[Cialug] Odd log entries on RH7.2 box

cialug@cialug.org
Mon, 06 Dec 2004 23:28:07 +0000


I've done some more digging, and solved at least part of the mystery.  I did a
ping from work, checked my logs, and I got 4 log entries (1 for each ping
packet) with a source port of 8 and a dest port of 0.  So most of the entries
are pings.  I'm still trying to figure out why 2 addresses within Yahoo would be
pinging my box so much, and over such a large period of time.  Since the logs
rotated yesterday morning, I have 82 entries in my logs from these 2 addresses
(217.146.185.136 and 217.146.185.137).  Each time an entry appears, there's
usually 2 or 3 total entries at or about the same time, from the same address.

Anyone have any thoughts?
--
Tim W.
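The thread's key observation is that ipchains logs an ICMP packet's type and code in the source and destination "port" fields, so a ping shows up as 8:0. The following is an added example (not from the thread) that decodes constructed ipchains "Packet log:" lines under that assumption and tallies ACCEPTed packets per source; it goes beyond the ping case by also naming the other ICMP types the original post lists (0, 3, 11, 12) and the destination-unreachable codes (0, 1, 3, 13). The log format and the 10.0.0.5 local address are assumptions of the example.

```python
import re
from collections import Counter

# Assumed ipchains (kernel 2.2) log format:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=... T=...
# For PROTO=1 (ICMP) the "port" fields are really the ICMP type and code,
# so an echo request is logged as src "port" 8 and dst "port" 0.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request",
              11: "time-exceeded", 12: "parameter-problem"}
UNREACH_CODES = {0: "net", 1: "host", 3: "port", 13: "admin-prohibited"}

def decode(line):
    """Return (src, dst, target, description) for one log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto, a, b = int(m["proto"]), int(m["sport"]), int(m["dport"])
    if proto == 1:                       # ICMP: a = type, b = code
        desc = "icmp " + ICMP_TYPES.get(a, f"type{a}")
        if a == 3:                       # only unreachable codes are decoded here
            desc += "/" + UNREACH_CODES.get(b, f"code{b}")
    elif proto == 6:
        desc = f"tcp dport {b}"
    elif proto == 17:
        desc = f"udp dport {b}"
    else:
        desc = f"proto {proto}"
    return m["src"], m["dst"], m["target"], desc

def summarize(lines):
    """Count ACCEPTed packets per (source address, decoded description)."""
    counts = Counter()
    for line in lines:
        r = decode(line)
        if r and r[2] == "ACCEPT":
            counts[(r[0], r[3])] += 1
    return counts

# Constructed sample lines (addresses from the thread; 10.0.0.5 stands in for the box).
SAMPLE = [
    "Dec  6 17:01:02 host kernel: Packet log: input ACCEPT eth0 PROTO=1 217.146.185.137:8 10.0.0.5:0 L=84 S=0x00 I=0 F=0x0000 T=245 (#3)",
    "Dec  6 17:01:03 host kernel: Packet log: input ACCEPT eth0 PROTO=1 217.146.185.137:8 10.0.0.5:0 L=84 S=0x00 I=0 F=0x0000 T=245 (#3)",
    "Dec  6 17:05:10 host kernel: Packet log: input ACCEPT eth0 PROTO=1 217.146.185.136:3 10.0.0.5:13 L=56 S=0xc0 I=0 F=0x0000 T=244 (#3)",
    "Dec  6 17:09:44 host kernel: Packet log: input ACCEPT eth0 PROTO=1 217.146.185.136:11 10.0.0.5:0 L=56 S=0xc0 I=0 F=0x0000 T=50 (#3)",
    "Dec  6 17:12:00 host kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.9:40000 10.0.0.5:22 L=60 S=0x00 I=1 F=0x4000 T=48 (#7)",
]

if __name__ == "__main__":
    for (src, desc), n in sorted(summarize(SAMPLE).items()):
        print(f"{src:16} {desc:40} {n}")
```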
> I did do a YUM update off of fedoralegacy.org back in August (and nothing has
> been updated on that site since then for 7.2).  RH 7.2 is no longer supported by
> RH or fedoralegacy.  I plan on upgrading, but my copious free time isn't as free
> as it used to be. :-)
> 
> I ran chkrootkit with no problems.  Good idea on running "rpm -Va".  It reported
> some missing files and some other files where size and MD5 checksum doesn't
> match.  So far, those look OK (updates), but I'll need to investigate more.
> 
> My plan to upgrade was to go to FC2, however I'm wondering if it would be better
> for me to do a YUM upgrade to 7.3, and then later go to the latest FC release. 
> Thoughts?
> 
> --
> Tim W.
> > Is that system all patched up? Is RH 7.2 still even supported? Might be 
> > time to update.
> > 
> > While no system is totally secure, something as old as RH 7.2 probably 
> > has a significantly greater chance of being exploitable.
> > 
> > If you haven't already, I'd check for evidence of an intrusion - i.e. 
> > run chkrootkit, run "rpm -Va"...
> > 
> > -dc
> > 
> > timwilson011@mchsi.com wrote:
> > > I was looking through my logs, and I noticed some odd entries.  I am seeing many
> > > ACCEPTed entries from ipchains (over 800 this week) in /var/log/messages.  The
> > > source ports are 0, 3, 8, 11, and 12.  The dest ports are 0, 1, 3, or 13.  I've
> > > looked up these ports at iana.org, but it says port 0, 8, and 12 are reserved or
> > > unassigned (the dest ports of 1 and 13 are tcpmux and daytime).  I don't have
> > > anything running on these ports.  For the ones trying to connect to port 0, all
> > > but 43 came from one of 2 addresses, both of these addresses belong to yahoo.com
> > > (for example, UNKNOWN-217-146-185-137.yahoo.com).  It seems odd to me there
> > > would be access on these ports, especially port 0.  I'm curious if I need to
> > > block any of the dest ports being hit.  Anyone have any ideas, suggestions, or
> > > comments?  Why would these ports be accessed?
> > > 
> > > --
> > > Tim W.
> > > _______________________________________________
> > > Cialug mailing list
> > > Cialug@cialug.org
> > > http://cialug.org/mailman/listinfo/cialug
> > > 