LinuxQuestions.org > Linux Forums > Linux - Security
10-27-2006, 02:23 PM   #1   carlatf (LQ Newbie)

What's this? Security violation


Hi,
I get this msg from the server log:

I'm not quite sure what this means.
I have my server running apache (80), postfix, dovecot and webmin (on a non-standard port), ssh (not on the usual port).

All these people are trying to access and are being rejected?
Is this good?

Many thanks.

################### LogWatch 5.2.2 (06/23/04) ####################
Processing Initiated: Fri Oct 27 04:06:21 2006
Date Range Processed: yesterday
Detail Level of Output: 0

--------------------- Kernel Begin ------------------------


Dropped 1231 packets on interface eth0
From 1.177.26.213 - 5 packets to udp(1025,1025,1025,1025,1025)
From 4.190.230.173 - 1 packet to udp(1025)
From 8.104.194.107 - 5 packets to udp(1025,1025,1026,1026,1025)
From 8.252.248.152 - 5 packets to udp(1026,1026,1026,1026,1026)
From 10.44.194.214 - 5 packets to udp(1025,1026,1025,1026,1025)
From 12.74.118.106 - 5 packets to udp(1025,1025,1026,1025,1026)
From 21.196.31.235 - 5 packets to udp(1025,1026,1026,1025,1026)
From 29.7.216.242 - 5 packets to udp(1026,1026,1026,1026,1026)
From 29.114.43.245 - 5 packets to udp(1026,1026,1026,1026,1026)
From 29.143.21.195 - 5 packets to udp(1025,1026,1025,1026,1026)
From 32.3.199.216 - 5 packets to udp(1025,1025,1026,1025,1026)
From 37.209.117.90 - 2 packets to udp(1025,1026)
From 38.218.137.116 - 5 packets to udp(1026,1026,1026,1026,1026)
From 40.119.248.47 - 4 packets to udp(1026,1026,1026,1026)
From 43.97.19.214 - 5 packets to udp(1026,1026,1026,1026,1026)
From 57.61.61.63 - 5 packets to udp(1026,1028,1031,1026,1027)
From 59.117.180.35 - 12 packets to tcp(8080,8080,8080,8080,8080)
From 60.44.125.153 - 7 packets to tcp(5554,9898,5554,9898,5554,5554,5554)
From 60.172.138.126 - 3 packets to tcp(1025)
From 61.6.220.161 - 5 packets to tcp(5900,5900,5900,5900,5900)
From 61.57.132.230 - 5 packets to tcp(21,21,21,21,21)
From 61.109.12.3 - 7 packets to tcp(6129,6129,6129,6129,6129)
From 61.195.146.124 - 7 packets to tcp(22,22,22,22,22)
From 61.233.40.205 - 5 packets to udp(1030,1030,1031,1032,4297)
From 61.235.154.108 - 13 packets to 11 udp ports
From 61.240.50.167 - 5 packets to udp(1026,1026,1026,1026,1026)
From 62.160.169.5 - 1 packet to udp(49153)
From 63.15.153.96 - 5 packets to udp(1025,1026,1025,1026,1025)
From 63.246.15.18 - 4 packets to udp(33439)
From 64.94.45.18 - 4 packets to udp(33438)
From 64.94.45.26 - 4 packets to udp(33440)
From 64.157.70.188 - 1 packet to udp(1026)
From 65.104.213.150 - 5 packets to udp(1026,1026,1026,1026,1026)
From 65.214.154.16 - 2 packets to tcp(3722)
From 66.46.205.242 - 5 packets to udp(1025,1025,1025,1025,1025)
From 66.100.176.75 - 2 packets to udp(1025,1026)
From 66.119.65.2 - 10 packets to udp(33435)
From 66.119.65.22 - 55 packets to udp(33436,33437)
From 66.129.65.52 - 4 packets to udp(33437)
From 66.150.8.14 - 4 packets to udp(33438)
From 66.151.55.13 - 4 packets to udp(33436)
From 67.15.205.36 - 7 packets to tcp(21,21,21,21,21)
From 67.180.124.193 - 7 packets to tcp(5900,5900,5900,5900,5900)
From 69.25.7.10 - 12 packets to udp(33436)
From 69.25.7.14 - 5 packets to udp(33437)
From 69.25.7.26 - 10 packets to udp(33440)
From 69.25.7.30 - 8 packets to udp(33441)
From 69.38.102.194 - 7 packets to tcp(21,21,21,21)
From 69.47.181.10 - 3 packets to tcp(5900,5900,5900)
From 80.118.177.3 - 1 packet to udp(37852)
From 81.255.44.14 - 1 packet to udp(49153)
From 84.82.242.140 - 5 packets to udp(1025,1026,1025,1026,1026)
From 85.40.194.223 - 5 packets to udp(1026,1026,1026,1026,1026)
From 85.62.69.21 - 1 packet to udp(49153)
From 85.187.166.157 - 11 packets to tcp(4899,4899,4899,4899,4899)
From 87.215.67.224 - 5 packets to udp(1026,1026,1026,1026,1026)
From 89.73.82.52 - 5 packets to udp(1026,1026,1026,1026,1026)
From 90.28.170.68 - 5 packets to udp(1026,1026,1026,1026,1026)
From 100.121.188.102 - 5 packets to udp(1025,1025,1026,1025,1025)
From 102.61.188.209 - 5 packets to udp(1025,1025,1026,1025,1025)
From 111.183.101.83 - 5 packets to udp(1025,1025,1026,1025,1026)
From 117.242.240.232 - 5 packets to udp(1026,1026,1026,1026,1026)
From 120.50.14.84 - 5 packets to udp(1025,1026,1026,1025,1026)
From 133.23.154.234 - 5 packets to udp(1026,1026,1026,1026,1026)
From 147.166.107.88 - 5 packets to udp(1025,1026,1026,1025,1026)
From 156.33.148.217 - 5 packets to udp(1025,1026,1026,1025,1025)
From 159.237.4.2 - 2 packets to udp(49153,49153)
From 164.77.194.98 - 1 packet to udp(37852)
From 165.155.61.91 - 5 packets to udp(1025,1025,1026,1025,1026)
From 172.190.168.193 - 6 packets to udp(54537)tcp(54537)
From 174.150.229.220 - 5 packets to udp(1025,1026,1025,1026,1025)
From 194.7.176.162 - 1 packet to udp(49153)
From 196.12.43.152 - 7 packets to tcp(22,22,22,22,22)
From 200.55.79.2 - 112 packets to tcp(465,995)
From 200.137.66.225 - 5 packets to udp(1025,1026,1025,1026,1025)
From 201.252.14.38 - 2 packets to udp(80)
From 201.253.236.236 - 1 packet to udp(80)
From 202.103.86.66 - 5 packets to udp(1030,1031,4081,1031,4081)
From 202.149.194.162 - 12 packets to tcp(4899,4899,4899,4899,4899)
From 203.131.172.230 - 5 packets to tcp(4899,4899,4899,4899,4899)
From 203.150.224.219 - 7 packets to tcp(2100,2100,2100,2100,2100)
From 203.200.35.232 - 1 packet to udp(49153)
From 204.13.163.169 - 8 packets to udp(33436)
From 205.158.37.66 - 5 packets to udp(1025,1026,1025,1025,1025)
From 206.253.195.10 - 16 packets to udp(33436)
From 206.253.195.14 - 84 packets to udp(33437)
From 206.253.195.22 - 4 packets to udp(33439)
From 206.253.195.26 - 116 packets to udp(33440)
From 208.193.213.137 - 1 packet to udp(1025)
From 209.4.234.99 - 5 packets to udp(1026,1026,1026,1026,1026)
From 209.76.191.15 - 7 packets to tcp(5900,5900,5900,5900,5900)
From 209.126.128.88 - 5 packets to tcp(22,22,22,22,22)
From 210.186.89.232 - 1 packet to udp(80)
From 211.129.253.134 - 7 packets to tcp(5554,9898,5554,5554,5554,5554,9898)
From 211.205.9.47 - 2 packets to udp(1025,1026)
From 212.8.110.238 - 1 packet to udp(49153)
From 214.103.159.224 - 5 packets to udp(1025,1026,1025,1026,1025)
From 216.76.235.75 - 3 packets to tcp(1025)
From 216.180.218.33 - 2 packets to tcp(5900)
From 216.183.102.100 - 4 packets to udp(33437)
From 216.239.113.9 - 213 packets to udp(33435,33438,33442)
From 216.239.127.101 - 76 packets to udp(33435,33437,33438,33440)
From 217.24.122.149 - 5 packets to tcp(4899,4899,4899,4899,4899)
From 217.110.79.32 - 5 packets to tcp(4899,4899,4899,4899,4899)
From 218.134.192.86 - 5 packets to udp(1025,1025,1026,1025,1026)
From 218.254.20.228 - 5 packets to udp(1026,1026,1026,1026,1026)
From 220.127.253.245 - 7 packets to tcp(5554,5554,9898,5554,5554,5554,9898)
From 221.12.161.99 - 33 packets to 25 udp ports
From 221.165.127.252 - 7 packets to tcp(5554,9898,5554,9898,5554,5554,5554)
From 221.220.95.137 - 8 packets to tcp(4899,4899,4899,4899,4899)
From 222.79.28.188 - 25 packets to tcp(1080,7212,8000,8080,8888,32167,1080,32167,1080,32167)

Logged 24 packets on interface eth0
From 61.195.146.124 - 10 packets to tcp(22,22,22,22,22)
From 196.12.43.152 - 9 packets to tcp(22,22,22,22,22)
From 209.126.128.88 - 5 packets to tcp(22,22,22,22,22)
 
10-27-2006, 02:40 PM   #2   Capt_Caveman (Senior Member; Fedora)
Those all look like dropped packets (the logged entries also are in the dropped list), with the bulk being Windows worm/vx scans. So I'd say that looks good. But don't be fooled into thinking that running applications on non-standard ports makes them secure. It just makes them slightly harder to find. You still need to monitor their individual logs and use good security practices.
 
10-28-2006, 07:36 AM   #3   jayjwa (Member; NY; Slackware, Termux)
This type of stuff:

From 218.134.192.86 - 5 packets to udp(1025,1025,1026,1025,1026)
From 218.254.20.228 - 5 packets to udp(1026,1026,1026,1026,1026)

is most likely Windows NetSend Messenger spam (try sniffing the traffic sometime if you're really bored).

Port 5900 is VNC; there were a few bugs with RealVNC in the past, with several public exploits out for those. I've been seeing this too.

From 221.165.127.252 - 7 packets to tcp(5554,9898,5554,9898,5554,5554,5554)

is the w32 Dabber virus; it repeatedly fires off exploits to port 5554 (old Sasser ftpd) and immediately checks 9898 to see if it was successful, over and over and over and ...

4899 I think is Radmin.
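Pulling replies #2 and #3 together, here is an added example of how to do this triage with a script instead of by eye. It is my code, not anything from the thread or from LogWatch. It parses lines in the exact "From IP - N packets to proto(ports)" format of the report above (the sample embedded in the script is a constructed subset of that report, with one "Logged" section as well), labels each source using the signatures the replies give (Messenger spam on udp/1025-1026, Dabber on tcp/5554 and 9898, VNC on 5900, Radmin on 4899) plus the standard traceroute UDP range (33434 upwards, which is my addition), and cross-checks that every source in the "Logged" list also appears in the "Dropped" list, which is the observation Capt_Caveman makes. The `watch` set of ports is a stand-in for the ports of the services you actually run (your real SSH or webmin port, for instance); the values 465 and 995 used in the demo are assumptions, not taken from the original poster's configuration.

```python
"""Triage a LogWatch kernel "Dropped/Logged packets" summary (added example)."""
import re
from collections import Counter

LINE_RE = re.compile(r"^From (\S+) - (\d+) packets? to (.*)$")
PORTS_RE = re.compile(r"(tcp|udp)\(([\d,]+)\)")      # udp(1025,1026)  tcp(22)
SWEEP_RE = re.compile(r"(\d+) (tcp|udp) ports")      # "13 packets to 11 udp ports"

# (proto, port) -> label. Labels restate the replies in the thread; the
# traceroute range is standard UNIX traceroute behaviour (UDP 33434 upwards).
SIGNATURES = {
    ("udp", 1025): "Windows Messenger (net send) spam",
    ("udp", 1026): "Windows Messenger (net send) spam",
    ("tcp", 5554): "W32/Dabber hitting the Sasser ftpd backdoor port",
    ("tcp", 9898): "W32/Dabber checking its 9898 backdoor",
    ("tcp", 5900): "VNC scan",
    ("tcp", 4899): "Radmin scan",
    ("tcp", 22): "SSH scan",
    ("tcp", 21): "FTP scan",
}
SIGNATURES.update({("udp", p): "traceroute UDP probe" for p in range(33434, 33535)})

# Constructed subset of the report in the first post (same line format).
DROPPED = """\
Dropped 1231 packets on interface eth0
From 1.177.26.213 - 5 packets to udp(1025,1025,1025,1025,1025)
From 60.44.125.153 - 7 packets to tcp(5554,9898,5554,9898,5554,5554,5554)
From 61.6.220.161 - 5 packets to tcp(5900,5900,5900,5900,5900)
From 61.195.146.124 - 7 packets to tcp(22,22,22,22,22)
From 61.235.154.108 - 13 packets to 11 udp ports
From 66.119.65.22 - 55 packets to udp(33436,33437)
From 85.187.166.157 - 11 packets to tcp(4899,4899,4899,4899,4899)
From 172.190.168.193 - 6 packets to udp(54537)tcp(54537)
From 196.12.43.152 - 7 packets to tcp(22,22,22,22,22)
From 200.55.79.2 - 112 packets to tcp(465,995)
"""
LOGGED = """\
Logged 24 packets on interface eth0
From 61.195.146.124 - 10 packets to tcp(22,22,22,22,22)
From 196.12.43.152 - 9 packets to tcp(22,22,22,22,22)
"""


def parse_section(text):
    """Map source IP -> {packets, targets: [(proto, port), ...], sweep: N or 0}."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # section header or unrelated line
        ip, count, rest = m.group(1), int(m.group(2)), m.group(3)
        targets = [(proto, int(p))
                   for proto, plist in PORTS_RE.findall(rest)
                   for p in plist.split(",")]
        sweep = SWEEP_RE.search(rest)  # LogWatch collapses many ports to "N udp ports"
        out[ip] = {"packets": count, "targets": targets,
                   "sweep": int(sweep.group(1)) if sweep else 0}
    return out


def classify(entry):
    """Label one source by the first signature it matches."""
    if entry["sweep"]:
        return "port sweep (%d ports)" % entry["sweep"]
    for target in entry["targets"]:
        if target in SIGNATURES:
            return SIGNATURES[target]
    return "unclassified"


def summarize(dropped_text, watch=frozenset()):
    """Return (label counts, unclassified sources with their distinct targets,
    sources that touched any port in `watch`)."""
    entries = parse_section(dropped_text)
    counts = Counter(classify(e) for e in entries.values())
    review = {ip: sorted(set(e["targets"])) for ip, e in entries.items()
              if classify(e) == "unclassified"}
    watched = sorted(ip for ip, e in entries.items()
                     if watch.intersection(e["targets"]))
    return counts, review, watched


def logged_not_dropped(dropped_text, logged_text):
    """Sources recorded by a LOG rule that the Dropped list does not contain:
    the DROP rule did not account for them, so check which rule handled them."""
    return sorted(set(parse_section(logged_text)) - set(parse_section(dropped_text)))


if __name__ == "__main__":
    # 465/995 here are an assumed stand-in for the ports of your own services.
    counts, review, watched = summarize(DROPPED, watch={("tcp", 465), ("tcp", 995)})
    for label, n in counts.most_common():
        print("%3d  %s" % (n, label))
    print("needs a look:", review)
    print("touched watched ports:", watched)
    print("logged but not dropped:", logged_not_dropped(DROPPED, LOGGED))
```

Two things fall out of this that a quick eyeball read misses. First, the "unclassified" bucket is where the attention should go: in the sample, 200.55.79.2 sent 112 packets to tcp 465 and 995, which are SMTPS and POP3S, ports a Postfix/Dovecot box could legitimately serve, so a run of drops there is worth checking against the firewall rules rather than filing as scan noise. Second, the Logged-versus-Dropped cross-check is how you confirm the "logged entries are also in the dropped list" claim rather than assuming it; a non-empty result means a LOG rule fired for a packet the DROP rule never saw.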
 
11-01-2006, 09:11 PM   #4   carlatf (LQ Newbie; Original Poster)
Many thanks, guys.
As I saw "security violation" in the msg I got worried.
I know that changing the ports only makes it harder to find, nothing else.
I'm about to install an IDS system.

Best regards,
Carla
 
  

