Ubuntu CZ/SK Forum
Other => Archive => Topic started by: Jakub Kocourek, 24 August 2007, 17:44:40
-
I'm looking for advice here about some strange server behaviour. The server runs Ubuntu Dapper and acts as an internet gateway. The external interface is connected to a T-Systems router and the internal one goes to the main switch in the server room.
Filtering on the server is done with iptables and Snort in inline mode.
When I looked at the Snort log through BASE today, I was horrified. The largest share of attacks is a portscan whose source address is my external interface - that means my server is trying to scan ports on other servers around the world.
When I blocked the remaining attackers with iptables, the portscan stopped too (for good, I hope). So it seems I was acting as an intermediary for someone's malicious activity.
I started looking for where the problem might be. I went through the log history (summaries via LogWatch), checked Tripwire (I also have my own sha1sum database), used chkrootkit and rkhunter, and went through the processes. But I found nothing suspicious at all :( Only the day before the attack did PAM record failed login attempts.
Once I get to the server I can also try rkhunter from a clean system, but otherwise nothing comes to mind.
Does anyone have any ideas?
Jakub
-
1) What is the "strange behaviour"? A single symptom, and you haven't described anything...
2) Port scanning and PAM attacks are completely normal things...
Bots do that, and the only thing you can do about it is have a secured server...
If you want at least partial protection, I would try using this:
http://aboutme.ic.cz/?q=node/120
-
I think you've misunderstood what's going on here. My server is not being scanned; my server is scanning other servers on the external network! That is the only suspicious thing. I found nothing else. Yes, a PAM attack is nothing unusual, that's true. It's unusual only in connection with the date the attack started.
Jakub
-
You'd probably need to find out which process is doing it. But if the server really is compromised, that will be hard, because it can be a perfectly ordinary process that does it as a "side job". Also try scanning the machine with some port scanner / nmap, so you can see whether you have extra open ports that shouldn't be there.
Also try listing the file attributes at the low level of the filesystem / lsattr. Nothing should be set. If something is RO, caution is in order. If the machine has been compromised, there's nothing left but a reinstall; it can't be "cured".
-
I think you've misunderstood what's going on here. My server is not being scanned; my server is scanning other servers on the external network! That is the only suspicious thing. I found nothing else. Yes, a PAM attack is nothing unusual, that's true. It's unusual only in connection with the date the attack started.
Jakub
Ah, then I apologise, I really didn't understand what the problem was...
-
Only the day before the attack did PAM record failed login attempts.
Rather, I'd also like to ask - wouldn't the simplest explanation be a cracked password?
-
Only the day before the attack did PAM record failed login attempts.
Rather, I'd also like to ask - wouldn't the simplest explanation be a cracked password?
That looks very likely...
What surprises me more is that it didn't wipe the logs afterwards (whether it was a bot or a person)
-
But the logs show nothing odd (apart from Snort), and after changing the root password and my login password the attack continues without pause :(
Isn't there some way to fool iptables (Netfilter) into doing a net -> net forward?
Jakub
-
Before I forget... no suspicious processes are running and "who" shows only me logged in.
Jakub
-
You'd probably need to find out which process is doing it. But if the server really is compromised, that will be hard, because it can be a perfectly ordinary process that does it as a "side job". Also try scanning the machine with some port scanner / nmap, so you can see whether you have extra open ports that shouldn't be there.
Also try listing the file attributes at the low level of the filesystem / lsattr. Nothing should be set. If something is RO, caution is in order. If the machine has been compromised, there's nothing left but a reinstall; it can't be "cured".
lsattr reports nothing suspicious; I also checked the checksums of the binaries of the individual services, but nothing suspicious turned up :(
I've now started tethereal, so I'll see once the attack starts whether I learn anything useful.
Jakub
-
So it seems it may be a false alarm :) I looked at the tethereal output and I'm finding that the "portscan" is probably being done by SpamAssassin while it checks mail messages :) That's why the attack only happens sometimes - when a message arrives.
Here is the output, maybe you'll be wiser than me:
0.000000 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
0.017535 84.42.128.227 -> 10.11.0.3 TCP 38199 > 2222 [ACK] Seq=0 Ack=64 Win=180 Len=0 TSV=13657 TSER=250347501
3.412733 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [SYN] Seq=0 Len=0 MSS=1452 TSV=14675 TSER=0 WS=6
3.413215 10.11.0.3 -> 84.42.128.227 TCP 2222 > 38201 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=250347843 TSER=14675 WS=2
3.429071 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=1 Ack=1 Win=5824 Len=0 TSV=14680 TSER=250347843
3.436547 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
3.470475 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=1 Ack=41 Win=5824 Len=0 TSV=14692 TSER=250347845
3.470570 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
3.470703 10.11.0.3 -> 84.42.128.227 TCP 2222 > 38201 [ACK] Seq=41 Ack=21 Win=5792 Len=0 TSV=250347849 TSER=14692
3.472523 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
3.489522 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
3.529888 10.11.0.3 -> 84.42.128.227 TCP 2222 > 38201 [ACK] Seq=745 Ack=773 Win=7296 Len=0 TSV=250347854 TSER=14697
3.531247 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=773 Ack=745 Win=7232 Len=0 TSV=14711 TSER=250347849
3.541242 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
3.541340 10.11.0.3 -> 84.42.128.227 TCP 2222 > 38201 [ACK] Seq=745 Ack=797 Win=7296 Len=0 TSV=250347856 TSER=14715
3.543663 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
3.560213 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=797 Ack=897 Win=8640 Len=0 TSV=14719 TSER=250347856
3.566761 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
3.585875 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
3.608118 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
3.649925 10.11.0.3 -> 84.42.128.227 TCP 2222 > 38201 [ACK] Seq=1617 Ack=957 Win=8800 Len=0 TSV=250347866 TSER=14734
3.665995 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
3.666099 10.11.0.3 -> 84.42.128.227 TCP 2222 > 38201 [ACK] Seq=1617 Ack=1005 Win=8800 Len=0 TSV=250347868 TSER=14751
3.666146 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
3.681931 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
3.684097 10.11.0.3 -> 212.67.64.2 DNS Standard query PTR 227.128.42.84.in-addr.arpa
3.690498 212.67.64.2 -> 10.11.0.3 DNS Standard query response PTR r4a227.net.upc.cz
3.690798 10.11.0.3 -> 212.67.64.2 DNS Standard query A r4a227.net.upc.cz
3.696103 212.67.64.2 -> 10.11.0.3 DNS Standard query response A 84.42.128.227
3.696520 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
3.749361 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=1069 Ack=1729 Win=10112 Len=0 TSV=14777 TSER=250347871
6.853837 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
6.855164 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
6.871971 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=1213 Ack=1761 Win=10112 Len=0 TSV=15713 TSER=250348187
6.872831 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
6.873058 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
6.890197 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
6.892067 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
6.892204 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
6.907482 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=1661 Ack=2321 Win=11520 Len=0 TSV=15724 TSER=250348191
7.100088 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
7.100342 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
7.115436 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=1661 Ack=2449 Win=11520 Len=0 TSV=15786 TSER=250348211
7.809837 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
7.810065 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
7.861126 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=1709 Ack=2497 Win=11520 Len=0 TSV=16011 TSER=250348282
8.030493 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
8.030700 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
8.046186 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=1757 Ack=2545 Win=11520 Len=0 TSV=16065 TSER=250348305
8.370095 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
8.370277 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
8.377840 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
8.385634 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=1805 Ack=2593 Win=11520 Len=0 TSV=16167 TSER=250348339
8.395096 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=1805 Ack=2641 Win=11520 Len=0 TSV=16170 TSER=250348339
9.029470 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
9.029620 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
9.044701 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=1853 Ack=2689 Win=11520 Len=0 TSV=16365 TSER=250348404
9.224065 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
9.224207 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
9.236833 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=1901 Ack=2737 Win=11520 Len=0 TSV=16423 TSER=250348424
9.420138 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
9.420294 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
9.435314 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=1949 Ack=2785 Win=11520 Len=0 TSV=16482 TSER=250348444
9.771678 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
9.771824 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
9.787546 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=1997 Ack=2833 Win=11520 Len=0 TSV=16587 TSER=250348479
10.286543 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
10.286693 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
10.299555 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=2045 Ack=2881 Win=11520 Len=0 TSV=16742 TSER=250348530
10.470001 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
10.470176 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
10.481800 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=2093 Ack=2929 Win=11520 Len=0 TSV=16797 TSER=250348548
10.609678 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
10.609821 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
10.622192 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=2141 Ack=2977 Win=11520 Len=0 TSV=16839 TSER=250348562
10.731451 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
10.731594 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
10.747091 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=2189 Ack=3025 Win=11520 Len=0 TSV=16875 TSER=250348575
11.368409 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
11.368624 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
11.380771 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=2237 Ack=3073 Win=11520 Len=0 TSV=17066 TSER=250348638
11.418253 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
11.418772 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
11.435320 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=2237 Ack=3201 Win=11520 Len=0 TSV=17082 TSER=250348643
11.435407 84.42.128.227 -> 10.11.0.3 TCP [TCP Dup ACK 84#1] 38201 > 2222 [ACK] Seq=2237 Ack=3201 Win=11520 Len=0 TSV=17082 TSER=250348643
11.845140 Intel_8b:26:d2 -> EdimaxTe_9c:3c:07 ARP Who has 10.11.0.3? Tell 10.11.0.1
11.845151 EdimaxTe_9c:3c:07 -> Intel_8b:26:d2 ARP 10.11.0.3 is at 00:0e:2e:9c:3c:07
21.132022 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
21.132398 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
21.147334 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=2285 Ack=3249 Win=11520 Len=0 TSV=19995 TSER=250349615
21.539606 218.208.194.107 -> 10.11.0.3 TCP 26954 > smtp [SYN] Seq=0 Len=0 MSS=1442
21.540123 10.11.0.3 -> 218.208.194.107 TCP smtp > 26954 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460
21.640994 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
21.641196 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
21.653074 84.42.128.227 -> 10.11.0.3 TCP 38201 > 2222 [ACK] Seq=2333 Ack=3297 Win=11520 Len=0 TSV=20148 TSER=250349666
21.898276 218.208.194.107 -> 10.11.0.3 TCP 26954 > smtp [ACK] Seq=1 Ack=1
........
.......
......
MSS=1460 TSV=250350125 TSER=0 WS=2
26.370423 209.200.130.14 -> 10.11.0.3 TCP 2703 > 47361 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=177052969 TSER=250350125 WS=6
26.371235 10.11.0.3 -> 209.200.130.14 TCP 47361 > 2703 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=250350139 TSER=177052969
26.404935 66.151.150.12 -> 10.11.0.3 TCP 2703 > 37775 [RST, ACK] Seq=138 Ack=30 Win=5792 Len=0 TSV=2490284626 TSER=250350125
26.504034 209.200.130.14 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
26.504746 10.11.0.3 -> 209.200.130.14 TCP 47361 > 2703 [ACK] Seq=1 Ack=37 Win=5840 Len=0 TSV=250350152 TSER=177052982
26.505074 10.11.0.3 -> 209.200.130.14 TCP [TCP segment of a reassembled PDU]
26.583509 83.145.163.143 -> 10.11.0.3 SMTP Command: MAIL FROM:
26.584144 10.11.0.3 -> 83.145.163.143 SMTP Response: 250 Ok
26.638009 209.200.130.14 -> 10.11.0.3 TCP 2703 > 47361 [ACK] Seq=37 Ack=26 Win=5760 Len=0 TSV=177052995 TSER=250350152
26.638731 10.11.0.3 -> 209.200.130.14 TCP [TCP segment of a reassembled PDU]
26.771131 209.200.130.14 -> 10.11.0.3 TCP 2703 > 47361 [ACK] Seq=37 Ack=158 Win=6400 Len=0 TSV=177053009 TSER=250350165
26.793508 209.200.130.14 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
26.794781 10.11.0.3 -> 209.200.130.14 TCP [TCP segment of a reassembled PDU]
26.794939 10.11.0.3 -> 209.200.130.14 TCP 47361 > 2703 [FIN, ACK] Seq=163 Ack=77 Win=5840 Len=0 TSV=250350181 TSER=177053011
26.802137 10.11.0.3 -> 142.27.70.214 DCCP Request: No-Op
26.802165 10.11.0.3 -> 136.161.101.6 DCCP Request: No-Op
26.802181 10.11.0.3 -> 194.228.41.13 DCCP Request: No-Op
26.802196 10.11.0.3 -> 192.84.137.21 DCCP Request: No-Op
26.802212 10.11.0.3 -> 80.69.8.186 DCCP Request: No-Op
26.802227 10.11.0.3 -> 136.199.199.102 DCCP Request: No-Op
26.802243 10.11.0.3 -> 208.201.249.233 DCCP Request: No-Op
26.802258 10.11.0.3 -> 194.228.41.73 DCCP Request: No-Op
26.802272 10.11.0.3 -> 152.20.253.5 DCCP Request: No-Op
26.802287 10.11.0.3 -> 194.119.212.6 DCCP Request: No-Op
26.802303 10.11.0.3 -> 203.81.36.6 DCCP Request: No-Op
26.806628 194.228.41.13 -> 10.11.0.3 DCCP Response: Ok
26.807141 194.228.41.73 -> 10.11.0.3 DCCP Response: Ok
26.822761 136.199.199.102 -> 10.11.0.3 DCCP Response: Ok
26.832514 80.69.8.186 -> 10.11.0.3 DCCP Response: Ok
26.844124 83.145.163.143 -> 10.11.0.3 TCP 2913 > smtp [ACK] Seq=81 Ack=197 Win=65339 Len=0
26.849034 192.84.137.21 -> 10.11.0.3 DCCP Response: Ok
26.871524 194.119.212.6 -> 10.11.0.3 DCCP Response: Ok
26.912125 136.161.101.6 -> 10.11.0.3 DCCP Response: Ok
26.927984 209.200.130.14 -> 10.11.0.3 TCP 2703 > 47361 [RST, ACK] Seq=77 Ack=164 Win=6400 Len=0 TSV=177053024 TSER=250350181
26.935666 152.20.253.5 -> 10.11.0.3 DCCP Response: Ok
26.983104 208.201.249.233 -> 10.11.0.3 DCCP Response: Ok
26.996800 142.27.70.214 -> 10.11.0.3 DCCP Response: Ok
27.200776 203.81.36.6 -> 10.11.0.3 DCCP Response: Ok
27.488331 83.145.163.143 -> 10.11.0.3 SMTP Command: RCPT TO:
27.490079 10.11.0.3 -> 83.145.163.143 SMTP Response: 250 Ok
27.992620 10.11.0.3 -> 83.145.163.143 SMTP [TCP Retransmission] Response: 250 Ok
28.098179 83.145.163.143 -> 10.11.0.3 TCP [TCP Previous segment lost] 2913 > smtp [ACK] Seq=2752 Ack=242 Win=65294 Len=0
28.397480 83.145.163.143 -> 10.11.0.3 SMTP [TCP Retransmission] Message Body
28.397673 10.11.0.3 -> 83.145.163.143 TCP smtp > 2913 [ACK] Seq=242 Ack=1581 Win=8760 Len=0
28.505732 83.145.163.143 -> 10.11.0.3 SMTP [TCP Retransmission] Message Body
28.513270 10.11.0.3 -> 83.145.163.143 SMTP Response: 250 Ok: queued as 240D52802E20
28.621229 10.11.0.3 -> 212.67.64.2 DNS Standard query A discovery.spamnet.com
28.626640 212.67.64.2 -> 10.11.0.3 DNS Standard query response A 66.151.150.35 A 66.151.150.12
28.627013 10.11.0.3 -> 66.151.150.35 TCP 51041 > 2703 [SYN] Seq=0 Len=0 MSS=1460 TSV=250350364 TSER=0 WS=2
28.739794 83.145.163.143 -> 10.11.0.3 TCP 2913 > smtp [ACK] Seq=2752 Ack=274 Win=65262 Len=0
28.807500 66.151.150.35 -> 10.11.0.3 TCP 2703 > 51041 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=2490287029 TSER=250350364 WS=2
28.808291 10.11.0.3 -> 66.151.150.35 TCP 51041 > 2703 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=250350382 TSER=2490287029
28.890733 83.145.163.143 -> 10.11.0.3 TCP [TCP Previous segment lost] 2913 > smtp [FIN, ACK] Seq=2758 Ack=274 Win=65262 Len=0
28.890840 10.11.0.3 -> 83.145.163.143 TCP [TCP Dup ACK 239#1] smtp > 2913 [ACK] Seq=274 Ack=2752 Win=11680 Len=0 SLE=2758 SRE=2759
...
...
...
...
191.534863 66.151.150.35 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
191.535464 10.11.0.3 -> 66.151.150.35 TCP 51749 > 2703 [ACK] Seq=1 Ack=36 Win=5840 Len=0 TSV=250366655 TSER=2490449757
191.535630 10.11.0.3 -> 66.151.150.35 TCP [TCP segment of a reassembled PDU]
191.714798 66.151.150.35 -> 10.11.0.3 TCP 2703 > 51749 [ACK] Seq=36 Ack=13 Win=5792 Len=0 TSV=2490449938 TSER=250366655
191.715041 66.151.150.35 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
191.716145 10.11.0.3 -> 66.151.150.35 TCP [TCP segment of a reassembled PDU]
191.742846 84.42.128.227 -> 10.11.0.3 TLS Application Data
191.742955 10.11.0.3 -> 84.42.128.227 TCP https > 49937 [ACK] Seq=63595 Ack=3204 Win=16160 Len=0 TSV=250366675 TSER=71166
191.825430 124.190.211.64 -> 10.11.0.3 SMTP Command: QUIT
191.825610 10.11.0.3 -> 124.190.211.64 SMTP Response: 221 Bye
191.825944 10.11.0.3 -> 124.190.211.64 TCP smtp > 62215 [FIN, ACK] Seq=166 Ack=1142 Win=8272 Len=0
191.896928 66.151.150.35 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
191.900729 10.11.0.3 -> 66.151.150.35 TCP [TCP segment of a reassembled PDU]
191.901124 10.11.0.3 -> 212.67.64.2 DNS Standard query A c103.cloudmark.com
191.905802 212.67.64.2 -> 10.11.0.3 DNS Standard query response A 209.200.130.14
191.906144 10.11.0.3 -> 209.200.130.14 TCP 35156 > 2703 [SYN] Seq=0 Len=0 MSS=1460 TSV=250366692 TSER=0 WS=2
191.955006 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data,
191.955030 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
191.955046 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
191.976879 84.42.128.227 -> 10.11.0.3 TCP 49937 > https [ACK] Seq=3204 Ack=67915 Win=63808 Len=0 TSV=71238 TSER=250366697
191.977012 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
191.977027 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
191.977039 10.11.0.3 -> 84.42.128.227 TLS Application Data,
191.977050 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data, Application Data,
191.982873 84.42.128.227 -> 10.11.0.3 TCP [TCP Dup ACK 815#1] 49937 > https [ACK] Seq=3204 Ack=67915 Win=63808 Len=0 TSV=71238 TSER=250366697
191.996033 84.42.128.227 -> 10.11.0.3 TCP 49937 > https [ACK] Seq=3204 Ack=70795 Win=63808 Len=0 TSV=71245 TSER=250366699
191.996140 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
191.996152 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
191.996163 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.002217 84.42.128.227 -> 10.11.0.3 TCP 49937 > https [ACK] Seq=3204 Ack=73675 Win=62336 Len=0 TSV=71245 TSER=250366699
192.002332 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.002345 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data, Application Data, Application Data,
192.002356 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.008609 84.42.128.227 -> 10.11.0.3 TCP [TCP Dup ACK 825#1] 49937 > https [ACK] Seq=3204 Ack=73675 Win=62336 Len=0 TSV=71245 TSER=250366699
192.018320 84.42.128.227 -> 10.11.0.3 TCP 49937 > https [ACK] Seq=3204 Ack=79435 Win=63808 Len=0 TSV=71251 TSER=250366701
192.018428 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.018441 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.018452 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.018464 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.018569 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data, Application Data, Application Data,
192.024418 84.42.128.227 -> 10.11.0.3 TCP 49937 > https [ACK] Seq=3204 Ack=82315 Win=62336 Len=0 TSV=71252 TSER=250366701
192.024499 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.024510 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.024521 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.030949 84.42.128.227 -> 10.11.0.3 TCP [TCP Dup ACK 836#1] 49937 > https [ACK] Seq=3204 Ack=82315 Win=62336 Len=0 TSV=71252 TSER=250366701
192.040756 84.42.128.227 -> 10.11.0.3 TCP 49937 > https [ACK] Seq=3204 Ack=89515 Win=63808 Len=0 TSV=71258 TSER=250366703
192.040849 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.040860 10.11.0.3 -> 84.42.128.227 TLS Application Data,
192.040871 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data, Application Data,
192.040882 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.040990 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.041114 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.042424 209.200.130.14 -> 10.11.0.3 TCP 2703 > 35156 [SYN, ACK] Seq=0 Ack=1 Win=5792 Len=0 MSS=1460 TSV=1710681409 TSER=250366692 WS=6
192.043270 10.11.0.3 -> 209.200.130.14 TCP 35156 > 2703 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSV=250366706 TSER=1710681409
192.047519 84.42.128.227 -> 10.11.0.3 TCP 49937 > https [ACK] Seq=3204 Ack=93835 Win=59456 Len=0 TSV=71259 TSER=250366704
192.047609 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.047621 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data
192.053055 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data,
192.053077 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.053466 84.42.128.227 -> 10.11.0.3 TCP [TCP Dup ACK 850#1] 49937 > https [ACK] Seq=3204 Ack=93835 Win=59456 Len=0 TSV=71259 TSER=250366704
192.059917 84.42.128.227 -> 10.11.0.3 TCP 49937 > https [ACK] Seq=3204 Ack=96715 Win=63808 Len=0 TSV=71264 TSER=250366705
192.059991 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.060003 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.060014 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.066365 84.42.128.227 -> 10.11.0.3 TCP 49937 > https [ACK] Seq=3204 Ack=105055 Win=64128 Len=0 TSV=71266 TSER=250366706
192.066457 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data, Application Data, Application Data,
192.066468 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.066480 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.066491 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
192.066597 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data, Application Data
192.072301 84.42.128.227 -> 10.11.0.3 TCP 49937 > https [ACK] Seq=3204 Ack=107935 Win=62016 Len=0 TSV=71268 TSER=250366707
192.078747 84.42.128.227 -> 10.11.0.3 TCP 49937 > https [ACK] Seq=3204 Ack=110815 Win=63808 Len=0 TSV=71269 TSER=250366707
192.080559 66.151.150.35 -> 10.11.0.3 TCP 2703 > 51749 [RST, ACK] Seq=138 Ack=30 Win=5792 Len=0 TSV=2490450304 TSER=250366691
192.085571 84.42.128.227 -> 10.11.0.3 TCP 49937 > https [ACK] Seq=3204 Ack=116575 Win=63808 Len=0 TSV=71272 TSER=250366708
192.091730 84.42.128.227 -> 10.11.0.3 TCP 49937 > https [ACK] Seq=3204 Ack=119308 Win=63808 Len=0 TSV=71273 TSER=250366708
192.098355 84.42.128.227 -> 10.11.0.3 TCP [TCP Dup ACK 870#1] 49937 > https [ACK] Seq=3204 Ack=119308 Win=63808 Len=0 TSV=71273 TSER=250366708
192.185738 209.200.130.14 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
192.186506 10.11.0.3 -> 209.200.130.14 TCP 35156 > 2703 [ACK] Seq=1 Ack=37 Win=5840 Len=0 TSV=250366720 TSER=1710681423
192.186859 10.11.0.3 -> 209.200.130.14 TCP [TCP segment of a reassembled PDU]
192.319642 209.200.130.14 -> 10.11.0.3 TCP 2703 > 35156 [ACK] Seq=37 Ack=26 Win=5760 Len=0 TSV=1710681437 TSER=250366720
192.320361 10.11.0.3 -> 209.200.130.14 TCP [TCP segment of a reassembled PDU]
192.453354 209.200.130.14 -> 10.11.0.3 TCP 2703 > 35156 [ACK] Seq=37 Ack=106 Win=5760 Len=0 TSV=1710681450 TSER=250366733
192.478660 209.200.130.14 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
192.479910 10.11.0.3 -> 209.200.130.14 TCP [TCP segment of a reassembled PDU]
192.480048 10.11.0.3 -> 209.200.130.14 TCP 35156 > 2703 [FIN, ACK] Seq=111 Ack=58 Win=5840 Len=0 TSV=250366749 TSER=1710681453
192.487322 10.11.0.3 -> 142.27.70.214 DCCP Request: No-Op
192.487347 10.11.0.3 -> 136.161.101.6 DCCP Request: No-Op
192.487361 10.11.0.3 -> 194.228.41.13 DCCP Request: No-Op
192.487373 10.11.0.3 -> 192.84.137.21 DCCP Request: No-Op
192.487385 10.11.0.3 -> 80.69.8.186 DCCP Request: No-Op
192.487398 10.11.0.3 -> 136.199.199.102 DCCP Request: No-Op
192.487410 10.11.0.3 -> 208.201.249.233 DCCP Request: No-Op
192.487422 10.11.0.3 -> 194.228.41.73 DCCP Request: No-Op
192.487434 10.11.0.3 -> 152.20.253.5 DCCP Request: No-Op
192.487446 10.11.0.3 -> 194.119.212.6 DCCP Request: No-Op
192.487458 10.11.0.3 -> 203.81.36.6 DCCP Request: No-Op
192.491569 194.228.41.13 -> 10.11.0.3 DCCP Response: Ok
192.493153 194.228.41.73 -> 10.11.0.3 DCCP Response: Ok
192.508954 136.199.199.102 -> 10.11.0.3 DCCP Response: Ok
192.517631 80.69.8.186 -> 10.11.0.3 DCCP Response: Ok
192.534350 192.84.137.21 -> 10.11.0.3 DCCP Response: Ok
192.557457 194.119.212.6 -> 10.11.0.3 DCCP Response: Ok
192.597256 136.161.101.6 -> 10.11.0.3 DCCP Response: Ok
192.612729 209.200.130.14 -> 10.11.0.3 TCP 2703 > 35156 [RST, ACK] Seq=58 Ack=112 Win=5760 Len=0 TSV=1710681466 TSER=250366749
192.621636 152.20.253.5 -> 10.11.0.3 DCCP Response: Ok
192.668439 208.201.249.233 -> 10.11.0.3 DCCP Response: Ok
192.681545 142.27.70.214 -> 10.11.0.3 DCCP Response: Ok
192.885960 203.81.36.6 -> 10.11.0.3 DCCP Response: Ok
193.739336 84.42.128.227 -> 10.11.0.3 TLS Application Data
193.739515 10.11.0.3 -> 84.42.128.227 TCP https > 49936 [ACK] Seq=78888 Ack=3770 Win=15184 Len=0 TSV=250366875 TSER=71766
193.878353 124.190.211.64 -> 10.11.0.3 TCP 62215 > smtp [FIN, ACK] Seq=1142 Ack=167 Win=17355 Len=0
193.887681 10.11.0.3 -> 124.190.211.64 TCP smtp > 62215 [ACK] Seq=167 Ack=1143 Win=8272 Len=0
193.942012 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data,
193.942030 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
193.942042 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
193.963843 84.42.128.227 -> 10.11.0.3 TCP 49936 > https [ACK] Seq=3770 Ack=83208 Win=63808 Len=0 TSV=71834 TSER=250366895
193.964061 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
193.964076 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
193.964088 10.11.0.3 -> 84.42.128.227 TLS Application Data,
193.964101 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data, Application Data,
193.970660 84.42.128.227 -> 10.11.0.3 TCP [TCP Dup ACK 911#1] 49936 > https [ACK] Seq=3770 Ack=83208 Win=63808 Len=0 TSV=71834 TSER=250366895
193.990048 84.42.128.227 -> 10.11.0.3 TCP 49936 > https [ACK] Seq=3770 Ack=88968 Win=62336 Len=0 TSV=71841 TSER=250366898
193.990125 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
193.990138 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
193.990149 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
193.990160 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
193.990270 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data, Application Data, Application Data,
193.993015 84.42.128.227 -> 10.11.0.3 TCP [TCP Dup ACK 917#1] 49936 > https [ACK] Seq=3770 Ack=88968 Win=62336 Len=0 TSV=71841 TSER=250366898
194.011372 84.42.128.227 -> 10.11.0.3 TCP 49936 > https [ACK] Seq=3770 Ack=96168 Win=59456 Len=0 TSV=71849 TSER=250366900
194.011451 84.42.128.227 -> 10.11.0.3 TCP [TCP Dup ACK 924#1] 49936 > https [ACK] Seq=3770 Ack=96168 Win=59456 Len=0 TSV=71849 TSER=250366900
194.011484 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.011495 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.011506 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.011517 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.011624 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.011746 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data, Application Data, Application Data,
194.038758 84.42.128.227 -> 10.11.0.3 TCP 49936 > https [ACK] Seq=3770 Ack=101928 Win=63808 Len=0 TSV=71855 TSER=250366902
194.038850 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.038862 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.038873 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.038884 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.038991 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.046502 84.42.128.227 -> 10.11.0.3 TCP 49936 > https [ACK] Seq=3770 Ack=104808 Win=63808 Len=0 TSV=71856 TSER=250366902
194.046551 84.42.128.227 -> 10.11.0.3 TCP [TCP Dup ACK 938#1] 49936 > https [ACK] Seq=3770 Ack=104808 Win=63808 Len=0 TSV=71856 TSER=250366902
194.046636 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data, Application Data, Application Data,
194.046647 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.046658 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.064345 84.42.128.227 -> 10.11.0.3 TCP 49936 > https [ACK] Seq=3770 Ack=113448 Win=63808 Len=0 TSV=71865 TSER=250366905
194.064420 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.064432 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.064442 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data, Application Data, Application Data,
194.064454 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.064561 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.064683 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.064806 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.069480 84.42.128.227 -> 10.11.0.3 TCP [TCP Dup ACK 943#1] 49936 > https [ACK] Seq=3770 Ack=113448 Win=63808 Len=0 TSV=71865 TSER=250366905
194.079114 84.42.128.227 -> 10.11.0.3 TCP 49936 > https [ACK] Seq=3770 Ack=119208 Win=64128 Len=0 TSV=71870 TSER=250366908
194.079206 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.079218 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data, Application Data, Application Data,
194.079229 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.079240 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.079347 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.085207 84.42.128.227 -> 10.11.0.3 TCP 49936 > https [ACK] Seq=3770 Ack=124968 Win=64128 Len=0 TSV=71872 TSER=250366908
194.085310 10.11.0.3 -> 84.42.128.227 TCP [TCP segment of a reassembled PDU]
194.085321 10.11.0.3 -> 84.42.128.227 TLS Application Data, Application Data, Application Data
194.091447 84.42.128.227 -> 10.11.0.3 TCP [TCP Dup ACK 958#1] 49936 > https [ACK] Seq=3770 Ack=124968 Win=64128 Len=0 TSV=71872 TSER=250366908
194.114220 84.42.128.227 -> 10.11.0.3 TCP 49936 > https [ACK] Seq=3770 Ack=135433 Win=63808 Len=0 TSV=71877 TSER=250366910
194.120557 84.42.128.227 -> 10.11.0.3 TCP [TCP Dup ACK 962#1] 49936 > https [ACK] Seq=3770 Ack=135433 Win=63808 Len=0 TSV=71877 TSER=250366910
197.755907 84.42.128.227 -> 10.11.0.3 TCP [TCP segment of a reassembled PDU]
-----------------------------------------------
84.42.128.227 is me
10.11.0.3 is the server's external address
And something from Snort:
#0-(3-105289) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:24 10.11.0.3 209.200.130.14 Raw IP
#1-(3-105288) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:24 10.11.0.3 209.200.130.14 Raw IP
#2-(3-105287) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:23 10.11.0.3 209.200.130.14 Raw IP
#3-(3-105286) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:23 10.11.0.3 209.200.130.14 Raw IP
#4-(3-105285) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:23 10.11.0.3 209.200.130.14 Raw IP
#5-(3-105284) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:23 10.11.0.3 209.200.130.14 Raw IP
#6-(3-105283) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:23 10.11.0.3 209.200.130.14 Raw IP
#7-(3-105282) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:23 10.11.0.3 66.151.150.12 Raw IP
#8-(3-105281) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:23 10.11.0.3 66.151.150.12 Raw IP
#9-(3-105280) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:23 10.11.0.3 66.151.150.12 Raw IP
#10-(3-105279) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:22 10.11.0.3 66.151.150.12 Raw IP
#11-(3-105278) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:22 10.11.0.3 66.151.150.12 Raw IP
#12-(3-105277) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:22 10.11.0.3 209.200.130.14 Raw IP
#13-(3-105276) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:22 10.11.0.3 209.200.130.14 Raw IP
#14-(3-105275) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:22 10.11.0.3 209.200.130.14 Raw IP
#15-(3-105274) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:22 10.11.0.3 209.200.130.14 Raw IP
#16-(3-105273) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:22 10.11.0.3 209.200.130.14 Raw IP
#17-(3-105272) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:22 10.11.0.3 66.151.150.12 Raw IP
#18-(3-105271) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:21 10.11.0.3 66.151.150.12 Raw IP
#19-(3-105270) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:21 10.11.0.3 66.151.150.12 Raw IP
#20-(3-105269) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:21 10.11.0.3 66.151.150.12 Raw IP
#21-(3-105268) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:21 10.11.0.3 66.151.150.12 Raw IP
#22-(3-105267) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:24 10.11.0.3 209.200.130.14 Raw IP
#23-(3-105266) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:24 10.11.0.3 209.200.130.14 Raw IP
#24-(3-105265) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:23 10.11.0.3 209.200.130.14 Raw IP
#25-(3-105264) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:23 10.11.0.3 209.200.130.14 Raw IP
#26-(3-105263) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:23 10.11.0.3 209.200.130.14 Raw IP
#27-(3-105262) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:23 10.11.0.3 66.151.150.35 Raw IP
#28-(3-105261) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:23 10.11.0.3 66.151.150.35 Raw IP
#29-(3-105260) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:23 10.11.0.3 66.151.150.35 Raw IP
#30-(3-105259) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:23 10.11.0.3 66.151.150.35 Raw IP
#31-(3-105258) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:23 10.11.0.3 66.151.150.35 Raw IP
#32-(3-105257) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:22 10.11.0.3 209.200.130.14 Raw IP
#33-(3-105256) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:22 10.11.0.3 209.200.130.14 Raw IP
#34-(3-105255) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:22 10.11.0.3 209.200.130.14 Raw IP
#35-(3-105254) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:22 10.11.0.3 209.200.130.14 Raw IP
#36-(3-105253) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:22 10.11.0.3 209.200.130.14 Raw IP
#37-(3-105252) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:22 10.11.0.3 66.151.150.12 Raw IP
#38-(3-105251) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:22 10.11.0.3 66.151.150.12 Raw IP
#39-(3-105250) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:22 10.11.0.3 66.151.150.12 Raw IP
#40-(3-105249) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:21 10.11.0.3 66.151.150.12 Raw IP
#41-(3-105248) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:21 10.11.0.3 66.151.150.12 Raw IP
#42-(3-105247) [snort] (portscan) Open Port: 2703
2007-08-25 14:08:16 10.11.0.3 209.200.130.14 Raw IP
#43-(3-105246) [snort] (portscan) Open Port: 2703
2007-08-25 14:08:16 10.11.0.3 209.200.130.14 Raw IP
#44-(3-105245) [snort] (portscan) Open Port: 2703
2007-08-25 14:08:16 10.11.0.3 209.200.130.14 Raw IP
#45-(3-105244) [snort] (portscan) Open Port: 2703
2007-08-25 14:08:15 10.11.0.3 209.200.130.14 Raw IP
#46-(3-105243) [snort] (portscan) Open Port: 2703
2007-08-25 14:08:15 10.11.0.3 209.200.130.14 Raw IP
#47-(3-105242) [snort] (portscan) Open Port: 2703
2007-08-25 14:08:15 10.11.0.3 66.151.150.12 Raw IP
Jakub
-
Well, I don't see anything suspicious there.
If it really were an attack or a port scan, I think there would be far more connection attempts there, and e.g. with nonsensically set flags...
It might also help if you wrote what services are running on that server, etc.
btw - don't you want to put those listings in a "code" tag so we don't have to scroll so much?
-
Yes, I could have put it in a "code" tag :)
There is a lot running there: Squid, Postfix, SpamAssassin, ClamAV, Courier IMAP, Apache, MySQL, Samba, DHCP server.
Jakub
-
But all of those have "well known" ports, so you can easily find out what and how. As for the ports of already established connections, those aren't normally open, are they?
-
It isn't that easy to identify. Inbound connections are clear; there everything has the lower 1024 ports and the exact number is clear for each service. Outbound connections are worse. SpamAssassin, for example, uses remote tests and so makes a lot of outbound connections during normal operation. Nevertheless, from what is in the Tethereal log it really does look like SpamAssassin's remote tests. I will try to find the relevant Snort rule and find out where the problem is.
Thanks everyone for the advice.
Jakub
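The triage Jakub describes in his last post (working out which of the "portscan" alerts are really just a mail filter talking to its remote services) can be done mechanically over the BASE listing quoted above. The script below is an added example, not code from the thread or from Snort/BASE: it parses the two-line BASE alert records, aggregates them per destination and port, splits them into "matches a service this gateway is known to run" and "needs a look", and groups alerts into time bursts (several servers queried within the same second or two is what one mail being checked looks like). The sample alerts are copied from the thread, plus one constructed alert (port 5555 to 198.51.100.7) so that the "unexpected" branch is exercised; the table of expected outbound ports is an assumption the administrator has to tailor to their own gateway (Razor, one of SpamAssassin's network tests, does use TCP 2703, which is the port in every alert above).

```python
"""Triage of Snort/BASE "portscan" alerts whose source is our own gateway.

Added example, not code from the thread. Parses the two-line BASE listing
format quoted in the thread and classifies alerts against an assumed table
of outbound ports that the gateway's services legitimately use.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: a subset of the BASE lines quoted in the thread, plus one
# constructed alert (port 5555 to 198.51.100.7) that matches no known service.
SAMPLE_ALERTS = """\
#0-(3-105289) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:24 10.11.0.3 209.200.130.14 Raw IP
#1-(3-105288) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:24 10.11.0.3 209.200.130.14 Raw IP
#7-(3-105282) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:23 10.11.0.3 66.151.150.12 Raw IP
#8-(3-105281) [snort] (portscan) Open Port: 2703
2007-08-25 14:12:23 10.11.0.3 66.151.150.12 Raw IP
#27-(3-105262) [snort] (portscan) Open Port: 2703
2007-08-25 14:09:23 10.11.0.3 66.151.150.35 Raw IP
#99-(3-999999) [snort] (portscan) Open Port: 5555
2007-08-25 14:09:23 10.11.0.3 198.51.100.7 Raw IP
"""

EXTERNAL_IP = "10.11.0.3"  # the gateway's external address, as stated in the thread

# Assumed table of outbound ports the services listed in the thread use.
# Razor (razor-agents, one of SpamAssassin's network tests) talks on TCP 2703.
EXPECTED_OUTBOUND = {
    2703: "Razor - SpamAssassin network test",
    53: "DNS - DNSBL/URIBL lookups and normal resolution",
    25: "SMTP - Postfix outbound delivery",
    80: "HTTP - Squid fetching on behalf of clients",
    443: "HTTPS - Squid fetching on behalf of clients",
}

HEADER_RE = re.compile(
    r"^#(?P<idx>\d+)-\((?P<sid>\d+)-(?P<cid>\d+)\) \[snort\] "
    r"\((?P<gen>\w+)\) Open Port: (?P<port>\d+)$")
DETAIL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<src>\S+) (?P<dst>\S+) (?P<proto>.+)$")


@dataclass(frozen=True)
class Alert:
    ts: datetime
    src: str
    dst: str
    port: int
    proto: str


def parse_base_alerts(text):
    """Pair each BASE header line with its detail line; skip anything malformed."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    alerts, i = [], 0
    while i + 1 < len(lines):
        h, d = HEADER_RE.match(lines[i]), DETAIL_RE.match(lines[i + 1])
        if not (h and d):
            i += 1  # stray line: resynchronise on the next header
            continue
        alerts.append(Alert(datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
                            d["src"], d["dst"], int(h["port"]), d["proto"]))
        i += 2
    return alerts


def summarize(alerts):
    """Count alerts per (destination, port) and record first/last time seen."""
    out = {}
    for a in alerts:
        s = out.setdefault((a.dst, a.port), {"count": 0, "first": a.ts, "last": a.ts})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], a.ts), max(s["last"], a.ts)
    return out


def triage(alerts, external_ip=EXTERNAL_IP, expected=EXPECTED_OUTBOUND):
    """Outbound alerts on a known service port vs. the rest; inbound kept apart."""
    known, unknown, inbound = [], [], []
    for a in alerts:
        if a.src != external_ip:
            inbound.append(a)          # someone else scanning us, a different question
        elif a.port in expected:
            known.append(a)
        else:
            unknown.append(a)          # map these to a process on the gateway
    return known, unknown, inbound


def bursts(alerts, window=timedelta(seconds=2)):
    """Group alerts closer than `window`; returns (start, n_alerts, n_destinations)."""
    groups = []
    for a in sorted(alerts, key=lambda x: x.ts):
        if groups and a.ts - groups[-1][-1].ts <= window:
            groups[-1].append(a)
        else:
            groups.append([a])
    return [(g[0].ts, len(g), len({x.dst for x in g})) for g in groups]


if __name__ == "__main__":
    alerts = parse_base_alerts(SAMPLE_ALERTS)
    for (dst, port), s in sorted(summarize(alerts).items()):
        label = EXPECTED_OUTBOUND.get(port, "UNEXPECTED")
        print(f"{dst}:{port} x{s['count']} {s['first']}..{s['last']} {label}")
    known, unknown, inbound = triage(alerts)
    print(f"known={len(known)} unknown={len(unknown)} inbound={len(inbound)}")
    for start, n, ndst in bursts(alerts):
        print(f"burst at {start}: {n} alerts to {ndst} hosts")
```

Whatever lands in the `unknown` bucket is what to chase down on the gateway itself with `ss -tnp` or `lsof -i`, which map a live connection to the owning process; a burst of alerts to two or three hosts within a second, all on a port a known service uses, is the normal footprint of one message being checked rather than a scan.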