What do the logs mean?


Post by Kevin Zembowe » Wed, 28 Feb 2001 05:48:51



I have three suspicious entries in my /var/log/messages:


(64.225.122.177)

(195.215.212.203)

(200.255.65.243)

None of these are me. The 64 one is in New Hampshire, the 195 one won't
resolve and the 200 one is in Brazil.

Do these log entries indicate that the intruders got access to my
system, or just tried to connect?

In the warn log, these entries seem to be related:
Oct  9 09:28:23 real ftpd[23247]: getpeername (in.ftpd): Transport endpoint is not connected
Oct  9 09:28:29 real ftpd[23248]: getpeername (in.ftpd): Transport endpoint is not connected
Dec 14 12:40:59 real ftpd[30765]: exiting on signal 11: Segmentation fault

Other than these, there are no other subsequent log entries, in either
messages or warn, that seem related to first three.

Any ideas or suggestions?

Thanks for your help.

-Kevin Zembower

Post by Miguel Cr » Wed, 28 Feb 2001 06:42:53




> (64.225.122.177)

> (195.215.212.203)

> (200.255.65.243)

> Do these log entries indicate that the intruders got access to my
> system, or just tried to connect?

Just tried to connect ('root' came from an ident lookup, indicating that
they were probably using some sort of unix machines to connect). If they'd
successfully connected, there'd either be a log entry indicating which user
they successfully authenticated as, or when they were erasing the log they
would have also erased their IP address!

> In the warn log, these entries seem to be related:
> Oct  9 09:28:23 real ftpd[23247]: getpeername (in.ftpd): Transport
> endpoint is not connected
> Oct  9 09:28:29 real ftpd[23248]: getpeername (in.ftpd): Transport
> endpoint is not connected
> Dec 14 12:40:59 real ftpd[30765]: exiting on signal 11: Segmentation
> fault

Looks like you were being portscanned.

> Any ideas or suggestions?

None of this is particularly a big deal. Random people try casually to
connect to random machines all the time. The important thing is to make sure
that you are up-to-date on security-related patches, you don't have any
unnecessary network services running, and that you avoid sending your
password in the clear when connecting from remote locations.

Despite what others may say, having telnetd running is not a security risk;
but actually using it is - unless you just use it within your private
network. I usually keep it running on at least one system for emergencies,
like when I'm in rural Sumatra and a machine at home is down and I
desperately need to get in, but the power at the local internet shack never
stays up long enough for me to download an SSH client at 14.4Kbps.

miguel

Post by Stephen K. Gield » Wed, 28 Feb 2001 09:25:25



> I have three suspicious entries in my /var/log/messages:


> (64.225.122.177)

> (195.215.212.203)

> (200.255.65.243)

> None of these are me. The 64 one is in New Hampshire, the 195 one won't
> resolve and the 200 one is in Brazil.

> Do these log entries indicate that the intruders got access to my
> system, or just tried to connect?

> In the warn log, these entries seem to be related:
> Oct  9 09:28:23 real ftpd[23247]: getpeername (in.ftpd): Transport
> endpoint is not connected
> Oct  9 09:28:29 real ftpd[23248]: getpeername (in.ftpd): Transport
> endpoint is not connected
> Dec 14 12:40:59 real ftpd[30765]: exiting on signal 11: Segmentation
> fault

I know someone else said this was just a port scan.  The transport
endpoint not connected looks like one, but the seg fault wasn't a port
scan.  Buffer overflow.  You may have been back doored on Dec 14.  Check
for root kits.

Can't tell more without more info, but probability is high that your
machine may have been compromised, but it is not certain.  What security
features do you have in place?  Logging?  etc?  Time to start digging.

/steve
--
Stephen K. Gielda
http://www.cotse.com
The Church of the Swimming Elephant
Have you gone to church today?
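Added example, not from any poster: a small Python triage script that parses BSD-syslog lines like the warn-log entries quoted above and separates the scan noise (the getpeername failures) from the SIGSEGV crash Stephen flags. The sample lines are the thread's three entries re-joined onto single lines; the rule wording is my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the three warn-log lines quoted in the thread,
# re-joined onto single lines (the newsreader had wrapped them).
SAMPLE_WARN_LOG = """\
Oct  9 09:28:23 real ftpd[23247]: getpeername (in.ftpd): Transport endpoint is not connected
Oct  9 09:28:29 real ftpd[23248]: getpeername (in.ftpd): Transport endpoint is not connected
Dec 14 12:40:59 real ftpd[30765]: exiting on signal 11: Segmentation fault
"""

# Classic BSD syslog line: "Mon dd hh:mm:ss host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

@dataclass
class Finding:
    timestamp: str
    prog: str
    pid: Optional[str]
    severity: str  # "info" or "critical"
    reason: str

# Rules are checked in order; the first match wins (wording is mine).
RULES = [
    (re.compile(r"exiting on signal 11|Segmentation fault"), "critical",
     "daemon died with SIGSEGV: could be a crashed exploit attempt, so check "
     "binary integrity and look for follow-on activity around this time"),
    (re.compile(r"getpeername .*Transport endpoint is not connected"), "info",
     "peer closed before the daemon read its address: typical port-scan noise"),
]

def triage(log_text: str) -> List[Finding]:
    """Parse syslog-format lines and attach a severity to the ones we recognise."""
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        for pattern, severity, reason in RULES:
            if pattern.search(m["msg"]):
                findings.append(Finding(f"{m['month']} {m['day']} {m['time']}",
                                        m["prog"], m["pid"], severity, reason))
                break
    return findings
```

Run `triage(SAMPLE_WARN_LOG)` and the Dec 14 crash comes back as the one critical finding; a real investigation then pivots on that timestamp across every other log on the host.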

Post by donol » Wed, 28 Feb 2001 15:57:27



>I have three suspicious entries in my /var/log/messages:


>(64.225.122.177)

>(195.215.212.203)

>(200.255.65.243)

>None of these are me. The 64 one is in New Hampshire, the 195 one won't
>resolve and the 200 one is in Brazil.

#########################

inetnum:     195.215.212.200 - 195.215.212.207
netname:     COMPUTERFORENINGEN-BOXEN-NET
descr:       Computerforeningen Boxen
descr:       Vestergade 16 Kl.
descr:       9690 Fjerritslev
country:     DK
admin-c:     DSA34-RIPE
tech-c:      DSA34-RIPE
status:      ASSIGNED PA
mnt-by:      TDK-MNT

source:      RIPE
route:       195.215.0.0/16
descr:       Tele Danmark
origin:      AS3292
remarks:     For abuse and security issues contact

mnt-by:      AS3292-MNT

source:      RIPE
person:      Daniel Stjernholm Andersen
address:     Computerforeningen Boxen
address:     Vestergade 16 Kl.
address:     9690 Fjerritslev
address:     DK
phone:       +45 96500351
nic-hdl:     DSA34-RIPE
------------------------------------------


Interland, Inc. (NETBLK-INTERLAND-5)
   101 Marietta St. Suite 200
   Atlanta, GA 30303
   Netname: INTERLAND-5
   Netblock: 64.224.0.0 - 64.226.255.255
   Maintainer: INTD
   Coordinator:

      404-586-9999 (FAX) 404-586-0001
   Domain System inverse mapping provided by:
   DNS2.INTERLAND.NET           208.233.88.15
   DNS3.INTERLAND.NET           208.233.88.20
-------------------------------------------

#########################

Post by Stevens R. Mille » Thu, 01 Mar 2001 12:53:46




> >> Dec 14 12:40:59 real ftpd[30765]: exiting on signal 11: Segmentation
> >> fault

> > I know someone else said this was just a port scan.  The transport
> > endpoint not connected looks like one, but the seg fault wasn't a port
> > scan.  Buffer overflow.  You may have been back doored on Dec 14.  Check
> > for root kits.

> Good spot. My bad.

Yes, it was a good catch. But, what is a "root kit"?

Post by Miguel Cr » Fri, 02 Mar 2001 03:05:21



> Yes, it was a good catch. But, what is a "root kit"?

Little black bag of software tools used to get root and set up shop once
such has been acquired. Is this mythical? I'm not sure. I do look at the
stuff available on sites like rootshell.org, and have never seen such a
thing (i.e., a general-purpose collection all rolled up together for easy
one-click use). I suppose somewhere out on IRC someone could be trading it
around, but it seems easier and more adaptable for people to just learn how
to use readily-available tools.

miguel

Post by JWMeri » Fri, 02 Mar 2001 08:42:14



>> > Yes, it was a good catch. But, what is a "root kit"?

The package which has been termed "rootkit" on Unix boxes consists of such
things as doctored ps, doctored ls, "fixed" netstat, ... that give almost
correct reports but do not give away the presence of someone who has already
'rooted' the box.

Output looks right, but no giveaways...

James W.  Meritt, CISSP, CISA
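Added example, not from any poster: one practical check for the doctored ps James describes is to compare the PIDs the kernel exposes as numeric entries in /proc with the PIDs ps reports, as this Python script does. It assumes a Linux host with a POSIX ps for the live check; the PID sets used to exercise the helpers are constructed.

```python
import os
import subprocess
from typing import Iterable, Set

def pids_from_proc(entries: Iterable[str]) -> Set[int]:
    """PIDs the kernel exposes: the purely numeric names in /proc."""
    return {int(e) for e in entries if e.isdigit()}

def pids_from_ps(ps_output: str) -> Set[int]:
    """PIDs reported by `ps -e -o pid=` (one number per line, no header)."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}

def hidden_pids(proc_pids: Set[int], ps_pids: Set[int],
                ignore: Iterable[int] = ()) -> Set[int]:
    """Processes present in /proc that ps did not list.
    A doctored ps (the user-space rootkit component the thread describes)
    filters its own output but cannot remove the /proc entries, so the
    set difference exposes it.  `ignore` holds our own PID and anything
    else known to differ between the two snapshots."""
    return (proc_pids - ps_pids) - set(ignore)

def live_check() -> Set[int]:
    """Take both snapshots on a Linux host and return the suspicious PIDs.
    Processes that start or exit between the snapshots cause one-off false
    positives; a PID that stays hidden across several runs is the signal."""
    ps = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                        text=True, check=True)
    proc = pids_from_proc(os.listdir("/proc"))
    return hidden_pids(proc, pids_from_ps(ps.stdout), ignore=[os.getpid()])

if __name__ == "__main__":
    suspicious = live_check()
    print("PIDs in /proc but not in ps:", sorted(suspicious) or "none")
```

A kernel-level rootkit that filters /proc as well defeats this comparison, which is why it belongs alongside integrity checks of the ps, ls and netstat binaries themselves.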

Post by Stevens R. Mille » Sat, 03 Mar 2001 00:57:08

> > > >> Dec 14 12:40:59 real ftpd[30765]: exiting on signal 11: Segmentation
> > > >> fault

> > > > I know someone else said this was just a port scan.  The transport
> > > > endpoint not connected looks like one, but the seg fault wasn't a port
> > > > scan.  Buffer overflow.  You may have been back doored on Dec 14.  Check
> > > > for root kits.

> > > Good spot. My bad.

> > Yes, it was a good catch. But, what is a "root kit"?

> A root kit is a collection of utilities designed to hide the intrusion

These are great answers. Thanks, everyone!