[Cialug] Odd log entries on RH7.2 box

David Champion cialug@cialug.org
Mon, 06 Dec 2004 10:59:26 -0600


Is that system all patched up? Is RH 7.2 still even supported? Might be 
time to update.

While no system is totally secure, something as old as RH 7.2 probably 
has a significantly greater chance of being exploitable.

If you haven't already, I'd check for evidence of an intrusion - i.e. 
run chkrootkit, run "rpm -Va"...

-dc

timwilson011@mchsi.com wrote:
> I was looking through my logs, and I noticed some odd entries.  I am seeing many
> ACCEPTed entries from ipchains (over 800 this week) in /var/log/messages.  The
> source ports are 0, 3, 8, 11, and 12.  The dest ports are 0, 1, 3, or 13.  I've
> looked up these ports at iana.org, but it says port 0, 8, and 12 are reserved or
> unassigned (the dest ports of 1 and 13 are tcpmux and daytime).  I don't have
> anything running on these ports.  For the ones trying to connect to port 0, all
> but 43 came from one of 2 addresses, both of these addresses belong to yahoo.com
> (for example, UNKNOWN-217-146-185-137.yahoo.com).  It seems odd to me there
> would be access on these ports, especially port 0.  I'm curious if I need to
> block any of the dest ports being hit.  Anyone have any ideas, suggestions, or
> comments?  Why would these ports be accessed?
> 
> --
> Tim W.
>
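
Added example, not part of the original posts: a small shell filter for triaging the output of the "rpm -Va" check suggested in the reply. It assumes the classic output layout (flag string, optional attribute marker such as `c`, then path); the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: reduce `rpm -Va` output to the lines that matter when
# looking for tampered system binaries.
# Assumed layout: <flags> [attr] <path>, e.g. "S.5....T c /etc/foo",
# or "missing <path>". Paths containing spaces are not handled.

triage_rpm_va() {
    awk '
    function in_bin_dir(p) {
        return p ~ /^\/(bin|sbin|lib|usr\/bin|usr\/sbin|usr\/lib)\//
    }
    {
        flags = $1; path = $NF
        attr = (NF == 3) ? $2 : ""
        # Config, doc and ghost files change in normal operation.
        if (attr == "c" || attr == "d" || attr == "g") next
        if (!in_bin_dir(path)) next
        if (flags == "missing") { print "MISSING " path; next }
        reason = ""
        if (flags ~ /5/)    reason = reason " digest"
        if (flags ~ /M/)    reason = reason " mode"
        if (flags ~ /[UG]/) reason = reason " owner"
        # Size-only or mtime-only differences are left out as low signal.
        if (reason != "") print "CHANGED" reason " " path
    }'
}

# Constructed sample input (not from a real host).
sample_rpm_va() {
    cat <<'EOF'
S.5....T c /etc/ssh/sshd_config
S.5....T   /bin/ls
.......T   /usr/bin/top
missing    /sbin/ifconfig
.M......   /usr/sbin/sshd
EOF
}

sample_rpm_va | triage_rpm_va
```

On a live system the filter is fed with `rpm -Va 2>/dev/null | triage_rpm_va`. The rpm binary and database on a compromised host cannot be trusted, so a clean result is weak evidence on its own.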