I'm getting ready to put an OpenBSD box on the net. I've just installed OBSD 3.2, enabled Apache, and done very little else to it. We ran a Nessus scan and were somewhat surprised to discover that it's running ident. I was even more surprised -- and >>completely<< delighted -- to see that inetd and ident recorded a whole lot of unauthorized connection attempt messages in syslog when it got hit with the scan:

Dec 3 18:38:16 bettiepage inetd[20239]: accept (for time): Software caused connection abort
Dec 3 18:38:16 bettiepage inetd[20239]: accept (for ftp): Software caused connection abort
Dec 3 18:38:16 bettiepage inetd[20239]: accept (for ident): Software caused connection abort
Dec 3 18:39:12 bettiepage identd[5128]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 3 18:39:12 bettiepage identd[29996]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 3 18:39:12 bettiepage identd[13377]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 3 18:39:12 bettiepage identd[1804]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 3 18:39:21 bettiepage identd[15689]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 3 18:39:23 bettiepage identd[31692]: read from netops-26.Stanford.EDU: EOF
Dec 3 18:39:41 bettiepage identd[7624]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 3 18:39:41 bettiepage identd[4088]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 3 18:39:41 bettiepage identd[18061]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 4 17:12:53 bettiepage inetd[20239]: accept (for time): Software caused connection abort
Dec 4 17:12:53 bettiepage inetd[20239]: accept (for ftp): Software caused connection abort
Dec 4 17:12:53 bettiepage inetd[20239]: accept (for ident): Software caused connection abort
Dec 4 17:13:55 bettiepage identd[4717]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 4 17:13:55 bettiepage identd[15209]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 4 17:14:00 bettiepage identd[16074]: read from netops-26.Stanford.EDU: EOF
Dec 4 17:14:00 bettiepage identd[13534]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 4 17:14:10 bettiepage identd[25838]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 4 17:14:11 bettiepage identd[9691]: read from netops-26.Stanford.EDU: EOF
Dec 4 17:14:26 bettiepage identd[29770]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 4 17:14:26 bettiepage identd[18091]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 4 17:14:26 bettiepage identd[3823]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU

Okay, so I'm easily amused. But I'm pretty used to >not< seeing log data that I expect to see. Having data show up that I don't expect is a lovely change of pace!

cheers -- tbird

_______________________________________________
LogAnalysis mailing list
LogAnalysisat_private
http://lists.shmoo.com/mailman/listinfo/loganalysis
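
One way to correlate the two daemons' messages, as an added example that is not part of the original post: the inetd abort lines carry no peer address, so the script groups lines into time bursts and takes the source host from the identd lines in the same burst. The sample lines are copied from the post; the year 2002, the five-minute gap and the function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Lines copied from the post; year (absent from syslog) and gap are assumptions.
SAMPLE = """\
Dec 3 18:38:16 bettiepage inetd[20239]: accept (for time): Software caused connection abort
Dec 3 18:38:16 bettiepage inetd[20239]: accept (for ftp): Software caused connection abort
Dec 3 18:38:16 bettiepage inetd[20239]: accept (for ident): Software caused connection abort
Dec 3 18:39:12 bettiepage identd[5128]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 3 18:39:23 bettiepage identd[31692]: read from netops-26.Stanford.EDU: EOF
Dec 4 17:12:53 bettiepage inetd[20239]: accept (for time): Software caused connection abort
Dec 4 17:13:55 bettiepage identd[4717]: scanf: invalid-port(s): 0 , 0 from netops-26.Stanford.EDU
Dec 4 17:14:00 bettiepage identd[16074]: read from netops-26.Stanford.EDU: EOF
"""

LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) \S+ (inetd|identd)\[\d+\]: (.*)$")
ABORT = re.compile(r"^accept \(for (\S+)\): Software caused connection abort$")
BADREQ = re.compile(r"^scanf: invalid-port\(s\): .* from (\S+)$")
EOF = re.compile(r"^read from (\S+): EOF$")

def parse(text, year=2002):
    """Yield (timestamp, kind, value) for the three message shapes in the post."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        for kind, rx in (("abort", ABORT), ("badreq", BADREQ), ("eof", EOF)):
            hit = rx.match(m.group(3))
            if hit:
                yield ts, kind, hit.group(1)

def bursts(events, gap=timedelta(minutes=5)):
    """Group events separated by at most `gap`; summarise each group."""
    out, prev = [], None
    for ts, kind, value in sorted(events):
        if prev is None or ts - prev > gap:
            out.append({"start": ts, "services": set(), "hosts": Counter()})
        if kind == "abort":
            out[-1]["services"].add(value)   # inetd logs no peer address
        else:
            out[-1]["hosts"][value] += 1     # identd names the peer
        prev = ts
    return out

if __name__ == "__main__":
    for b in bursts(parse(SAMPLE)):
        print(b["start"], sorted(b["services"]), dict(b["hosts"]))
```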
This archive was generated by hypermail 2b30 : Wed Dec 04 2002 - 17:43:56 PST