Presentation

Hello to everyone.

This is my first post to this list, so let me introduce myself.
My name is Joaquin Durand. I've installed a PC with RedHat 7.2 in order  
to experiment and learn a little. I have little experience with unix  
systems.

So far everything is OK with my RedHat server, I successfully installed  
IP Masquerade following the instructions in the "Linux IP Masquerade  
HOWTO" and I'm sharing my DSL with a Mac and a Windows PC.

Since then, I have been constantly getting these in the messages log:

Oct  7 20:59:16 Linolio kernel: IN=ppp0 OUT= MAC= SRC=64.172.120.252  
DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=50988 PROTO=UDP  
SPT=1025 DPT=137 LEN=58
Oct  7 21:03:32 Linolio kernel: IN=ppp0 OUT= MAC= SRC=61.99.136.75  
DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=107 ID=63978 PROTO=UDP  
SPT=1027 DPT=137 LEN=58
Oct  7 21:04:46 Linolio kernel: IN=ppp0 OUT= MAC= SRC=210.178.168.234  
DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=106 ID=54964 PROTO=UDP  
SPT=1026 DPT=137 LEN=58
Oct  7 21:05:46 Linolio kernel: IN=ppp0 OUT= MAC= SRC=210.221.225.151  
DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=6399 PROTO=UDP  
SPT=1026 DPT=137 LEN=58
Oct  7 21:06:05 Linolio kernel: IN=ppp0 OUT= MAC= SRC=163.180.21.160  
DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=106 ID=4819 PROTO=UDP  
SPT=1043 DPT=137 LEN=58

Also I get these in Apache's access_log:

218.4.59.220 - - [06/Oct/2002:22:44:49 -0600] "GET  
/ 
default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 
NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN 
NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90 
90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00 
78%u0000%u00=a  HTTP/1.0" 400 352
pd9ebef87.dip.t-dialin.net - - [07/Oct/2002:00:54:18 -0600] "HEAD /  
HTTP/1.0" 200 0
ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:00 -0600] "GET  
/scripts/root.exe?/c+dir HTTP/1.0" 404 310
ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:02 -0600] "GET  
/MSADC/root.exe?/c+dir HTTP/1.0" 404 308
ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:04 -0600] "GET  
/c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 318

The origin IP changes all the time. I'm a little worried about the  
security of my server. It seems that somebody is trying to get access  
through the web server but using Windows commands  :-D  (hahaha)
But my concern is about the messages log: I don't know how to interpret
the log and I'm afraid that someone is trying to break in.

Could somebody guide me and tell me what to do in order to make sure my  
server is secure?
Thank you very much.

- Joaquin!
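
Added example, not part of the original post: a Python parser for netfilter LOG lines of the kind quoted above. It rejoins entries that a mail client wrapped across lines and groups distinct source addresses by inbound interface, protocol and destination port. The sample lines are constructed (RFC 5737 documentation addresses, hypothetical hostname "gw").

```python
import re
from collections import defaultdict

# Constructed sample in the post's log format; the second entry is wrapped
# the way the mail client wrapped the lines in the post.
SAMPLE = """\
Oct  7 20:59:16 gw kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=203.0.113.5 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=50988 PROTO=UDP SPT=1025 DPT=137 LEN=58
Oct  7 21:03:32 gw kernel: IN=ppp0 OUT= MAC= SRC=198.51.100.7
DST=203.0.113.5 LEN=78 TOS=0x00 PREC=0x00 TTL=107 ID=63978 PROTO=UDP
SPT=1027 DPT=137 LEN=58
Oct  7 21:04:46 gw kernel: IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=50 ID=1 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct  7 21:05:00 gw sshd[123]: unrelated line that must be skipped
"""

STAMP = re.compile(r"^\w{3}\s+\d+ [\d:]{8} ")
KERNEL = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) (\S+) kernel: (.*)$")

def unwrap(text):
    """Rejoin entries that were wrapped: a new entry starts with a timestamp."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def parse(entry):
    """Return the KEY=value fields of one packet log entry, or None."""
    m = KERNEL.match(entry)
    if not m or "IN=" not in m.group(3):
        return None
    rec = {"time": m.group(1), "host": m.group(2), "flags": []}
    for tok in m.group(3).split():
        key, sep, val = tok.partition("=")
        if not sep:
            rec["flags"].append(tok)   # bare tokens such as DF or SYN
        else:
            rec.setdefault(key, val)   # keep first LEN (IP total length)
    return rec

def summarize(text):
    """Map (IN, PROTO, DPT) -> sorted list of distinct source addresses."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse, unwrap(text))):
        key = (rec.get("IN"), rec.get("PROTO"), int(rec.get("DPT", 0)))
        seen[key].add(rec.get("SRC"))
    return {k: sorted(v) for k, v in seen.items()}
```

Every kernel entry quoted in the post has IN=ppp0, PROTO=UDP and DPT=137 (the NetBIOS name service port), each from a different SRC.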
