Koozali.org: home of the SME Server

PortSentry and Logcheck

Richard Emory

PortSentry and Logcheck
« on: June 22, 2001, 07:00:39 AM »
I have Portsentry set to anal.
I get the following on most logcheck e-mail reports

Security Violations
=-=-=-=-=-=-=-=-=-=
Jun 21 08:12:33 e-smith kernel: Packet log: denylog DENY eth1 PROTO=6 212.41.192.23:1 (MYserverIP):56137 L=40 S=0x00 I=1253 F=0x0000 T=240 (#1)
Jun 21 08:12:36 e-smith kernel: Packet log: denylog DENY eth1 PROTO=6 212.41.192.23:3 (MYserverIP):56137 L=40 S=0x00 I=1505 F=0x0000 T=240 (#1)

ETC..........

When I nslookup and whois the IP, I get unfamiliar results,
i.e. I do not remember visiting this server.

Should I be concerned, or is this normal for this setting?
A URL for more information would be helpful.
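An added example, not from the original post: a small Python script that parses ipchains "Packet log" lines like the two above and groups them by source address, so you can see whether one host keeps hitting a single port or is walking many ports. The second source address (192.0.2.77) and the sshd line are constructed sample data.

```python
import re
from collections import defaultdict

# ipchains "Packet log" line as written by a 2.2 kernel and mailed by logcheck.
# The poster masked the server address as "(MYserverIP)"; the regex accepts
# either a dotted quad or that placeholder as the destination.
PACKET_LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>DENY|REJECT|ACCEPT) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"\(?(?P<dst>[\w.]+)\)?:(?P<dport>\d+) L=(?P<len>\d+)"
)

def parse_packet_log(line):
    """Return the fields of one ipchains log line as a dict, or None if it is not one."""
    m = PACKET_LOG_RE.search(line)
    return m.groupdict() if m else None

def summarize(lines):
    """Group denied packets by source IP and count distinct destination/source ports.
    Many distinct destination ports from one source looks like a port sweep;
    the same destination port hit repeatedly looks like probes for one service."""
    by_src = defaultdict(lambda: {"count": 0, "dports": set(), "sports": set()})
    for line in lines:
        rec = parse_packet_log(line)
        if rec is None:
            continue  # not a packet log line (e.g. sshd, cron)
        e = by_src[rec["src"]]
        e["count"] += 1
        e["dports"].add(int(rec["dport"]))
        e["sports"].add(int(rec["sport"]))
    return {
        src: {
            "count": e["count"],
            "distinct_dports": len(e["dports"]),
            "distinct_sports": len(e["sports"]),
            "pattern": "port sweep" if len(e["dports"]) > 1 else "single-port probes",
        }
        for src, e in by_src.items()
    }

# Constructed sample input: the two lines from the post plus a made-up second source.
SAMPLE_LINES = [
    "Jun 21 08:12:33 e-smith kernel: Packet log: denylog DENY eth1 PROTO=6 212.41.192.23:1 (MYserverIP):56137 L=40 S=0x00 I=1253 F=0x0000 T=240 (#1)",
    "Jun 21 08:12:36 e-smith kernel: Packet log: denylog DENY eth1 PROTO=6 212.41.192.23:3 (MYserverIP):56137 L=40 S=0x00 I=1505 F=0x0000 T=240 (#1)",
    "Jun 21 10:02:01 e-smith kernel: Packet log: denylog DENY eth1 PROTO=6 192.0.2.77:4021 (MYserverIP):21 L=40 S=0x00 I=7 F=0x0000 T=48 (#1)",
    "Jun 21 10:02:01 e-smith kernel: Packet log: denylog DENY eth1 PROTO=6 192.0.2.77:4022 (MYserverIP):23 L=40 S=0x00 I=8 F=0x0000 T=48 (#1)",
    "Jun 21 10:02:02 e-smith kernel: Packet log: denylog DENY eth1 PROTO=6 192.0.2.77:4023 (MYserverIP):110 L=40 S=0x00 I=9 F=0x0000 T=48 (#1)",
    "Jun 21 10:05:00 e-smith sshd[123]: Accepted password for admin from 10.0.0.2",
]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LINES).items():
        print(src, info)
```

Run it over the "Security Violations" section of a logcheck mail to get one line per source address with the pattern it shows.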

Richard Emory

Re: PortSentry and Logcheck
« Reply #1 on: June 22, 2001, 10:29:20 PM »
By the way, I am getting these about every two hours.
Coming from different IP addresses and different port scans.
If these are scans, then this should let the unaware now know how often your computer(s) could be scanned.

Jules

Re: PortSentry and Logcheck
« Reply #2 on: June 22, 2001, 11:20:36 PM »
It looks as though someone is trying to drop a trojan/backdoor on your machine (port 56137). I am checking for more details on this port. The IP block belongs to Galactica (Milan, Italy). This IP belongs to lisa.galactica.it (or does now). Contact Galactica for more info; look for an abuse@ email address.

Will get back with more info ... Email other scans if you don't want to post them ..
julian@newcentcom.com




Results of lookup
---------------------------


Ip Is In Milan, Italy

Report for 212.41.192.23

Analysis: IP packets are being lost past network "UUNET PIPEX" at hop 14. Connections to HTTP port 80 are being
rejected.

------------------------------------------------------------------------------------------------------------------------------------------------------------
| Hop | %Loss | IP Address     | Node Name                              | Location             | Tzone  | ms  | Graph      | Network                       |
------------------------------------------------------------------------------------------------------------------------------------------------------------
| 0   |       | 161.58.180.113 | win10115.iad.dn.net                    | Dulles, VA, USA      |   -5.0 |     |            | Verio, Inc.                   |
| 1   |       | 161.58.176.129 | -                                      | ?Englewood, CO 80112 |        | 0   | x          | Verio, Inc.                   |
| 2   |       | 161.58.156.140 | -                                      | ?Englewood, CO 80112 |        | 0   | x          | Verio, Inc.                   |
| 3   |       | 129.250.27.190 | ge-1-3-0.r00.stngva01.us.bb.verio.net  | Sterling, VA, USA    |   -5.0 | 0   | x          | Verio, Inc.                   |
| 4   |       | 129.250.3.157  | p16-7-0-0.r01.mclnva02.us.bb.verio.net | Mclean, VA, USA      |   -5.0 | 0   | x          | Verio, Inc.                   |
| 5   |       | 204.255.169.89 | ATM5-0.BR3.DCA6.ALTER.NET              | Washington, DC, USA  |   -5.0 | 0   | x          | UUNET Technologies, Inc.      |
| 6   |       | 152.63.38.118  | 0.so-3-1-0.XL1.DCA6.ALTER.NET          | Washington, DC, USA  |   -5.0 | 0   | x          | UUNET Technologies, Inc.      |
| 7   |       | 152.63.35.113  | 0.so-0-0-0.XR1.DCA6.ALTER.NET          | Washington, DC, USA  |   -5.0 | 0   | x          | UUNET Technologies, Inc.      |
| 8   |       | 152.63.11.101  | 0.so-4-0-0.TR1.DCA6.ALTER.NET          | Washington, DC, USA  |   -5.0 | 0   | x          | UUNET Technologies, Inc.      |
| 9   |       | 152.63.10.121  | 121.at-4-0-0.IR1.DCA6.ALTER.NET        | Washington, DC, USA  |   -5.0 | 0   | x          | UUNET Technologies, Inc.      |
| 10  |       | 146.188.13.34  | SO-0-0-0.IR1.DCA4.Alter.Net            | Washington, DC, USA  |   -5.0 | 0   | x          | UUNET PIPEX                   |
| 11  |       | 146.188.3.202  | so-5-0-0.TR1.FFT1.Alter.Net            | Frankfurt, Germany   |   +1.0 | 78  |   x        | UUNET PIPEX                   |
| 12  |       | 146.188.8.94   | 297.at-4-0-0.XR2.MLN4.Alter.Net        | Milan, Italy         |   +1.0 | 93  |    x       | UUNET PIPEX                   |
| 13  |       | 146.188.4.201  | 314.ATM5-0-0.GW2.MLN4.Alter.Net        | Milan, Italy         |   +1.0 | 93  |    x       | UUNET PIPEX                   |
| 14  |       | 146.188.37.42  | Galactica-gw.customer.ALTER.NET        | -                    |        | 106 |    x------ | UUNET PIPEX                   |
| 15  | 100   | ?146.188.37.42 | Galactica-gw.customer.ALTER.NET        |                      |        |     |            | UUNET PIPEX                   |
| 16  | 100   | ?212.41.192.23 | ?lisa.galactica.it                     |                      |        |     |            | Galactica.it Network - Milano |
------------------------------------------------------------------------------------------------------------------------------------------------------------


domain:      galactica.it
x400-domain: c=it; admd=0; prmd=galactica;
org:         Galactica Spa
admin-c:     PL1155
tech-c:      MM4349
postmaster:  MM4349
zone-c:      MM4349
nserver:     212.41.208.6  dns.galactica.it
nserver:     193.205.245.8  dns2.nic.it
remarks:     Fully-Managed
mnt-by:      GALACTICA-MNT
created:     before 960129
changed:     hostmaster@nic.it 19990826
source:      IT-NIC


%%% End of referred query result

Jules

Re: PortSentry and Logcheck
« Reply #3 on: June 22, 2001, 11:44:45 PM »
Hey again

Nothing really known for port 56137 (unless the person trying to connect made a typo !!!)

Only ones close follow
5631 tcp udp  pcanywheredata pcANYWHEREdata symantec.com
5632 tcp udp  pcanywherestat pcANYWHEREstat symantec.com


55917 HACK sub7newserver22.zip
54320 tcp   Back Orifice 2000 (TCP)
54321 udp   Back Orifice 2000 (UDP)
65000 tcp stacheldraht Stacheldraht distributed attack tool Handler to/from agent
65301 tcp pcanywhere Used sometimes by PCAnywhere

Only other thing I found was something called HACK 56137 here :-
http://security.namodro.cz/dl/indexnew0004.asp

56137 HACK sechole3.zip
Gaining Administrator access on a local NT machine (pre-SP4 only)


For port info go to:
http://www.ec11.dial.pipex.com/port-num.htm

Richard Emory

Re: PortSentry and Logcheck
« Reply #4 on: June 25, 2001, 06:45:56 PM »
How / where did you get that information?
I would like to know how and where to get more information on the server, the hack they are going after and how to stop or thwart the attack.  Also, if it is a real attack.  Also, I saw somewhere a program that I could use that would misrepresent the fingerprint my server gives out to scans.  Have you seen this and do you know where to get it?


This is all I got:


nslookup 212.41.192.23
Server:  localhost
Address:  127.0.0.1

Name:    lisa.galactica.it
Address:  212.41.192.23

[root@e-smith /root]# nmap -sS -O 212.41.192.23

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Interesting ports on lisa.galactica.it (212.41.192.23):
(The 1512 ports scanned but not shown below are in state: closed)
Port       State       Service
23/tcp     open        telnet                  
25/tcp     open        smtp                    
80/tcp     open        http                    
111/tcp    open        sunrpc                  
113/tcp    open        auth                    
139/tcp    open        netbios-ssn            
513/tcp    open        login                  
514/tcp    open        shell                  
515/tcp    open        printer                
1024/tcp   open        kdm                    
7010/tcp   open        ups-onlinet            

TCP Sequence Prediction: Class=random positive increments
                         Difficulty=2332566 (Good luck!)
Remote operating system guess: Linux 2.1.122 - 2.2.14

Nmap run completed -- 1 IP address (1 host up) scanned in 80 seconds

Sidney

Re: PortSentry and Logcheck
« Reply #5 on: June 26, 2001, 09:11:17 PM »
Sorry for getting a little off the subject, but

could you tell me how to install portsentry and logcheck?

Is there any user manual that would be helpful for a beginner?

Thanks for any help