Re: [cobalt-users] Portsentry Logs.
- Subject: Re: [cobalt-users] Portsentry Logs.
- From: flash22@xxxxxxx
- Date: Sat Feb 24 03:21:03 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Tue, 20 Feb 2001, Jim Hagani wrote:
> Hi all,
>
> My RAQ3i was hacked yesterday, after restoring OS, I installed Portsentry,
> and since then I am getting this huge log with these 3 IP addresses only,
> trying to connect to port 67. The log shows an attempt every 2-10 seconds.
> These are not my IPs. Is this a hacker? What should I do?
>
> Feb 20 05:56:27 ns portsentry[1086]: attackalert: Connect from host:
> ws001.pegasuscomputers.net/64.65.18.10 to UDP port: 67
> Feb 20 05:56:27 ns portsentry[1086]: attackalert: Host: 64.65.18.10 is
> already blocked. Ignoring
> Feb 20 05:56:37 ns portsentry[1086]: attackalert: Connect from host:
> mail.pegasuscomputers.net/64.65.18.114 to UDP port: 67
> Feb 20 05:56:37 ns portsentry[1086]: attackalert: Host: 64.65.18.114 is
> already blocked. Ignoring
heh, well, i'm as confused as you now, bootp client requests are
occasionally just misconfigurations, however this machine is running
windows NT so i doubt it ;) doesn't have any obvious holes...
you could mention it to noc@xxxxxxxxxxxxxxxxxxxx , the IP belongs to
them..(Best guess is it has a forged source address tho, and someone is
playing..)
[none of these machines are listening on any port that reasonably could
get back a reply from you so it doesn't seem like it's really from those
machines]
gsh
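
An added example, not part of the original message: a small Python summarizer for Portsentry "Connect from host" alerts like the ones quoted above, grouping them by claimed source IP and port and noting when the port is a BOOTP/DHCP one. The function name, the `year` parameter (syslog timestamps carry no year) and the last sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# First four lines are the alerts quoted in the post (unwrapped);
# the fifth is constructed to show a repeat from the same host.
SAMPLE = """\
Feb 20 05:56:27 ns portsentry[1086]: attackalert: Connect from host: ws001.pegasuscomputers.net/64.65.18.10 to UDP port: 67
Feb 20 05:56:27 ns portsentry[1086]: attackalert: Host: 64.65.18.10 is already blocked. Ignoring
Feb 20 05:56:37 ns portsentry[1086]: attackalert: Connect from host: mail.pegasuscomputers.net/64.65.18.114 to UDP port: 67
Feb 20 05:56:37 ns portsentry[1086]: attackalert: Host: 64.65.18.114 is already blocked. Ignoring
Feb 20 05:56:41 ns portsentry[1086]: attackalert: Connect from host: ws001.pegasuscomputers.net/64.65.18.10 to UDP port: 67
"""

ALERT = re.compile(
    r"^(\w{3}\s+\d+ [\d:]{8}) \S+ portsentry\[\d+\]: attackalert: "
    r"Connect from host: (\S+)/(\S+) to (TCP|UDP) port: (\d+)$"
)
# UDP 67/68 are the BOOTP/DHCP server and client ports.
BOOTP = {("UDP", 67): "BOOTP/DHCP server port",
         ("UDP", 68): "BOOTP/DHCP client port"}

def summarize(text, year=2001):
    """Group connect alerts by (claimed source IP, protocol, port)."""
    seen = defaultdict(list)
    for line in text.splitlines():
        m = ALERT.match(line.strip())
        if not m:
            continue  # "already blocked" lines repeat the alert, skip them
        stamp, name, ip, proto, port = m.groups()
        when = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        # UDP source addresses are unverified: ip is what the packet claimed.
        seen[(ip, proto, int(port))].append((when, name))
    report = {}
    for key, events in seen.items():
        times = sorted(t for t, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {
            "hits": len(times),
            "names": sorted({n for _, n in events}),
            "mean_gap_s": sum(gaps) / len(gaps) if gaps else None,
            "note": BOOTP.get(key[1:], ""),
        }
    return report

if __name__ == "__main__":
    for (ip, proto, port), info in summarize(SAMPLE).items():
        print(ip, proto, port, info)
```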