Attack Alert advice
Jeepsta
12-06-2000, 02:30 PM
I checked my logs today and found an attack.
attackalert: SYN/Normal scan from host: rdu88-246-099.nc.rr.com/24.88.246.99 to TCP port: 6667
attackalert: Host 24.88.246.99 has been blocked via wrappers with string: "ALL: 24.88.246.99"
attackalert: Host 24.88.246.99 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 24.88.246.99 -j DENY -l"
This is the first that I have seen and I would just like a little advice on what happened, especially the line "SYN/Normal scan from host:..."
Thanx
------------------
It's a jeep thing... You wouldn't understand.
ph34r
12-06-2000, 04:23 PM
The port shown is a standard IRC server port - could it have been your ISP looking to see if you are/were running a server?
Jeepsta
12-06-2000, 04:28 PM
That is what I was hoping someone here could tell me. So how would scanning an IRC port reveal that I am running a server? It seems like portsentry did its job.
------------------
It's a jeep thing... You wouldn't understand.
Fandelem
12-06-2000, 05:08 PM
Well, is it your ISP, first of all?
It could be someone who typed in the wrong address the first time as well. Don't get paranoid after the first time something like this happens... just be aware of it :}
Jeepsta
12-06-2000, 06:43 PM
I think that it was my ISP, which is RR. I am by no means paranoid, but the server has only been up like 5 days. This was the first attack alert I have seen, so I was just curious what to take out of what I saw in the log.
Thanx
Zach
------------------
It's a jeep thing... You wouldn't understand.
posterboy
12-06-2000, 10:13 PM
I have RR here, also. I have never (yet) seen them scan for chat servers. They love to poke around in my sendmail, running relay tests to see if I am open to that evil. I run SSH, Apache, and POP servers, and they find them all. Not a word is said to me about it. Normally the scanners are deliberately revealed, something like rr.sec.va.something; I mean it's all open and above board, not the least bit sneaky. The security folks are all in Virginia, and this is where the scanners are run from. If they pop me on 21, which is closed, portsentry will bar them from any further monkeying around. They don't mind, as they will be back later in the week. In a normal week here, I will have my doorknob rattled maybe 10 times. One of these will be from RR. Try this:
grep attack /var/log/messages
Put that in a script named attack. You will get a week's worth of attacks, then the logs will rotate and you start another week.
Ray
------------------
ray@raymondjones.net HTTP://www.raymondjones.net
[This message has been edited by posterboy (edited 06 December 2000).]
Jeepsta
12-06-2000, 11:58 PM
Newbie here, so I don't know how to put that in a script. Could you please be a little more specific for me?
Do you believe that I was scanned by someone other than RR? Not worried, but I am just wondering.
Thanx,
Zach
------------------
It's a jeep thing... You wouldn't understand.
posterboy
12-07-2000, 08:52 AM
No, it was certainly an RR address; that's not in doubt. What is certainly in doubt is that it was an RR security scan. That person had a North Carolina addy, which makes me think it was either A. a mistyped effort to get into a chat server, or B. a scan over a range of IPs for an open chat server. Remember that often, the IP addy for these folks is NOT really their addy. They often scan from an already compromised box, somewhere. OK, the script.
Get an editor and create this:
grep attack /var/log/messages
Name this one-line file "attack".
Next, chmod +x attack
Now make sure it works with ./attack
Put this somewhere in your path, maybe /usr/bin
To run it, just type "attack" and you will get all the attacks repelled for this week. I also do less /var/log/secure, lastb, last and lastlog on a nearly daily basis. HTH, Ray
------------------
ray@raymondjones.net HTTP://www.raymondjones.net
[This message has been edited by posterboy (edited 07 December 2000).]
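Added example, not posted by anyone in this thread: a small POSIX shell script that goes one step beyond Ray's "grep attack /var/log/messages". It pulls the source IP, the probed port and the block method out of portsentry's attackalert lines (the three forms Zach quoted in the first post) so you can see at a glance who rattled which doorknob, and whether both the hosts.deny entry and the ipchains DENY rule actually went in. The log excerpt inside sample_log is constructed with documentation addresses, and the function names are mine, not portsentry's.

```shell
#!/bin/sh
# Added example (not from the thread): summarize portsentry "attackalert"
# lines of the kind quoted above, as a step up from "grep attack /var/log/messages".
# All sample data below is constructed; the IPs are documentation addresses.

# Constructed syslog excerpt, using only the three line forms shown in the thread.
sample_log() {
  cat <<'EOF'
Dec  6 14:02:11 jeep portsentry[412]: attackalert: SYN/Normal scan from host: host-a.example/192.0.2.10 to TCP port: 6667
Dec  6 14:02:11 jeep portsentry[412]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
Dec  6 14:02:11 jeep portsentry[412]: attackalert: Host 192.0.2.10 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.0.2.10 -j DENY -l"
Dec  6 18:40:02 jeep portsentry[412]: attackalert: SYN/Normal scan from host: host-b.example/198.51.100.7 to TCP port: 21
Dec  6 18:40:02 jeep portsentry[412]: attackalert: Host 198.51.100.7 has been blocked via wrappers with string: "ALL: 198.51.100.7"
Dec  7 01:15:44 jeep portsentry[412]: attackalert: SYN/Normal scan from host: host-a.example/192.0.2.10 to TCP port: 25
EOF
}

# Escape the dots in an IP so it can be used literally inside a regex.
ip_re() {
  printf '%s' "$1" | sed 's/\./\\./g'
}

# Count the scan events portsentry reported for one source IP.
scans_from() {
  sample_log | grep -c "scan from host: [^/]*/$(ip_re "$1") to "
}

# Distinct proto/port pairs that one source IP probed, sorted, on one line.
ports_hit_by() {
  sample_log \
    | sed -n "s|.*scan from host: [^/]*/$(ip_re "$1") to \([A-Z]*\) port: \([0-9]*\).*|\1/\2|p" \
    | sort -u | paste -s -d ' ' -
}

# Which of portsentry's two responses fired for this IP: tcp_wrappers
# (a hosts.deny entry) and/or a dropped route (the ipchains DENY rule).
block_methods() {
  ip=$(ip_re "$1")
  out=""
  if sample_log | grep -q "Host $ip has been blocked via wrappers"; then
    out="wrappers"
  fi
  if sample_log | grep -q "Host $ip has been blocked via dropped route"; then
    out="$out${out:+ }route"
  fi
  printf '%s\n' "$out"
}

# Per-host scan count, most active first, as "<count> <ip>".
scan_summary() {
  sample_log \
    | sed -n 's|.*scan from host: [^/]*/\([0-9.]*\) to .*|\1|p' \
    | sort | uniq -c | sort -rn
}

# Number of distinct scanning hosts seen in the log.
scanning_hosts() {
  echo $(( $(scan_summary | wc -l) ))
}

scan_summary
```

To use it on a real box, replace the sample_log body with cat /var/log/messages (or the file your syslog writes portsentry to) and drop it in your path next to Ray's one-liner; as Ray says, it then covers whatever the current rotation of the log holds. A host that shows up with "wrappers" but no "route" is worth a look, since it means the hosts.deny line went in but the ipchains command did not.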