Audit

Audit

Post by Harison Phiniz » Thu, 31 May 2001 14:25:19



I setup this RedHat 7.1 box with bastille linux and one of the choices was to
audit certain services... Is that what I am seeing here in my logs?

Nmap shows only port 22 open...
(The 1522 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh

Thanks

Logs:
*****************************************************************
May 30 12:25:17 harison2 kernel: auditIN=eth0 OUT=
MAC=00:90:27:72:19:10:00:60:47:0c:18:21:08:00 SRC=153.33.248.81
DST=209.151.238.59 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=47737 DF PROTO=TCP
SPT=40185 DPT=111 WINDOW=8760 RES=0x00 SYN URGP=0
May 30 12:25:21 harison2 kernel: auditIN=eth0 OUT=
MAC=00:90:27:72:19:10:00:60:47:0c:18:21:08:00 SRC=153.33.248.81
DST=209.151.238.59 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=47738 DF PROTO=TCP
SPT=40185 DPT=111 WINDOW=8760 RES=0x00 SYN URGP=0
May 30 12:25:21 harison2 kernel: auditIN=eth0 OUT=
MAC=00:90:27:72:19:10:00:60:47:0c:18:21:08:00 SRC=153.33.248.81
DST=209.151.238.59 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=47739 DF PROTO=TCP
SPT=40185 DPT=111 WINDOW=8760 RES=0x00 RST URGP=0
May 30 12:27:23 harison2 kernel: auditIN=eth0 OUT=
MAC=00:90:27:72:19:10:00:60:47:0c:18:21:08:00 SRC=217.56.111.53
DST=209.151.238.59 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=53943 DF PROTO=TCP
SPT=1272 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0
***************************************************************


Audit

Post by Manfred Bart » Thu, 31 May 2001 15:58:53



> I setup this RedHat 7.1 box with bastille linux and one of the
> choices was to audit certain services... Is that what I am seeing
> here in my logs?

If you don't know then who could?  ;)

Hmm, maybe I just don't understand your question... ?

With netfilter there is no way of telling if the logged packets
were accepted or dropped.  It's up to you to match the log to the
appropriate action and use a meaningful log prefix.

> Nmap shows only port 22 open...
> (The 1522 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh
> May 30 12:25:17 harison2 kernel: auditIN=eth0 OUT=
> MAC=00:90:27:72:19:10:00:60:47:0c:18:21:08:00 SRC=153.33.248.81
> DST=209.151.238.59 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=47737 DF PROTO=TCP
> SPT=40185 DPT=111 WINDOW=8760 RES=0x00 SYN URGP=0

<snipped more of same>

--
Manfred
----------------------------------------------------------------
NetfilterLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>


Audit

Post by Harison Phiniz » Fri, 01 Jun 2001 03:06:41


It looks like an audit doesn't it?  I am pretty sure it is:

May 30 12:25:17 harison2 kernel: auditIN=eth0 OUT=
                                                    ^^^^^^^^^^

 I just wanted to make sure... ask the group.



> > I setup this RedHat 7.1 box with bastille linux and one of the
> > choices was to audit certain services... Is that what I am seeing
> > here in my logs?

> If you don't know then who could?  ;)

> Hmm, maybe I just don't understand your question... ?

> With netfilter there is no way of telling if the logged packets
> were accepted or dropped.  It's up to you to match the log to the
> appropriate action and use a meaningful log prefix.

> > Nmap shows only port 22 open...
> > (The 1522 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 22/tcp     open        ssh

> > May 30 12:25:17 harison2 kernel: auditIN=eth0 OUT=
> > MAC=00:90:27:72:19:10:00:60:47:0c:18:21:08:00 SRC=153.33.248.81
> > DST=209.151.238.59 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=47737 DF PROTO=TCP
> > SPT=40185 DPT=111 WINDOW=8760 RES=0x00 SYN URGP=0
> <snipped more of same>

> --
> Manfred
> ----------------------------------------------------------------
> NetfilterLogAnalyzer, NetCalc, whois at: <http://logi.cc/linux/>


Audit

Post by craw.. » Sun, 03 Jun 2001 10:05:44



> I setup this RedHat 7.1 box with bastille linux and one of the choices was to
> audit certain services... Is that what I am seeing here in my logs?

I'm not familiar with the audit choice in bastille, so hence, no comment.

> Nmap shows only port 22 open...
> (The 1522 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh

> Thanks

> Logs:
> *****************************************************************
> May 30 12:25:17 harison2 kernel: auditIN=eth0 OUT=
> MAC=00:90:27:72:19:10:00:60:47:0c:18:21:08:00 SRC=153.33.248.81
> DST=209.151.238.59 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=47737 DF PROTO=TCP
> SPT=40185 DPT=111 WINDOW=8760 RES=0x00 SYN URGP=0
> May 30 12:25:21 harison2 kernel: auditIN=eth0 OUT=
> MAC=00:90:27:72:19:10:00:60:47:0c:18:21:08:00 SRC=153.33.248.81
> DST=209.151.238.59 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=47738 DF PROTO=TCP
> SPT=40185 DPT=111 WINDOW=8760 RES=0x00 SYN URGP=0
> May 30 12:25:21 harison2 kernel: auditIN=eth0 OUT=
> MAC=00:90:27:72:19:10:00:60:47:0c:18:21:08:00 SRC=153.33.248.81
> DST=209.151.238.59 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=47739 DF PROTO=TCP
> SPT=40185 DPT=111 WINDOW=8760 RES=0x00 RST URGP=0

These three packets are likely to be that of the sadmind/IIS worm. The
DPT=111 is the vulnerable port, WINDOW=8760 indicates Solaris, the IDs
increment up by one, and the TCP packet sequence is SYN, SYN, RST. The IIS
scan signature is similar except the DPT=80. I stopped seeing these
about two weeks ago.

> May 30 12:27:23 harison2 kernel: auditIN=eth0 OUT=
> MAC=00:90:27:72:19:10:00:60:47:0c:18:21:08:00 SRC=217.56.111.53
> DST=209.151.238.59 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=53943 DF PROTO=TCP
> SPT=1272 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0

Typical scan for the portmapper from a Linux box in Italy.

What does one of your iptables rules look like?

Clyde
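The signature Clyde describes (same source, DPT=111, WINDOW=8760, IDs stepping by one, flag sequence SYN, SYN, RST) can be checked mechanically against the netfilter LOG lines from the thread. The script below is an added example, not code from any poster; the log lines are the four from the original post re-joined onto single lines, and the "audit" prefix is parsed out of the `auditIN=` token that results from a `--log-prefix` with no trailing space.

```python
import re
from collections import defaultdict

# Constructed sample: the four LOG lines quoted in the thread, one per line.
SAMPLE_LOG = """\
May 30 12:25:17 harison2 kernel: auditIN=eth0 OUT= MAC=00:90:27:72:19:10:00:60:47:0c:18:21:08:00 SRC=153.33.248.81 DST=209.151.238.59 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=47737 DF PROTO=TCP SPT=40185 DPT=111 WINDOW=8760 RES=0x00 SYN URGP=0
May 30 12:25:21 harison2 kernel: auditIN=eth0 OUT= MAC=00:90:27:72:19:10:00:60:47:0c:18:21:08:00 SRC=153.33.248.81 DST=209.151.238.59 LEN=44 TOS=0x00 PREC=0x00 TTL=242 ID=47738 DF PROTO=TCP SPT=40185 DPT=111 WINDOW=8760 RES=0x00 SYN URGP=0
May 30 12:25:21 harison2 kernel: auditIN=eth0 OUT= MAC=00:90:27:72:19:10:00:60:47:0c:18:21:08:00 SRC=153.33.248.81 DST=209.151.238.59 LEN=40 TOS=0x00 PREC=0x00 TTL=242 ID=47739 DF PROTO=TCP SPT=40185 DPT=111 WINDOW=8760 RES=0x00 RST URGP=0
May 30 12:27:23 harison2 kernel: auditIN=eth0 OUT= MAC=00:90:27:72:19:10:00:60:47:0c:18:21:08:00 SRC=217.56.111.53 DST=209.151.238.59 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=53943 DF PROTO=TCP SPT=1272 DPT=111 WINDOW=32120 RES=0x00 SYN URGP=0
"""

FIELD = re.compile(r"(\w+)=(\S*)")          # KEY=value tokens (value may be empty, e.g. OUT=)
FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG", "DF"}  # bare tokens netfilter emits

def parse_line(line):
    """Return a dict of LOG fields plus 'prefix' and 'flags', or None if not a LOG line."""
    _, _, rest = line.partition("kernel: ")
    if "IN=" not in rest:
        return None
    # The LOG target prints the prefix verbatim, then "IN=": with no trailing
    # space in --log-prefix the two run together, hence "auditIN=eth0".
    prefix, _, body = rest.partition("IN=")
    body = "IN=" + body
    rec = dict(FIELD.findall(body))
    rec["prefix"] = prefix.strip()
    rec["flags"] = {tok for tok in body.split() if tok in FLAGS}
    return rec

def classify(records):
    """Group TCP packets by SRC and label each source using Clyde's signature."""
    by_src = defaultdict(list)
    for r in records:
        if r and r.get("PROTO") == "TCP":
            by_src[r["SRC"]].append(r)
    verdicts = {}
    for src, pkts in by_src.items():
        ports = {p.get("DPT") for p in pkts}
        seq = ["RST" if "RST" in p["flags"] else "SYN" if "SYN" in p["flags"] else "?" for p in pkts]
        ids = [int(p["ID"]) for p in pkts]
        step_by_one = all(b - a == 1 for a, b in zip(ids, ids[1:]))
        solaris_win = all(p.get("WINDOW") == "8760" for p in pkts)
        if ports == {"111"} and solaris_win and seq == ["SYN", "SYN", "RST"] and step_by_one:
            verdicts[src] = "sadmind/IIS worm probe signature"
        elif "111" in ports:
            verdicts[src] = "portmapper probe"
        else:
            verdicts[src] = "other"
    return verdicts

if __name__ == "__main__":
    for src, label in classify([parse_line(l) for l in SAMPLE_LOG.splitlines()]).items():
        print(src, "->", label)
```

Without an ACCEPT/DROP hint in the prefix the verdict only says what was seen, not what the firewall did with it, which is Manfred's point about using a meaningful `--log-prefix` per rule.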