Full Version: Port scan from a server ? Info plz...
The Planet Forums > System Administration > General Support Questions
x007
I need some info from the Linux gurus here.

Today I received a ticket from Ev1 (not very clear btw),
just listing some logs with the IP of the server and another one..

As I understand it, my server has sent a port scan to another server.

2004-10-04 09:05:00 User.Warning xx.xxx.xxx.xx ivhou-bix-xx, list 163 denied icmp xx.xx.xx.xx()(Ethernet 2/8) -> xxx.xx.xx.xx(), 1 event(s)
2004-10-04 09:05:00 User.Warning xx.xx.xxx.xx ivhou-bix-xx, list 163 denied udp xx.xx.xx.xx(domain)(Ethernet 2/8) -> xxx.xx.xx.xx(32947), 1 event(s)

According to the log from Ev1, various port scans of the other machine: 3306, 993, 995, 505, 465, 443, 143, pop3, httpd, 54, smtp etc..

So I had a look to see if I could find something with chkrootkit in case the server was compromised etc.. all pretty normal, nothing appears to be compromised..

This server never suffered this type of problem before (I've had it for nearly a year), safe mode is ON, no one has an SSH/shell account on it.

And I have APF running, which should block incoming/outgoing ports if I'm not wrong (with the exception of the usual ports)?

Then Ev1 took a look at the server and closed the ticket with: "We were unable to find any signs of compromise, and as such, are closing this ticket."

So can someone explain how this is possible? I'm not an expert on Linux and I want to know how the server can have done a port scan, to avoid things like this if possible???

Thanks.
eth00
I would first off check to make sure that APF really is set up to block outgoing traffic. There is a switch in the config file to turn outgoing filtering on and you might have missed it.

Though it really does not sound like you are hacked, try running rkhunter as it will pick up what chkrootkit will not.

Go ahead and take a brief look through your server logs. See if any user was logged into ssh at the time the "attack" took place. If you do, then investigate their account. It may also be worth your time to look at the raw logs briefly, if possible, to see if any weird activity was going through apache at the time of the incident.

If you cannot find anything above, there is the possibility that ev1 screwed up on the ticket. I have had them report a server was scanning/DDoS'ing a server but the server itself was actually the victim. You have the actual log ev1 has; just double check that it makes sense with you being on the receiving end. Hopefully this gives you some place to start with a more thorough investigation.
rackAID
Check /tmp and /var/tmp for hacker-related files. I have seen a lot of scanning lately where attackers use PHP-based exploits to upload scanning tools. These run under the apache username and do not require full root access. Be sure to check for directories beginning with a "." and things like "  " -- double spaces.
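A small checker for the hiding tricks rackAID describes (dot-prefixed names and names padded with spaces under /tmp or /var/tmp). This is an added example, not code from the thread; it builds a constructed stand-in directory in a temp location instead of touching the real /var/tmp, and the file and directory names in the fixture are hypothetical.

```python
import os
import re
import tempfile

# Names that are easy to overlook in a plain `ls`: leading dot, or runs of spaces.
HIDDEN_NAME = re.compile(r"^\.|  ")

def find_hidden_entries(root):
    """Return paths (relative to root) whose name starts with '.' or has
    doubled, leading or trailing spaces, the hiding tricks mentioned above."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if HIDDEN_NAME.search(name) or name != name.strip():
                hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)

def build_fixture():
    """Constructed stand-in for /var/tmp (hypothetical content, created in a
    temp dir): one ordinary CGI temp file plus three disguised directories."""
    root = tempfile.mkdtemp(prefix="vartmp-")
    open(os.path.join(root, "CGItemp15365"), "w").close()
    os.makedirs(os.path.join(root, "sess", ".x"))   # dot dir one level down
    os.makedirs(os.path.join(root, "  "))            # double-space name
    os.makedirs(os.path.join(root, "logs "))         # trailing space
    return root

if __name__ == "__main__":
    # On a real box you would pass "/tmp" or "/var/tmp" instead of the fixture.
    for hit in find_hidden_entries(build_fixture()):
        print(repr(hit))   # repr() makes the space padding visible
```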
x007
QUOTE
Originally posted by eth00
I would first off check to make sure that APF really is set up to block outgoing traffic. There is a switch in the config file to turn outgoing filtering on and you might have missed it.

Damn, yes I missed it. It is disabled by default.., OK this is corrected, so if this happens again it will limit the available ports to scan..

QUOTE
Though it really does not sound like you are hacked, try running rkhunter as it will pick up what chkrootkit will not.

I had done this at first with chkrootkit, nothing wrong, all appears clear..

QUOTE
Go ahead and take a brief look through your server logs. See if any user was logged into ssh at the time the "attack" took place. If you do, then investigate their account. It may also be worth your time to look at the raw logs briefly, if possible, to see if any weird activity was going through apache at the time of the incident.

That's a todo!

QUOTE
If you cannot find anything above, there is the possibility that ev1 screwed up on the ticket. I have had them report a server was scanning/DDoS'ing a server but the server itself was actually the victim. You have the actual log ev1 has; just double check that it makes sense with you being on the receiving end. Hopefully this gives you some place to start with a more thorough investigation.

As the log looks, I'm not really sure if I'm the receiver or the attacker..
Maybe you can clarify this?

OTHER-IP = other server IP
MY-server-IP = my server


2004-10-04 08:51:27 User.Warning OTHER-IP ivhou-bi4-67, list 163 denied tcp MY-server-IP(ftp)(Ethernet 2/8) -> OTHER-IP(32811), 1 event(s)

2004-10-04 08:51:27 User.Warning OTHER-IP ivhou-bi4-67, list 163 denied tcp MY-server-IP(22)(Ethernet 2/8) -> OTHER-IP(32812), 1 event(s)

2004-10-04 08:51:27 User.Warning OTHER-IP ivhou-bi4-67, list 163 denied tcp MY-server-IP(smtp)(Ethernet 2/8) -> OTHER-IP(32815), 1 event(s)

2004-10-04 08:51:27 User.Warning OTHER-IP ivhou-bi4-67, list 163 denied tcp MY-server-IP(53)(Ethernet 2/8) -> OTHER-IP(32836), 1 event(s)
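eth00's advice to double-check which end of the log you are on, applied to the line format x007 pasted above. This is an added example, not code from the thread: it assumes the log keeps the shape shown (`source(port)(interface) -> destination(port)`), uses placeholder addresses in place of the masked ones, and reports on which side the named server appears and whether the port pattern looks like probes (ephemeral source port to a service port) or like replies (service port to an ephemeral port).

```python
import re

# Constructed sample in the shape of the ticket's log lines (RFC 5737 placeholder
# addresses; MY is the server under investigation, PEER is the other host).
MY, PEER = "198.51.100.5", "203.0.113.9"
SAMPLE_LOG = f"""\
2004-10-04 08:51:27 User.Warning {PEER} ivhou-bi4-67, list 163 denied tcp {MY}(ftp)(Ethernet 2/8) -> {PEER}(32811), 1 event(s)
2004-10-04 08:51:27 User.Warning {PEER} ivhou-bi4-67, list 163 denied tcp {MY}(22)(Ethernet 2/8) -> {PEER}(32812), 1 event(s)
2004-10-04 08:51:27 User.Warning {PEER} ivhou-bi4-67, list 163 denied tcp {MY}(smtp)(Ethernet 2/8) -> {PEER}(32815), 1 event(s)
2004-10-04 08:51:27 User.Warning {PEER} ivhou-bi4-67, list 163 denied tcp {MY}(53)(Ethernet 2/8) -> {PEER}(32836), 1 event(s)
2004-10-04 09:05:00 User.Warning {PEER} ivhou-bi4-67, list 163 denied icmp {MY}()(Ethernet 2/8) -> {PEER}(), 1 event(s)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \S+ \S+ \S+, list (?P<acl>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>[^)]*)\)\([^)]*\) -> (?P<dst>[\d.]+)\((?P<dport>[^)]*)\)"
)
# The log names some ports by service; map the ones that appear in the thread.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "pop3": 110, "https": 443}

def port_number(label):
    """'22' -> 22, 'smtp' -> 25, '' (icmp) or an unknown name -> None."""
    return int(label) if label.isdigit() else SERVICE_PORTS.get(label)

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = port_number(rec["sport"]), port_number(rec["dport"])
    return rec

def classify(log_text, my_ip):
    """Which side is my_ip on, and does the port pattern look like probes or replies?"""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    as_src = [r for r in recs if r["src"] == my_ip]
    tcp_udp = [r for r in as_src if r["sport"] is not None and r["dport"] is not None]
    # Probe: ephemeral source port -> service port. Reply: service port -> ephemeral port.
    probe_like = sum(1 for r in tcp_udp if r["sport"] >= 1024 and r["dport"] < 1024)
    reply_like = sum(1 for r in tcp_udp if r["sport"] < 1024 and r["dport"] >= 1024)
    return {
        "parsed": len(recs),
        "my_ip_as_source": len(as_src),
        "my_ip_as_destination": sum(1 for r in recs if r["dst"] == my_ip),
        "probe_like": probe_like,
        "reply_like": reply_like,
        "distinct_peer_ports": len({r["dport"] for r in tcp_udp}),
    }

if __name__ == "__main__":
    print(classify(SAMPLE_LOG, MY))
```

A run with many probe-like lines and distinct peer ports is the pattern you would expect from a scanner; many reply-like lines point back at the other host as the initiator, which is exactly the mix-up eth00 says he has seen in tickets.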
x007
QUOTE
Originally posted by huck
Check /tmp and /var/tmp for hacker-related files. I have seen a lot of scanning lately where attackers use PHP-based exploits to upload scanning tools. These run under the apache username and do not require full root access. Be sure to check for directories beginning with a "." and things like "  " -- double spaces.


I had a check of /tmp at first and saw nothing really wrong..

Just checked /var/tmp; it only contains this?:


-rw------- 1 apache apache 9322 Sep 15 13:50 CGItemp15365


I can't find any " " or " " either..