has no error handling
ERROR: This is not a safe way to run your SCSI host
ERROR: The error handling must be added to this driver

Call Trace:<ffffffffa000359f>{:scsi_mod:scsi_host_alloc+143} <ffffffffa002df17>{:cciss:cciss_proc_write+372}
<ffffffff80178b8c>{filp_open+106} <ffffffff801ad238>{proc_file_write+37}
<ffffffff801796c0>{vfs_write+207} <ffffffff801797a8>{sys_write+69}
<ffffffff8011026a>{system_call+126}
scsi0 : cciss
Vendor: HP Model: C5683A Rev: P306
Type: Sequential-Access ANSI SCSI revision: 03
st: Version 20040403, fixed bufsize 32768, s/g segs 256
Attached scsi tape st0 at scsi0, channel 0, id 0, lun 0
st0: try direct i/o: yes (alignment 512 B), max page reachable by HBA 4503599627370495
TCP: Treason uncloaked! Peer 213.181.91.242:63829/80 shrinks window 889952142:889953340. Repaired.


Thanks for the help
 
07-27-2007, 09:33 PM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

ERROR: SCSI host `cciss' has no error handling
ERROR: This is not a safe way to run your SCSI host
ERROR: The error handling must be added to this driver
... adding error handling to the driver may be a good step.

Any reason you cannot just drop packets from the following IPs?
196.47.81.126 (196.47.81.0/24 maybe)
213.181.91.242 (213.181.91.0/24 maybe)

Hmmm... for a good explanation:
http://www.linuxquestions.org/questi...d.php?t=127984

Last edited by Simon Bridge; 07-27-2007 at 09:35 PM.
 
07-27-2007, 09:40 PM   #3
keysorsoze
Member
 
Registered: Apr 2004
Location: Queens, NY
Distribution: Red Hat, Solaris
Posts: 295

Original Poster
Yes, dropping the IP addresses is not a problem; I just wanted to confirm that this is indeed some malicious intent being performed. Thank you for the reply. I'll take some steps to use IP Tables to drop/ban these addresses and resolve the SCSI driver issue.
 
07-28-2007, 03:49 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Could this be signs of a hacker becoming successful at attempting to enter my system.
No. It's just the kernel telling you (message of informational level) it discovered a change in window size and corrected it. You could have found the answer if you searched LQ.
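
A triage sketch for the messages discussed in this thread, added here as an example and not posted by any participant: it parses the "Treason uncloaked" lines out of dmesg text and groups them per peer, so you can see how many distinct connections and which local ports are involved before deciding whether anything needs blocking. The field names, and reading the number after the slash as the local service port (443 and 80 on this web server), are assumptions of the example; the sample lines are copied from the first post.

```python
import re
from collections import defaultdict

# Message format as it appears in the thread's dmesg output.
TREASON_RE = re.compile(
    r"TCP: Treason uncloaked! Peer (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):"
    r"(?P<pport>\d+)/(?P<lport>\d+) shrinks window (?P<lo>\d+):(?P<hi>\d+)\. Repaired\."
)

# Sample input: lines copied from the first post (one unrelated line kept on purpose).
SAMPLE = """\
TCP: Treason uncloaked! Peer 196.47.81.126:61307/443 shrinks window 1396028922:1396028923. Repaired.
TCP: Treason uncloaked! Peer 196.47.81.126:61339/443 shrinks window 1496596192:1496596193. Repaired.
TCP: Treason uncloaked! Peer 196.47.81.126:61339/443 shrinks window 1496596192:1496596193. Repaired.
ERROR: SCSI host `cciss' has no error handling
TCP: Treason uncloaked! Peer 213.181.91.242:63829/80 shrinks window 889952142:889953340. Repaired.
"""

def parse_line(line):
    """Return the fields of one 'Treason uncloaked' line, or None for any other line."""
    m = TREASON_RE.search(line)  # search() tolerates a leading timestamp or syslog prefix
    if not m:
        return None
    lo, hi = int(m["lo"]), int(m["hi"])
    return {
        "peer": m["ip"],
        "peer_port": int(m["pport"]),
        "local_port": int(m["lport"]),  # assumption: number after the slash is our port
        "span": (hi - lo) % 2**32,      # difference of the two printed values, 32-bit wrap
    }

def summarize(text):
    """Group matching lines by peer address."""
    peers = defaultdict(lambda: {"messages": 0, "connections": set(),
                                 "local_ports": set(), "max_span": 0})
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        p = peers[ev["peer"]]
        p["messages"] += 1
        p["connections"].add((ev["peer_port"], ev["local_port"]))  # repeats collapse here
        p["local_ports"].add(ev["local_port"])
        p["max_span"] = max(p["max_span"], ev["span"])
    return dict(peers)

if __name__ == "__main__":
    for peer, s in sorted(summarize(SAMPLE).items()):
        print(peer, s["messages"], "messages,", len(s["connections"]), "connections,",
              "local ports", sorted(s["local_ports"]), "max span", s["max_span"])
```

On a live system the same functions can be fed the text of `dmesg` instead of `SAMPLE`.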
 
  

