LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-16-2003, 04:19 PM   #1
halifax
LQ Newbie
 
Registered: Jun 2003
Location: Sanford, NC
Posts: 8

Rep: Reputation: 0
Probed and Attacked - Battle Damage Assessment


Hello,

I was probed and then an attempted attack was initiated against my SuSE 8.1 box this afternoon. I'm running snort and this is what I saw first hand:

**************

[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
08/16-15:28:23.600313 0:20:78:CE:BE:12 -> 0:1:2:82:AA:FB type:0x800 len:0x70
64.12.30.188:5190 -> 172.16.1.100:1030 TCP TTL:99 TOS:0x0 ID:27851 IpLen:20 DgmLen:98 DF
***APR** Seq: 0xC6955D67 Ack: 0x56205B63 Win: 0x4000 TcpLen: 20

[**] [1:1841:2] WEB-CLIENT javascript URL host spoofing attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
08/16-15:51:52.093828 0:20:78:CE:BE:12 -> 0:1:2:399:E9 type:0x800 len:0x5E2
64.12.152.56:80 -> 172.16.1.101:32904 TCP TTL:43 TOS:0x0 ID:35742 IpLen:20 DgmLen:1492 DF
***AP*** Seq: 0x11BE722F Ack: 0x7BB36C1 Win: 0x6540 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/5293]

************

I did a check on the suggested URL and discovered that I am running a browser that is not vulnerable to this type of attack. However, to prevent the attack from progressing and to determine what was happening to my server - I disco'd my DSL router from the internet and started to probe my logs. The only descrepancy I can find is in /var/log/messages which occured 3 minutes after the "javascript URL host spoofing attempt" started:

*************

Aug 16 15:53:43 name kernel: device eth0 left promiscuous mode
Aug 16 15:53:43 name kernel: eth0: Setting promiscuous mode.
Aug 16 15:53:43 name kernel: device eth0 entered promiscuous mode
Aug 16 15:53:43 name kernel: klogd 1.4.1, ---------- state change ----------
Aug 16 15:53:43 name kernel: Inspecting /boot/System.map-2.4.19-4GB
Aug 16 15:53:43 name kernel: Loaded 14329 symbols from /boot/System.map-2.4.19-4GB.
Aug 16 15:53:43 name kernel: Symbols match kernel version 2.4.19.
Aug 16 15:53:43 name kernel: Loaded 1038 symbols from 39 modules.

**************

I believe that eth0 left "promiscuous mode" due to the fact that I accidently shut snort down in my panic of observing an attack and my fury in opening an new xterm window.

What I am concerned about here is the "klogd 1.4.1, -- state change --" does anyone have any ideas why this may have occured at this time?

Thanks in advance for any assistance.

halifax STEALTH ACTIVITY (unknown) detection javascript URL host spoofing attempt
 
Old 08-16-2003, 04:26 PM   #2
2damncommon
Senior Member
 
Registered: Feb 2003
Location: Calif, USA
Distribution: PCLINUXOS
Posts: 2,917

Rep: Reputation: 103Reputation: 103
My snort log shows 20-30 attempts everyday.
Over 100 during the recent "hackers contest" weekend. One guy scanned every hour.
Apparently these people just continually scan the internet and if you have an open vulnerability they get you.
 
Old 08-17-2003, 08:06 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594Reputation: 3594
The "klogd state change" message only means it's reloading the files it's reading, usually due to a -HUP, for instance when rotating logs. The following lines support that cuz it's rereading the current kernels' System.map symbol nfo.

Btw, Snort ID 1841, the "WEB-CLIENT javascript URL host spoofing attempt" alert popped up recently, here: http://www.linuxquestions.org/questi...threadid=82083
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
monitor probed wrongly during fc3 installation vyom Fedora 5 03-03-2005 11:41 AM
Application Assessment for Linux Migration MSquared Linux - Software 1 02-02-2005 05:14 PM
5900XT, ViewSonic not probed MrJoshua Fedora - Installation 0 06-05-2004 11:29 AM
Emu10k1 can't be probed. Why? zaltar Linux - Newbie 3 11-09-2003 04:31 AM
RedHat 7.3 installation problem : monitor not probed bsambit Linux - Newbie 0 12-08-2002 10:31 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 12:49 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration