Hello,
I was probed and then an attempted attack was initiated against my SuSE 8.1 box this afternoon. I'm running snort and this is what I saw firsthand:
**************
[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
08/16-15:28:23.600313 0:20:78:CE:BE:12 -> 0:1:2:82:AA:FB type:0x800 len:0x70
64.12.30.188:5190 -> 172.16.1.100:1030 TCP TTL:99 TOS:0x0 ID:27851 IpLen:20 DgmLen:98 DF
***APR** Seq: 0xC6955D67 Ack: 0x56205B63 Win: 0x4000 TcpLen: 20
[**] [1:1841:2] WEB-CLIENT javascript URL host spoofing attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
08/16-15:51:52.093828 0:20:78:CE:BE:12 -> 0:1:2:39
9:E9 type:0x800 len:0x5E2
64.12.152.56:80 -> 172.16.1.101:32904 TCP TTL:43 TOS:0x0 ID:35742 IpLen:20 DgmLen:1492 DF
***AP*** Seq: 0x11BE722F Ack: 0x7BB36C1 Win: 0x6540 TcpLen: 20
[Xref => http://www.securityfocus.com/bid/5293]
************
I did a check on the suggested URL and discovered that I am running a browser that is not vulnerable to this type of attack. However, to prevent the attack from progressing and to determine what was happening to my server, I disco'd my DSL router from the internet and started to probe my logs. The only discrepancy I can find is in /var/log/messages, which occurred 3 minutes after the "javascript URL host spoofing attempt" started:
*************
Aug 16 15:53:43 name kernel: device eth0 left promiscuous mode
Aug 16 15:53:43 name kernel: eth0: Setting promiscuous mode.
Aug 16 15:53:43 name kernel: device eth0 entered promiscuous mode
Aug 16 15:53:43 name kernel: klogd 1.4.1, ---------- state change ----------
Aug 16 15:53:43 name kernel: Inspecting /boot/System.map-2.4.19-4GB
Aug 16 15:53:43 name kernel: Loaded 14329 symbols from /boot/System.map-2.4.19-4GB.
Aug 16 15:53:43 name kernel: Symbols match kernel version 2.4.19.
Aug 16 15:53:43 name kernel: Loaded 1038 symbols from 39 modules.
**************
I believe that eth0 left "promiscuous mode" due to the fact that I accidentally shut snort down in my panic of observing an attack and my fury in opening a new xterm window.
What I am concerned about here is the "klogd 1.4.1, -- state change --". Does anyone have any ideas why this may have occurred at this time?
Thanks in advance for any assistance.
halifax
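The post is trying to tie two log sources together by time: the Snort alert headers and the kernel's promiscuous-mode messages in /var/log/messages. The script below is an added example, not code from the poster or from Snort; it parses both formats, extracts the alert timestamps and flows and the eth0 promiscuous-mode transitions, and reports which alerts fired within a window before each transition. The sample input is adapted from the lines quoted in the post (the second alert's destination MAC is a constructed placeholder, and the year is an assumed value because neither log format records it), and it assumes both logs come from the same host clock.

```python
"""Correlate Snort alert timestamps with kernel promiscuous-mode events.

Added example (not part of the original post). Assumes both logs share
one host clock and one calendar year; MAC fields are not parsed.
"""
import re
from datetime import datetime, timedelta

# Sample Snort alert headers, adapted from the post. The second alert's
# destination MAC is a constructed placeholder.
SNORT_ALERTS = """\
[**] [111:1:1] (spp_stream4) STEALTH ACTIVITY (unknown) detection [**]
08/16-15:28:23.600313 0:20:78:CE:BE:12 -> 0:1:2:82:AA:FB type:0x800 len:0x70
64.12.30.188:5190 -> 172.16.1.100:1030 TCP TTL:99 TOS:0x0 ID:27851 IpLen:20 DgmLen:98 DF
[**] [1:1841:2] WEB-CLIENT javascript URL host spoofing attempt [**]
[Classification: Attempted User Privilege Gain] [Priority: 1]
08/16-15:51:52.093828 0:20:78:CE:BE:12 -> 0:1:2:00:00:00 type:0x800 len:0x5E2
64.12.152.56:80 -> 172.16.1.101:32904 TCP TTL:43 TOS:0x0 ID:35742 IpLen:20 DgmLen:1492 DF
"""

# Sample /var/log/messages lines, copied from the post.
KERNEL_LOG = """\
Aug 16 15:53:43 name kernel: device eth0 left promiscuous mode
Aug 16 15:53:43 name kernel: eth0: Setting promiscuous mode.
Aug 16 15:53:43 name kernel: device eth0 entered promiscuous mode
Aug 16 15:53:43 name kernel: klogd 1.4.1, ---------- state change ----------
Aug 16 15:53:43 name kernel: Inspecting /boot/System.map-2.4.19-4GB
"""

# Snort "fast/full" alert layout: header line, then timestamp line, then flow line.
ALERT_HEADER = re.compile(r"^\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\]$")
ALERT_TIME = re.compile(r"^(?P<mon>\d\d)/(?P<day>\d\d)-(?P<time>\d\d:\d\d:\d\d)\.\d+ ")
ALERT_FLOW = re.compile(
    r"^(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
)
# syslog layout: "Mon DD HH:MM:SS host kernel: text"
MSG_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) kernel: (?P<text>.*)$"
)
PROMISC = re.compile(r"device (?P<iface>\S+) (?P<action>entered|left) promiscuous mode")


def parse_snort_alerts(text, year):
    """Return one dict per alert with sid, msg, time and flow fields."""
    alerts, current = [], None
    for line in text.splitlines():
        m = ALERT_HEADER.match(line)
        if m:
            current = {"sid": m["sid"], "msg": m["msg"]}
            alerts.append(current)
            continue
        if current is None:
            continue
        m = ALERT_TIME.match(line)
        if m:
            current["time"] = datetime.strptime(
                f"{year}-{m['mon']}-{m['day']} {m['time']}", "%Y-%m-%d %H:%M:%S")
            continue
        m = ALERT_FLOW.match(line)
        if m:
            current.update(src=m["src"], sport=int(m["sport"]),
                           dst=m["dst"], dport=int(m["dport"]))
    # Drop headers that never got a timestamp line (truncated input).
    return [a for a in alerts if "time" in a]


def parse_promisc_events(text, year):
    """Return promiscuous-mode transitions (time, iface, action) from syslog text."""
    events = []
    for line in text.splitlines():
        m = MSG_LINE.match(line)
        if not m:
            continue
        p = PROMISC.search(m["text"])
        if not p:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        events.append({"time": ts, "iface": p["iface"], "action": p["action"]})
    return events


def correlate(alerts, events, window=timedelta(minutes=5)):
    """For each promisc event, list alerts that fired within `window` before it."""
    hits = []
    for ev in events:
        related = [a for a in alerts
                   if timedelta(0) <= ev["time"] - a["time"] <= window]
        hits.append((ev, related))
    return hits


if __name__ == "__main__":
    YEAR = 2003  # assumed; neither log format records the year
    for ev, related in correlate(parse_snort_alerts(SNORT_ALERTS, YEAR),
                                 parse_promisc_events(KERNEL_LOG, YEAR)):
        print(f"{ev['time']} {ev['iface']} {ev['action']} promiscuous mode")
        for a in related:
            print(f"   {a['time']} [{a['sid']}] {a['msg']} "
                  f"{a['src']}:{a['sport']} -> {a['dst']}:{a['dport']}")
```

Run against the post's lines, only the javascript host-spoofing alert (15:51:52) lands inside the five-minute window before the 15:53:43 transitions; the stream4 alert at 15:28:23 does not. Widening `window` is the knob to turn when the two clocks are not known to agree.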