LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 08-16-2003, 04:19 PM   #1
halifax
LQ Newbie
 
Registered: Jun 2003
Location: Sanford, NC
Posts: 8

Rep: Reputation: 0
Probed and Attacked - Battle Damage Assessment


Hello,

I was probed and then an attempted attack was initiated against my SuSE 8.1 box this afternoon. I'm running snort and this is what I saw first hand:

**************

[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
08/16-15:28:23.600313 0:20:78:CE:BE:12 -> 0:1:2:82:AA:FB type:0x800 len:0x70
64.12.30.188:5190 -> 172.16.1.100:1030 TCP TTL:99 TOS:0x0 ID:27851 IpLen:20 DgmLen:98 DF
***APR** Seq: 0xC6955D67 Ack: 0x56205B63 Win: 0x4000 TcpLen: 20

[**] [1:1841:2] WEB-CLIENT javascript URL host spoofing attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
08/16-15:51:52.093828 0:20:78:CE:BE:12 -> 0:1:2:399:E9 type:0x800 len:0x5E2
64.12.152.56:80 -> 172.16.1.101:32904 TCP TTL:43 TOS:0x0 ID:35742 IpLen:20 DgmLen:1492 DF
***AP*** Seq: 0x11BE722F Ack: 0x7BB36C1 Win: 0x6540 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/5293]

************

I did a check on the suggested URL and discovered that I am running a browser that is not vulnerable to this type of attack. However, to prevent the attack from progressing and to determine what was happening to my server, I disco'd my DSL router from the internet and started to probe my logs. The only discrepancy I can find is in /var/log/messages, which occurred 3 minutes after the "javascript URL host spoofing attempt" started:

*************

Aug 16 15:53:43 name kernel: device eth0 left promiscuous mode
Aug 16 15:53:43 name kernel: eth0: Setting promiscuous mode.
Aug 16 15:53:43 name kernel: device eth0 entered promiscuous mode
Aug 16 15:53:43 name kernel: klogd 1.4.1, ---------- state change ----------
Aug 16 15:53:43 name kernel: Inspecting /boot/System.map-2.4.19-4GB
Aug 16 15:53:43 name kernel: Loaded 14329 symbols from /boot/System.map-2.4.19-4GB.
Aug 16 15:53:43 name kernel: Symbols match kernel version 2.4.19.
Aug 16 15:53:43 name kernel: Loaded 1038 symbols from 39 modules.

**************

I believe that eth0 left "promiscuous mode" due to the fact that I accidentally shut snort down in my panic at observing an attack and my fury in opening a new xterm window.

What I am concerned about here is the "klogd 1.4.1, -- state change --". Does anyone have any ideas why this may have occurred at this time?

Thanks in advance for any assistance.

 
Old 08-16-2003, 04:26 PM   #2
2damncommon
Senior Member
 
Registered: Feb 2003
Location: Calif, USA
Distribution: PCLINUXOS
Posts: 2,918

Rep: Reputation: 103
My snort log shows 20-30 attempts everyday.
Over 100 during the recent "hackers contest" weekend. One guy scanned every hour.
Apparently these people just continually scan the internet and if you have an open vulnerability they get you.
 
Old 08-17-2003, 08:06 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
The "klogd state change" message only means it's reloading the files it's reading, usually due to a -HUP, for instance when rotating logs. The following lines support that cuz it's rereading the current kernel's System.map symbol info.

Btw, Snort ID 1841, the "WEB-CLIENT javascript URL host spoofing attempt" alert popped up recently, here: http://www.linuxquestions.org/questi...threadid=82083
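As an added example (not code from this thread, from Snort or from klogd), here is a small Python script that does the correlation the two posts above are doing by hand: it parses Snort "full" alert blocks and /var/log/messages kernel lines of the kind halifax quoted into one time-ordered list, annotates the promiscuous-mode and klogd lines with what they indicate (the reload-on-SIGHUP reading unSpawn gives), and measures the gap between the SID 1841 alert and the klogd reload. The sample input is constructed from the thread's excerpts (the second alert's garbled MAC line is replaced with the first alert's), and the KERNEL_NOTES table is this example's own interpretation of the messages, not program output.

```python
"""Added example (not from the thread, Snort or klogd): merge Snort alert blocks
and syslog kernel lines into one timeline and annotate the events asked about."""
import re
from datetime import datetime

# Constructed sample input, modelled on the excerpts quoted in the thread.
SNORT_ALERTS = """\
[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
08/16-15:28:23.600313 0:20:78:CE:BE:12 -> 0:1:2:82:AA:FB type:0x800 len:0x70
64.12.30.188:5190 -> 172.16.1.100:1030 TCP TTL:99 TOS:0x0 ID:27851 IpLen:20 DgmLen:98 DF
***APR** Seq: 0xC6955D67 Ack: 0x56205B63 Win: 0x4000 TcpLen: 20

[**] [1:1841:2] WEB-CLIENT javascript URL host spoofing attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
08/16-15:51:52.093828 0:20:78:CE:BE:12 -> 0:1:2:82:AA:FB type:0x800 len:0x5E2
64.12.152.56:80 -> 172.16.1.101:32904 TCP TTL:43 TOS:0x0 ID:35742 IpLen:20 DgmLen:1492 DF
***AP*** Seq: 0x11BE722F Ack: 0x7BB36C1 Win: 0x6540 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/5293]
"""
SYSLOG = """\
Aug 16 15:53:43 name kernel: device eth0 left promiscuous mode
Aug 16 15:53:43 name kernel: eth0: Setting promiscuous mode.
Aug 16 15:53:43 name kernel: device eth0 entered promiscuous mode
Aug 16 15:53:43 name kernel: klogd 1.4.1, ---------- state change ----------
Aug 16 15:53:43 name kernel: Inspecting /boot/System.map-2.4.19-4GB
Aug 16 15:53:43 name kernel: Loaded 14329 symbols from /boot/System.map-2.4.19-4GB.
"""

HEADER_RE = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
TS_RE = re.compile(r"^(\d\d)/(\d\d)-(\d\d):(\d\d):(\d\d)\.(\d{6})")
FLOW_RE = re.compile(r"^(\S+) -> (\S+) (TCP|UDP|ICMP)")
PRIO_RE = re.compile(r"\[Priority: (\d+)\]")
XREF_RE = re.compile(r"\[Xref => (\S+)\]")
SYSLOG_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) (\S+) kernel: (.*)$")

# Assumed meaning of each kernel message (first matching key wins, case-insensitive).
KERNEL_NOTES = [
    ("entered promiscuous mode", "a sniffer attached to the NIC (Snort itself does this)"),
    ("left promiscuous mode", "a sniffer detached, e.g. Snort stopped or restarted"),
    ("setting promiscuous mode", "driver side of the attach above"),
    ("state change", "klogd re-reading its symbol files, normally after SIGHUP from log rotation"),
    ("system.map", "part of the klogd symbol reload, not an intrusion indicator"),
]

def parse_snort(text, year=2003):
    """Parse blank-line separated Snort alert blocks into dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        head = HEADER_RE.match(lines[0])
        if not head:
            continue
        alert = {"gid": int(head.group(1)), "sid": int(head.group(2)),
                 "msg": head.group(4), "time": None, "src": None,
                 "dst": None, "proto": None, "priority": None, "xref": None}
        for line in lines[1:]:
            ts, flow = TS_RE.match(line), FLOW_RE.match(line)
            prio, xref = PRIO_RE.search(line), XREF_RE.search(line)
            if ts:  # Snort omits the year; the caller supplies it
                mon, day, hh, mm, ss, us = (int(g) for g in ts.groups())
                alert["time"] = datetime(year, mon, day, hh, mm, ss, us)
            elif flow:
                alert["src"], alert["dst"], alert["proto"] = flow.groups()
            if prio:
                alert["priority"] = int(prio.group(1))
            if xref:
                alert["xref"] = xref.group(1)
        alerts.append(alert)
    return alerts

def parse_syslog(text, year=2003):
    """Parse 'Mon DD HH:MM:SS host kernel: msg' lines and annotate each one."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, clock, host, msg = m.groups()
        when = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        note = next((n for key, n in KERNEL_NOTES if key in msg.lower()), "unclassified")
        events.append({"time": when, "host": host, "msg": msg, "note": note})
    return events

def build_timeline(snort_text, syslog_text, year=2003):
    """Merge both sources into one time-ordered list of (time, source, text, note)."""
    rows = [(a["time"], "snort", f"SID {a['sid']} {a['msg']} {a['src']} -> {a['dst']}",
             f"priority {a['priority']}" if a["priority"] else "no classification")
            for a in parse_snort(snort_text, year)]
    rows += [(e["time"], "kernel", e["msg"], e["note"]) for e in parse_syslog(syslog_text, year)]
    return sorted(rows, key=lambda r: r[0])

def seconds_between(alerts, sid, events, needle):
    """Seconds from the first alert with this SID to the first kernel line containing needle."""
    alert = next(a for a in alerts if a["sid"] == sid)
    event = next(e for e in events if needle in e["msg"])
    return (event["time"] - alert["time"]).total_seconds()

if __name__ == "__main__":
    for when, source, text, note in build_timeline(SNORT_ALERTS, SYSLOG):
        print(f"{when:%H:%M:%S} {source:6} {text}  [{note}]")
```

Run as a script it prints the merged timeline; the thing to look for is that every klogd line shares one timestamp with the promiscuous-mode flap, which is what a sniffer restart plus a symbol reload looks like, not what a foothold looks like. Snort stamps alerts with microseconds while syslog only has seconds, so the gap seconds_between() reports is accurate only to within a second.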