> Hello to everyone.

Hi, diddly doo!

The scans are looking for open-shares via netbios. "IN=ppp0" is the interface your network is configured to use. You're either using dialup or a DSL modem. "SPT=XXX" is the originating port from the attacker. "DPT=XXX" is the port that is being scanned on your server. In your case it is port 137 which is a port on netbios.

> Oct 7 20:59:16 Linolio kernel: IN=ppp0 OUT= MAC= SRC=64.172.120.252
> DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=50988 PROTO=UDP
> SPT=1025 DPT=137 LEN=58
> Oct 7 21:03:32 Linolio kernel: IN=ppp0 OUT= MAC= SRC=61.99.136.75
> DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=107 ID=63978 PROTO=UDP
> SPT=1027 DPT=137 LEN=58
> Oct 7 21:04:46 Linolio kernel: IN=ppp0 OUT= MAC= SRC=210.178.168.234
> DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=106 ID=54964 PROTO=UDP
> SPT=1026 DPT=137 LEN=58
> Oct 7 21:05:46 Linolio kernel: IN=ppp0 OUT= MAC= SRC=210.221.225.151
> DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=6399 PROTO=UDP
> SPT=1026 DPT=137 LEN=58
> Oct 7 21:06:05 Linolio kernel: IN=ppp0 OUT= MAC= SRC=163.180.21.160
> DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=106 ID=4819 PROTO=UDP
> SPT=1043 DPT=137 LEN=58
>
> Also I get these in Apache's access_log:
>
> 218.4.59.220 - - [06/Oct/2002:22:44:49 -0600] "GET
> /
> default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
> NNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u90
> 90%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u00
> 78%u0000%u00=a HTTP/1.0" 400 352
> pd9ebef87.dip.t-dialin.net - - [07/Oct/2002:00:54:18 -0600] "HEAD /
> HTTP/1.0" 200 0
> ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:00 -0600] "GET
> /scripts/root.exe?/c+dir HTTP/1.0" 404 310
> ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:02 -0600] "GET
> /MSADC/root.exe?/c+dir HTTP/1.0" 404 308
> ixde7561-90.pool.007mundo.com - - [07/Oct/2002:03:39:04 -0600] "GET
> /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 318
>
> The origin IP changes all the time. I'm a little worried about the
> security of my server. It seems that somebody is trying to get access
> through the web server but using Windows commands :-D (hahaha)
> But my concern is about the messages log, I don't know how to interpret
> the log and I'm afraid that someone is trying to break in.
>
> Could somebody guide me and tell me what to do in order to make sure my
> server is secure?
> Thank you very much.
>
> - Joaquin!
>
> ------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@linuxsecurity.com
> with "unsubscribe" in the subject of the message.
>

--
duane

'People demand freedom of speech to make up for the freedom of thought which they avoid.' - Kierkegaard

http://www.linuxsecurity.com/feature_stories/feature_story-116.html
http://www.linuxsecurity.com/feature_stories/dsniff-monitoring.html -- Updated Version
http://www.linuxsecurity.com/feature_stories/feature_story-89.html
http://www.linuxsecurity.com/feature_stories/feature_story-88.html
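
Added example, not part of the original message or of either poster's tooling: a small Python parser for the kernel packet-log fields explained in the reply (IN, SPT, DPT), grouping entries by interface, protocol and destination port so that one port probed from many unrelated sources stands out. The sample input is the five kernel lines quoted above, unwrapped to one line each; the `L4LEN` key and the `PORT_NOTES` table are names chosen for this example.

```python
import re
from collections import defaultdict

# Kernel log entries quoted in the message, unwrapped to one line each.
SAMPLE_LOG = """\
Oct 7 20:59:16 Linolio kernel: IN=ppp0 OUT= MAC= SRC=64.172.120.252 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=113 ID=50988 PROTO=UDP SPT=1025 DPT=137 LEN=58
Oct 7 21:03:32 Linolio kernel: IN=ppp0 OUT= MAC= SRC=61.99.136.75 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=107 ID=63978 PROTO=UDP SPT=1027 DPT=137 LEN=58
Oct 7 21:04:46 Linolio kernel: IN=ppp0 OUT= MAC= SRC=210.178.168.234 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=106 ID=54964 PROTO=UDP SPT=1026 DPT=137 LEN=58
Oct 7 21:05:46 Linolio kernel: IN=ppp0 OUT= MAC= SRC=210.221.225.151 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=111 ID=6399 PROTO=UDP SPT=1026 DPT=137 LEN=58
Oct 7 21:06:05 Linolio kernel: IN=ppp0 OUT= MAC= SRC=163.180.21.160 DST=200.67.218.219 LEN=78 TOS=0x00 PREC=0x00 TTL=106 ID=4819 PROTO=UDP SPT=1043 DPT=137 LEN=58
"""

# Labels for ports named in the reply (this table is the example's own).
PORT_NOTES = {("UDP", 137): "NetBIOS name service"}

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value, value may be empty

def parse_line(line):
    """Split one packet-log line into its KEY=value fields.

    LEN appears twice (IP length, then UDP length); the second occurrence
    is stored as L4LEN so the first is not overwritten.
    """
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if key == "LEN" and "LEN" in fields:
            key = "L4LEN"
        fields[key] = value
    return fields

def summarize(log_text):
    """Map (interface, protocol, destination port) -> sorted distinct sources."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        f = parse_line(line)
        if "SRC" not in f or "DPT" not in f:
            continue  # not a packet line, or a protocol without ports
        groups[(f.get("IN", ""), f.get("PROTO", ""), int(f["DPT"]))].add(f["SRC"])
    return {key: sorted(srcs) for key, srcs in groups.items()}

if __name__ == "__main__":
    for (iface, proto, dpt), sources in summarize(SAMPLE_LOG).items():
        note = PORT_NOTES.get((proto, dpt), "unlabelled port")
        print(f"{iface} {proto}/{dpt} ({note}): {len(sources)} distinct sources")
        for src in sources:
            print("   ", src)
```

Five different sources hitting the same UDP port within a few minutes matches the "origin IP changes all the time" observation: unrelated hosts probing one service, not one host working through many ports.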