From owner-freebsd-questions@FreeBSD.ORG Thu Dec 14 10:11:21 2000
Date: Thu, 14 Dec 2000 12:12:00 -0600 (CST)
From: Alex Charalabidis
To: Jonathan Pennington
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: Possible Intrusion...?
In-Reply-To: <20001214123643.A499@coastalgeology.org>

On Thu, 14 Dec 2000, Jonathan Pennington wrote:

> Got a possible intrusion, and a fairly bare logset. Although I firmly
> subscribe to the school of "Never ascribe to malice what can
> adequately be explained by stupidity," it seems that even I couldn't
> have done this one.
>

Never dismiss as stupidity what is probably malice.

Looks pretty much like every logfile of mine.

> Dec 13 21:55:31 bullwinkle tdetect: Traceroute Detector active on ed0
> Dec 13 22:08:19 bullwinkle /kernel: ipfw: 65435 Deny TCP 213.26.2.2:23 66.20.126.15:23 in via tun0
> Dec 14 01:21:11 bullwinkle /kernel: ipfw: 65435 Deny TCP 149.149.202.53:1953 66.20.126.15:27374 in via tun0
> Dec 14 01:21:14 bullwinkle /kernel: ipfw: 65435 Deny TCP 149.149.202.53:1953 66.20.126.15:27374 in via tun0
> Dec 14 03:16:46 bullwinkle /kernel: ipfw: 65435 Deny TCP 210.204.3.61:3466 66.20.126.15:23 in via tun0
> Dec 14 03:16:49 bullwinkle /kernel: ipfw: 65435 Deny TCP 210.204.3.61:3466 66.20.126.15:23 in via tun0
> Dec 14 07:58:35 bullwinkle tdetect: Traceroute Detector active on ed0
> Dec 14 11:34:33 bullwinkle tdetect: Traceroute Detector active on ed0
> ----------- end -----------------

27374 is a scan for a SubSeven backdoor. The rest are garden variety
probes. Can't say about tdetect, never used it myself.

-ac

--
==============================================================
Alex Charalabidis (AC8139)           5050 Poplar Ave, Ste 170
System Administrator                 Memphis, TN 38157
WebNet Memphis                       (901) 432 6000
Author, The Book of IRC              http://www.bookofirc.com/
==============================================================
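The triage Alex does by eye above (group the ipfw "Deny" lines by source and destination port, and flag 27374 as a SubSeven backdoor scan) can be automated over a syslog file. This is an added example, not code from the thread or from FreeBSD; the port labels and the sample log lines (copied from the quoted log) are constructed for the demonstration, and the regex assumes the ipfw(8) log format shown in the thread.

```python
import re
from collections import Counter

# Constructed sample input, in the ipfw syslog format quoted in the thread.
SAMPLE_LOG = """\
Dec 13 22:08:19 bullwinkle /kernel: ipfw: 65435 Deny TCP 213.26.2.2:23 66.20.126.15:23 in via tun0
Dec 14 01:21:11 bullwinkle /kernel: ipfw: 65435 Deny TCP 149.149.202.53:1953 66.20.126.15:27374 in via tun0
Dec 14 01:21:14 bullwinkle /kernel: ipfw: 65435 Deny TCP 149.149.202.53:1953 66.20.126.15:27374 in via tun0
Dec 14 03:16:46 bullwinkle /kernel: ipfw: 65435 Deny TCP 210.204.3.61:3466 66.20.126.15:23 in via tun0
Dec 14 07:58:35 bullwinkle tdetect: Traceroute Detector active on ed0
"""

# Assumed labels for this example: 27374 is the SubSeven port named in the
# reply, 23 is telnet. Anything else is reported as an unclassified probe.
PORT_LABELS = {27374: "SubSeven backdoor scan", 23: "telnet probe"}

# Matches "<ts> <host> /kernel: ipfw: <rule> <action> <proto> src:port dst:port in|out via <iface>"
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) /kernel: ipfw: "
    r"(?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

def parse_ipfw(line):
    """Return the fields of one ipfw log line as a dict, or None for non-ipfw lines."""
    m = IPFW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def summarize(log_text):
    """Count denied packets per (source, destination port), busiest source first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_ipfw(line)
        if rec and rec["action"] == "Deny":
            counts[(rec["src"], rec["dport"])] += 1
    return [
        {"src": src, "dport": dport, "hits": n,
         "label": PORT_LABELS.get(dport, "unclassified probe")}
        for (src, dport), n in sorted(counts.items(), key=lambda kv: -kv[1])
    ]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(f"{row['src']:>16} -> port {row['dport']:<5} x{row['hits']}  {row['label']}")
```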