Hacked server
hi, a little while ago one of my servers got hacked...
Since I can't reinstall it, at least for now, I wanted to find a way to plug the various holes.
I installed snort today and this is the first result:
Let me say up front that 192.168.3.9 is the machine in question..
all the others are local anyway... tomorrow I'll figure out which ones...
thanks
example
/var/log/snort/alert
[**] [1:648:4] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
11/05-20:15:24.333343 192.168.3.175:1026 -> 192.168.3.9:139
TCP TTL:128 TOS:0x0 ID:5512 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xBAB0515D Ack: 0x8C180816 Win: 0x43A1 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]
snort-stat
The log begins from: 11 05 16:58:30
The log ends at: 11 05 20:15:24
Total events: 88
Signatures recorded: 8
Source IP recorded: 6
Destination IP recorded: 3
Portscan recorded: 4
The number of attacks from same host to same
destination using same method
=========================================================================
# of
attacks from to method
=========================================================================
59 192.168.3.175 192.168.3.9 SHELLCODE x86 NOOP
10 192.168.3.254 192.168.3.9 WEB-CGI calendar access
9 192.168.3.128 192.168.3.9 ICMP Destination Unreachable (Port Unreachable)
2 192.168.3.9 192.168.3.128 ICMP Echo Reply
2 192.168.3.154 192.168.3.9 NETBIOS Samba clientaccess
2 192.168.3.9 192.168.3.148 ICMP Echo Reply
2 192.168.3.128 192.168.3.9 ICMP PING *NIX
1 192.168.3.148 192.168.3.9 ICMP PING NMAP
1 192.168.3.148 192.168.3.9 ICMP L3retriever Ping
Percentage and number of attacks from a host to a
destination
============================================================
# of
% attacks from to
============================================================
67.05 59 192.168.3.175 192.168.3.9
12.50 11 192.168.3.128 192.168.3.9
11.36 10 192.168.3.254 192.168.3.9
2.27 2 192.168.3.148 192.168.3.9
2.27 2 192.168.3.9 192.168.3.128
2.27 2 192.168.3.9 192.168.3.148
2.27 2 192.168.3.154 192.168.3.9
Percentage and number of attacks from one host to any
with same method
==============================================================
# of
% attacks from method
==============================================================
67.05 59 192.168.3.175 SHELLCODE x86 NOOP
11.36 10 192.168.3.254 WEB-CGI calendar access
10.23 9 192.168.3.128 ICMP Destination Unreachable (Port Unreachable)
4.55 4 192.168.3.9 ICMP Echo Reply
2.27 2 192.168.3.128 ICMP PING *NIX
2.27 2 192.168.3.154 NETBIOS Samba clientaccess
1.14 1 192.168.3.148 ICMP L3retriever Ping
1.14 1 192.168.3.148 ICMP PING NMAP
Percentage and number of attacks to one certain host
=================================================================
# of
% attacks to method
=================================================================
67.05 59 192.168.3.9 SHELLCODE x86 NOOP
11.36 10 192.168.3.9 WEB-CGI calendar access
10.23 9 192.168.3.9 ICMP Destination Unreachable (Port Unreachable)
2.27 2 192.168.3.9 ICMP PING *NIX
2.27 2 192.168.3.128 ICMP Echo Reply
2.27 2 192.168.3.148 ICMP Echo Reply
2.27 2 192.168.3.9 NETBIOS Samba clientaccess
1.14 1 192.168.3.9 ICMP L3retriever Ping
1.14 1 192.168.3.9 ICMP PING NMAP
The distribution of attack methods
===============================================
# of
% attacks method
===============================================
67.05 59 SHELLCODE x86 NOOP
59 192.168.3.175 -> 192.168.3.9
11.36 10 WEB-CGI calendar access
10 192.168.3.254 -> 192.168.3.9
10.23 9 ICMP Destination Unreachable (Port Unreachable)
9 192.168.3.128 -> 192.168.3.9
4.55 4 ICMP Echo Reply
2 192.168.3.9 -> 192.168.3.128
2 192.168.3.9 -> 192.168.3.148
2.27 2 NETBIOS Samba clientaccess
2 192.168.3.154 -> 192.168.3.9
2.27 2 ICMP PING *NIX
2 192.168.3.128 -> 192.168.3.9
1.14 1 ICMP PING NMAP
1 192.168.3.148 -> 192.168.3.9
1.14 1 ICMP L3retriever Ping
1 192.168.3.148 -> 192.168.3.9
Portscans performed to/from HOME_NET
===================================
# of
attacks from
===================================
4 192.168.3.9
--
Theory is when you know everything but nothing works.
Practice is when everything works but nobody knows why.
In any case you always end up combining theory with
practice: nothing works and nobody knows why.
Albert Einstein
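As an added example (this is not code from the post or from the Snort project): a small Python parser for the full-format alert records shown in /var/log/snort/alert above, with the same per-source/destination/signature aggregation that snort-stat prints, plus a split between alerts aimed at the compromised host and alerts it originates, which is the view a defender needs when the question is "is this box attacking my LAN". The log sample is constructed in the same layout as the excerpt; the addresses come from the post, while the signature ids other than 1:648:4, the classifications and every packet field are made-up placeholders.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample in Snort's "full" alert format, same layout as the
# /var/log/snort/alert excerpt in the post. Addresses are the post's own;
# sids other than 1:648:4, classifications and packet fields are placeholders.
SAMPLE_ALERT_LOG = """\
[**] [1:648:4] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
11/05-20:15:24.333343 192.168.3.175:1026 -> 192.168.3.9:139
TCP TTL:128 TOS:0x0 ID:5512 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xBAB0515D Ack: 0x8C180816 Win: 0x43A1 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:648:4] SHELLCODE x86 NOOP [**]
[Classification: Executable code was detected] [Priority: 1]
11/05-20:15:25.101010 192.168.3.175:1026 -> 192.168.3.9:139
TCP TTL:128 TOS:0x0 ID:5513 IpLen:20 DgmLen:1500 DF
***A**** Seq: 0xBAB0571D Ack: 0x8C180816 Win: 0x43A1 TcpLen: 20
[Xref => http://www.whitehats.com/info/IDS181]

[**] [1:999901:1] WEB-CGI calendar access [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/05-20:16:02.000001 192.168.3.254:33021 -> 192.168.3.9:80
TCP TTL:64 TOS:0x0 ID:40211 IpLen:20 DgmLen:240 DF
***AP*** Seq: 0x1A2B3C4D Ack: 0x5E6F7A8B Win: 0x16D0 TcpLen: 32

[**] [1:999902:1] ICMP PING NMAP [**]
[Classification: Attempted Information Leak] [Priority: 2]
11/05-20:17:40.555555 192.168.3.148 -> 192.168.3.9
ICMP TTL:42 TOS:0x0 ID:1 IpLen:20 DgmLen:28
Type:8  Code:0  ID:0   Seq:0  ECHO
"""

# One regex per record line type. Ports are optional (absent for ICMP);
# the classification bracket is optional (Snort prints a bare [Priority: N]
# for rules without a classtype).
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]$")
PRIO_RE = re.compile(r"^(?:\[Classification: (.+?)\] )?\[Priority: (\d+)\]$")
FLOW_RE = re.compile(
    r"^(\d\d/\d\d(?:/\d\d)?-\d\d:\d\d:\d\d\.\d+) "
    r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))? -> "
    r"(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?$"
)
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) TTL:(\d+) ")
XREF_RE = re.compile(r"\[Xref => ([^\]]+)\]")


def parse_alerts(text: str) -> List[Dict]:
    """Parse blank-line separated Snort full-format alert records into dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or not (m := HEADER_RE.match(lines[0])):
            continue  # not an alert record (e.g. a portscan summary line)
        rec: Dict = {
            "gid": int(m.group(1)), "sid": int(m.group(2)), "rev": int(m.group(3)),
            "msg": m.group(4), "classification": None, "priority": None,
            "timestamp": None, "src": None, "sport": None, "dst": None,
            "dport": None, "proto": None, "ttl": None, "xrefs": [],
        }
        for ln in lines[1:]:
            if p := PRIO_RE.match(ln):
                rec["classification"], rec["priority"] = p.group(1), int(p.group(2))
            elif f := FLOW_RE.match(ln):
                rec["timestamp"], rec["src"], rec["dst"] = f.group(1), f.group(2), f.group(4)
                rec["sport"] = int(f.group(3)) if f.group(3) else None
                rec["dport"] = int(f.group(5)) if f.group(5) else None
            elif t := PROTO_RE.match(ln):
                rec["proto"], rec["ttl"] = t.group(1), int(t.group(2))
            else:
                rec["xrefs"].extend(XREF_RE.findall(ln))
        alerts.append(rec)
    return alerts


def attacks_by_triple(alerts: List[Dict]) -> Counter:
    """Count alerts per (source, destination, signature), as snort-stat does."""
    return Counter((a["src"], a["dst"], a["msg"]) for a in alerts)


def percentage_table(counts: Counter) -> List[Tuple[float, int, tuple]]:
    """snort-stat style rows: (percent of all alerts, count, key), most frequent first."""
    total = sum(counts.values())
    return [(round(100.0 * n / total, 2), n, key) for key, n in counts.most_common()]


def triage(alerts: List[Dict], host: str) -> Tuple[List[Dict], List[Dict]]:
    """Split alerts into those aimed at the suspect host and those it originates."""
    inbound = [a for a in alerts if a["dst"] == host]
    outbound = [a for a in alerts if a["src"] == host]
    return inbound, outbound


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERT_LOG)
    for pct, n, (src, dst, msg) in percentage_table(attacks_by_triple(parsed)):
        print(f"{pct:6.2f} {n:4d} {src:15s} {dst:15s} {msg}")
    inb, outb = triage(parsed, "192.168.3.9")
    print(f"inbound to 192.168.3.9: {len(inb)}, originated by it: {len(outb)}")
```

Read this way, the snort-stat summary in the post says less about the compromise than its size suggests: all 59 SHELLCODE x86 NOOP hits come from a single internal host to port 139 on 192.168.3.9 with TTL 128, the profile of a Windows client moving data over SMB, and the x86 NOOP rule is known to match long runs of filler bytes in ordinary binary transfers; the ICMP Echo Reply rows with 192.168.3.9 as source are just its answers to the pings from .128 and .148. The records worth pulling first are the ones in which 192.168.3.9 is the source, starting with the 4 portscans snort-stat attributes to it, because an already compromised host probing its own LAN is the signal the inbound tables cannot give.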