attack alert, portsentry, /var/log/messages

Harvey
11-30-2000, 04:14 AM
Saw this in my messages file today: attack alert. Haven't seen one of these before. It seems to be okay, not sure. Could someone explain what happened here?

Nov 29 19:00:16 localhost portsentry[21114]: attackalert: Connect from host: alin1.yerphi.am/212.42.192.71 to TCP port: 111
Nov 29 19:00:16 localhost portsentry[21114]: attackalert: Host 212.42.192.71 has been blocked via wrappers with string: "ALL: 212.42.192.71"
Nov 29 19:00:16 localhost portsentry[21114]: attackalert: Host 212.42.192.71 has been blocked via dropped route using command: "/sbin/route add -host 212.42.192.71 reject"
Nov 29 19:00:17 localhost portsentry[21114]: attackalert: Connect from host: alin1.yerphi.am/212.42.192.71 to TCP port: 111
Nov 29 19:00:17 localhost portsentry[21114]: attackalert: Host: 212.42.192.71 is already blocked. Ignoring
Nov 29 19:12:21 localhost portsentry[21114]: attackalert: Connect from host: 212.27.165.66/212.27.165.66 to TCP port: 111
Nov 29 19:12:21 localhost portsentry[21114]: attackalert: Host 212.27.165.66 has been blocked via wrappers with string: "ALL: 212.27.165.66"
Nov 29 19:12:21 localhost portsentry[21114]: attackalert: Host 212.27.165.66 has been blocked via dropped route using command: "/sbin/route add -host 212.27.165.66 reject"
Nov 29 19:12:21 localhost portsentry[21114]: attackalert: Connect from host: 212.27.165.66/212.27.165.66 to TCP port: 111
Nov 29 19:12:21 localhost portsentry[21114]: attackalert: Host: 212.27.165.66 is already blocked. Ignoring
Nov 29 19:29:00 localhost -- MARK --


------------------
Help me I'm Harvey!

posterboy
11-30-2000, 11:08 AM
The dude was looking for an open port into Sun's portmapping services on 110. This happens here maybe 10 times a week. Nothing to be concerned about, really; portsentry did just what you installed it for, and the "looker" was repelled.
Ray


------------------
ray@raymondjones.net
HTTP://www.raymondjones.net

Harvey
11-30-2000, 05:59 PM
How do you know that he was looking for that specific thing on port 110?

doesn't the line...

TCP port: 111

indicate that he was looking for something on that port? 111?

Sokertes
11-30-2000, 08:58 PM
I did a trace on that IP. It shows that 212.42.192.71 came from Yerevan, Armenia, while 212.27.165.66 came from Basel, Switzerland. Although portsentry caught it like it was designed to, I would keep an eye out on these. Take it from me, the webserver I maintain at work was almost compromised by somebody in Singapore. They kept trying over the weekend when I was at home taking it easy. Come Monday morning I was relieved that my firewall and portsentry were working while I was taking it easy. Just with that one instance I learned that you can never be too careful or overly paranoid.

Good work on scoping and checking your syslog files.

Sokertes

Harvey
11-30-2000, 11:11 PM
How did you do the trace on the IP? I'd love to know how to do that :)

posterboy
12-01-2000, 08:30 AM
Ahhh, Harvey, sorry, that's a mistype from the King of Typos. 111 is the portmapper service; I mistyped 110, which is, of course, pop3. To see what these "knob rattlers" are looking for, try this:
grep 111 /etc/services
That will get you what he was trying to find. To trace them back, do a whois on them, and a dig (read those man pages), and you can find his DNS box, then use it with nslookup and an ls -d will dump their entire network. HOWEVER, bear in mind that A: A lot of this is spoofed. B: Many of these guys are already in a compromised machine, and are coming from an innocent person's computer, NOT their own, at all.
Ray

Oh, BTW, here's a handy thing:
My portsentry uses the word attack in the logs, and that's the only thing that does. SO.....
grep attack /var/log/messages
can be put in a script named "attack" and you will get a week's worth of attacks every time you ask for it. Then the logs rotate, and you start over.
------------------
ray@raymondjones.net HTTP://www.raymondjones.net

[This message has been edited by posterboy (edited 01 December 2000).]
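As an added example that is not code from the thread or from portsentry itself, the "grep attack" idea above can be turned into a small summary script: it pulls the "Connect from host" events out of a syslog-format file, counts attempts per source address and per port, lists the addresses portsentry says it blocked, and names the port the way "grep 111 /etc/services" would. It assumes the portsentry 1.x log format shown in the thread; the sample log is built from the lines Harvey posted, and the service lookup falls back to "unknown" on systems without /etc/services.

```shell
#!/bin/sh
# Added example (not from the thread or from portsentry): summarize portsentry
# "attackalert" entries from a syslog-format file. The log format is assumed to
# match the messages quoted in the thread; the sample below is built from them.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Nov 29 19:00:16 localhost portsentry[21114]: attackalert: Connect from host: alin1.yerphi.am/212.42.192.71 to TCP port: 111
Nov 29 19:00:16 localhost portsentry[21114]: attackalert: Host 212.42.192.71 has been blocked via wrappers with string: "ALL: 212.42.192.71"
Nov 29 19:00:16 localhost portsentry[21114]: attackalert: Host 212.42.192.71 has been blocked via dropped route using command: "/sbin/route add -host 212.42.192.71 reject"
Nov 29 19:00:17 localhost portsentry[21114]: attackalert: Connect from host: alin1.yerphi.am/212.42.192.71 to TCP port: 111
Nov 29 19:00:17 localhost portsentry[21114]: attackalert: Host: 212.42.192.71 is already blocked. Ignoring
Nov 29 19:12:21 localhost portsentry[21114]: attackalert: Connect from host: 212.27.165.66/212.27.165.66 to TCP port: 111
Nov 29 19:12:21 localhost portsentry[21114]: attackalert: Host 212.27.165.66 has been blocked via wrappers with string: "ALL: 212.27.165.66"
Nov 29 19:12:21 localhost portsentry[21114]: attackalert: Host 212.27.165.66 has been blocked via dropped route using command: "/sbin/route add -host 212.27.165.66 reject"
Nov 29 19:12:21 localhost portsentry[21114]: attackalert: Connect from host: 212.27.165.66/212.27.165.66 to TCP port: 111
Nov 29 19:12:21 localhost portsentry[21114]: attackalert: Host: 212.27.165.66 is already blocked. Ignoring
Nov 29 19:29:00 localhost -- MARK --
EOF

# One line per connection attempt: "<source-ip> <proto> <port>"
attack_events() {
    grep 'portsentry\[[0-9]*\]: attackalert: Connect from host:' "$1" |
        sed -E 's#.*Connect from host: [^ ]*/([0-9.]+) to (TCP|UDP) port: ([0-9]+).*#\1 \2 \3#'
}

# Attempts per source address, busiest first: "<count> <ip>"
attempts_per_host() {
    attack_events "$1" | awk '{ print $1 }' | sort | uniq -c | sort -rn
}

# Attempts per port, busiest first: "<count> <proto> <port>"
attempts_per_port() {
    attack_events "$1" | awk '{ print $2, $3 }' | sort | uniq -c | sort -rn
}

# Addresses portsentry reports as blocked (via wrappers or a reject route), sorted, unique
blocked_hosts() {
    grep 'attackalert: Host [0-9.]* has been blocked' "$1" |
        sed -E 's/.*Host ([0-9.]+) has been blocked.*/\1/' | sort -u
}

# Service name for "<proto> <port>" from /etc/services (what `grep 111 /etc/services`
# would show), or "unknown" when the file is missing or has no entry
service_name() {
    want="$2/$(echo "$1" | tr 'A-Z' 'a-z')"
    name=$(awk -v want="$want" '$2 == want { print $1; exit }' /etc/services 2>/dev/null || true)
    printf '%s\n' "${name:-unknown}"
}

# Human-readable report for one log file
report() {
    echo "== hosts blocked by portsentry =="
    blocked_hosts "$1"
    echo "== connection attempts per host =="
    attempts_per_host "$1"
    echo "== connection attempts per port =="
    attempts_per_port "$1" | while read -r count proto port; do
        echo "$count $proto/$port ($(service_name "$proto" "$port"))"
    done
}

report "$SAMPLE_LOG"
```

Point it at the real file with "report /var/log/messages" (or the rotated copies) instead of the sample; because it only reads "Connect from" lines, the "already blocked. Ignoring" entries are not double-counted, and the per-port view shows at a glance whether the week was all portmapper probing or something new.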

Sokertes
12-01-2000, 10:11 PM
I did the trace on my win machine with an app called VisualRoute. It maps out the traveled hops for the given IP# and gives you info on what company, DNS, location, all kinds of cool stuff. I believe you can find it at www.download.com (http://www.download.com) or even at www.tucows.com (http://www.tucows.com). I use it on my win machine because I can't find anything for nix that is comparable or can give such valuable info. It's not a free app but there is a crack for it. But you didn't hear it from me ;)

Sokertes

[This message has been edited by Sokertes (edited 01 December 2000).]