snort log has a bunch of different attacks - should I be worried
Hello,
I have been running a server for a few months now for a hobby site and
had installed snort. I have reports of a whole range of attacks on the
server IP including
The distribution of attack methods
===============================================
    %    # of attacks   method
===============================================
 32.23       39         SCAN Proxy attempt
 11.57       14         WEB-CGI finger access
  8.26       10         WEB-MISC long basic authorization string
  6.61        8         WEB-CGI redirect access
  5.79        7         WEB-CGI tcsh access
  5.79        7         STEALTH ACTIVITY (nmap XMAS scan) detection {TCP}
  5.79        7         INFO - Possible Squid Scan
  4.13        5         WEB-IIS scripts access
  4.13        5         BAD TRAFFIC tcp port 0 traffic
  3.31        4         WEB-MISC count.cgi access
Which of these should I be worried about? Also, some of these scans seem
to be going *out*. Has this box been compromised? If so, how do I go
about tracking the compromise? I have a firewall running on this machine
with the following config (modified to remove irrelevant stuff). eth0 is
the external interface and eth1 the internal.
ganesh:/home/shri# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
block      all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
block      all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain block (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere           state NEW
DROP       all  --  anywhere             anywhere

ganesh:/home/shri# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
If this is not the right place to ask, I would very much appreciate it if
someone could point me in the right direction.
Any and all info appreciated.
Thanks for your time.
Shri
--
------------------------------------------------------------------------
Shri Shrikumar U R Byte Solutions
I.T. Consultant Edinburgh, Scotland Tel: (0131) 558 9990
Email: shri@urbyte.com Web: www.urbyte.com
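
Added example, not part of the original message: one way to check the "scans going out" question is to split the alert file by direction relative to the server's external address and list the outbound destinations. It assumes Snort's one-line "fast" alert format; SERVER_IP, the sample lines and the function name are constructed for illustration. Because the nat table masquerades traffic, alerts counted as outbound may come from hosts behind eth1 rather than from the server itself.

```python
import re
from collections import Counter

# Assumption: alerts are in Snort's one-line "fast" alert format.
# SERVER_IP is a placeholder documentation address, not taken from the post.
SERVER_IP = "192.0.2.10"

ALERT_RE = re.compile(
    r"\[\*\*\]\s+(?:\[\d+:\d+:\d+\]\s+)?(?P<msg>.+?)\s+\[\*\*\]"  # [**] [gid:sid:rev] msg [**]
    r".*?(?P<src>\d+\.\d+\.\d+\.\d+)(?::\d+)?\s+->\s+"            # src[:port] ->
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?::\d+)?"                        # dst[:port]
)

# Constructed sample lines (addresses, timestamps and the sid are made up).
SAMPLE_ALERTS = """\
08/14-02:11:09.120034 [**] SCAN Proxy attempt [**] [Priority: 2] {TCP} 198.51.100.7:4021 -> 192.0.2.10:8080
08/14-02:11:09.340211 [**] SCAN Proxy attempt [**] [Priority: 2] {TCP} 198.51.100.7:4022 -> 192.0.2.10:3128
08/14-03:40:51.000913 [**] WEB-CGI finger access [**] {TCP} 203.0.113.44:1188 -> 192.0.2.10:80
08/14-04:02:17.551200 [**] SCAN Proxy attempt [**] {TCP} 192.0.2.10:40112 -> 203.0.113.9:8080
08/14-04:02:19.018444 [**] [1:1000001:1] WEB-IIS scripts access [**] {TCP} 192.0.2.10:40390 -> 203.0.113.9:80
08/14-05:15:00.700001 [**] BAD TRAFFIC tcp port 0 traffic [**] {TCP} 10.0.0.5:0 -> 198.51.100.200:0
-- log rotated --
"""

def split_by_direction(log_text, server_ip):
    """Tally alert messages by direction relative to server_ip.

    Returns (tally, outbound_peers, unparsed).
    """
    tally = {"inbound": Counter(), "outbound": Counter(), "other": Counter()}
    outbound_peers = Counter()
    unparsed = 0
    for line in filter(str.strip, log_text.splitlines()):
        m = ALERT_RE.search(line)
        if m is None:
            unparsed += 1          # counted so parse gaps are not silent
        elif m["src"] == server_ip:
            tally["outbound"][m["msg"]] += 1
            outbound_peers[m["dst"]] += 1
        elif m["dst"] == server_ip:
            tally["inbound"][m["msg"]] += 1
        else:
            tally["other"][m["msg"]] += 1
    return tally, outbound_peers, unparsed

if __name__ == "__main__":
    tally, peers, unparsed = split_by_direction(SAMPLE_ALERTS, SERVER_IP)
    for direction, counts in tally.items():
        for msg, n in counts.most_common():
            print(f"{direction:9} {n:3}  {msg}")
    print("outbound destinations:", dict(peers), "| unparsed lines:", unparsed)
```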