Security Question

From: Paul Speck (paul.speckat_private)
Date: Wed Oct 24 2001 - 15:57:30 PDT

Next message: Ed Shirley: "NC_S_ISLCK Group Added"

Previous message: Portnoy, Gary: "RE: Odd traffic generated from Exchange Server"
Next in thread: Hoyt Plunkett: "RE: Security Question"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

I am attaching log files whichshow  two days of attack and then an IP Spoof.
Is this an indication of a successful access of our Red Hat 7.1 Linux
machine?  The Firewall manufacture (SonicWall) says no, but I am not sure of
that.  The MAC address is our Linux box.  On the IP Spoof, neither Source
nor Destination are on our LAN.
  

10/20/2001 08:12:46.160 - Possible Port Scan - Source:209.195.200.206,
53744, WAN - Destination:208.26.184.xxx, 5579, LAN - - 

10/20/2001 08:12:58.304 - Striker Attack Dropped - Source:209.195.200.206,
55387, WAN - Destination:208.26.184.xxx, 2565, WAN - - 

10/20/2001 08:13:00.368 - Sub Seven Attack Dropped - Source:209.195.200.206,
55653, WAN - Destination:208.26.184.xxx, 1243, WAN - - 

10/20/2001 08:13:06.592 - Ini Killer Attack Dropped -
Source:209.195.200.206, 56491, WAN - Destination:208.26.184.xxx, 9989, WAN -
- 

10/20/2001 08:13:32.208 - Ripper Attack Dropped - Source:209.195.200.206,
59280, WAN - Destination:208.26.184.xxx, 2023, WAN - - 

10/20/2001 08:14:38.816 - Net Spy Attack Dropped - Source:209.195.200.206,
65247, WAN - Destination:208.26.184.xxx, 1024, WAN - -


10/21/2001 06:44:32.640 - Probable Port Scan - Source:202.219.52.137, 3162,
WAN - Destination:208.26.184.xxx, 908, LAN - - 

10/21/2001 06:45:29.288 - Sub Seven Attack Dropped - Source:202.219.52.137,
3619, WAN - Destination:208.26.184.xxx, 6711, WAN - - 

10/21/2001 06:45:30.000 - Ripper Attack Dropped - Source:202.219.52.137,
3764, WAN - Destination:208.26.184.xxx, 2023, WAN - - 

10/21/2001 06:45:40.400 - Striker Attack Dropped - Source:202.219.52.137,
1841, WAN - Destination:208.26.184.xxx, 2565, WAN - - 

10/21/2001 06:45:41.176 - Net Spy Attack Dropped - Source:202.219.52.137,
2002, WAN - Destination:208.26.184.xxx, 1024, WAN - - 

10/21/2001 06:45:43.176 - Ini Killer Attack Dropped - Source:202.219.52.137,
2438, WAN - Destination:208.26.184.xxx, 9989, WAN - - 

10/21/2001 06:48:15.352 - Back Orifice Attack Dropped -
Source:202.219.52.137, 2220, WAN - Destination:208.26.184.xxx, 31337, WAN -
- 

10/21/2001 06:48:44.032 - NetBus Attack Dropped - Source:202.219.52.137,
4238, WAN - Destination:208.26.184.xxx, 12345, WAN - - 

10/21/2001 06:49:14.368 - Priority Attack Dropped - Source:202.219.52.137,
2770, WAN - Destination:208.26.184.xxx, 16969, WAN - - 

10/21/2001 07:38:20.544 - IP spoof detected - Source:194.153.255.99, 8, LAN
- Destination:192.117.189.191, 8, WAN - MAC address: 00.06.5B.1A.1E.EB - 

Paul
 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: Ed Shirley: "NC_S_ISLCK Group Added"
Previous message: Portnoy, Gary: "RE: Odd traffic generated from Exchange Server"
Next in thread: Hoyt Plunkett: "RE: Security Question"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Oct 24 2001 - 16:00:03 PDT