[Cialug] Odd log entries on RH7.2 box

Dave J. Hala Jr. cialug@cialug.org
Mon, 06 Dec 2004 13:40:05 -0600


It's too bad we can't get updates for RH 7.2 and 9.0, those were *great*
distros.

<whimper><whimper>


On Mon, 2004-12-06 at 10:59, David Champion wrote:
> Is that system all patched up? Is RH 7.2 still even supported? Might be 
> time to update.
> 
> While no system is totally secure, something as old as RH 7.2 probably 
> has a significantly greater chance of being exploitable.
> 
> If you haven't already, I'd check for evidence of an intrusion - i.e. 
> run chkrootkit, run "rpm -Va"...
> 
> -dc
> 
> timwilson011@mchsi.com wrote:
> > I was looking through my logs, and I noticed some odd entries.  I am seeing many
> > ACCEPTed entries from ipchains (over 800 this week) in /var/log/messages.  The
> > source ports are 0, 3, 8, 11, and 12.  The dest ports are 0, 1, 3, or 13.  I've
> > looked up these ports at iana.org, but it says port 0, 8, and 12 are reserved or
> > unassigned (the dest ports of 1 and 13 are tcpmux and daytime).  I don't have
> > anything running on these ports.  For the ones trying to connect to port 0, all
> > but 43 came from one of 2 addresses, both of these addresses belong to yahoo.com
> > (for example, UNKNOWN-217-146-185-137.yahoo.com).  It seems odd to me there
> > would be access on these ports, especially port 0.  I'm curious if I need to
> > block any of the dest ports being hit.  Anyone have any ideas, suggestions, or
> > comments?  Why would these ports be accessed?
> > 
> > --
> > Tim W.
> > _______________________________________________
> > Cialug mailing list
> > Cialug@cialug.org
> > http://cialug.org/mailman/listinfo/cialug
> > 
-- 

Open Source Information Systems (OSIS)
Dave J. Hala Jr. <dave@osis.us>
641.485.1606
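
An added example, not part of the thread: in ipchains log lines the two `:port` fields hold the ICMP type and code when `PROTO=1`, so the code below decodes them that way and treats them as ports only for other protocols. The log lines and addresses are constructed, and whether the entries in the quoted post are `PROTO=1` is an assumption to check against the real `/var/log/messages`.

```python
import re
from collections import Counter

# ipchains kernel log layout:
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<p1> <dst>:<p2> L=... T=...
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<p1>\d+) (?P<dst>[\d.]+):(?P<p2>\d+)"
)
# Only the ICMP types and destination-unreachable codes relevant to the post.
ICMP_TYPES = {0: "echo-reply", 3: "destination-unreachable", 8: "echo-request",
              11: "time-exceeded", 12: "parameter-problem"}
UNREACH_CODES = {0: "network-unreachable", 1: "host-unreachable",
                 3: "port-unreachable", 13: "communication-prohibited"}

def classify(line):
    """Return (action, protocol, detail, source) or None if not an ipchains entry."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, p1, p2 = int(m["proto"]), int(m["p1"]), int(m["p2"])
    if proto == 1:  # ICMP: p1 is the type, p2 is the code, neither is a port
        detail = ICMP_TYPES.get(p1, f"type-{p1}")
        if p1 == 3:
            detail += "/" + UNREACH_CODES.get(p2, f"code-{p2}")
        elif p2:
            detail += f"/code-{p2}"
        return (m["action"], "icmp", detail, m["src"])
    name = {6: "tcp", 17: "udp"}.get(proto, f"proto-{proto}")
    return (m["action"], name, f"{p1}->{p2}", m["src"])

def summarize(lines):
    """Count entries per (action, protocol, detail) so real port traffic stands out."""
    counts = Counter()
    for line in lines:
        c = classify(line)
        if c:
            counts[c[:3]] += 1
    return counts

# Constructed sample lines (documentation addresses), not taken from the thread.
SAMPLE = [
    "Dec  5 04:02:11 gw kernel: Packet log: input ACCEPT eth0 PROTO=1 192.0.2.10:8 198.51.100.5:0 L=84 S=0x00 I=0 F=0x0000 T=52 (#3)",
    "Dec  5 04:02:19 gw kernel: Packet log: input ACCEPT eth0 PROTO=1 192.0.2.77:3 198.51.100.5:13 L=56 S=0x00 I=0 F=0x0000 T=240 (#3)",
    "Dec  5 04:03:40 gw kernel: Packet log: input ACCEPT eth0 PROTO=1 192.0.2.10:8 198.51.100.5:0 L=84 S=0x00 I=0 F=0x0000 T=52 (#3)",
    "Dec  5 04:05:02 gw kernel: Packet log: input ACCEPT eth0 PROTO=6 192.0.2.44:34567 198.51.100.5:13 L=60 S=0x00 I=0 F=0x4000 T=51 (#5)",
]
```

Running `summarize()` over the real log separates ICMP messages from genuine TCP/UDP connections to low ports; only the latter indicate a service being contacted.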