From: Andreas Höschler (ahoesch@smartsoft.de)
Date: Mon Aug 27 2007 - 07:01:38 EDT
Dear managers,
it was stated that a telnet attack was started from a Solaris 10
machine I am responsible for. I doubt that. However, I got the
following log file:
Event Date Time, Destination IP, IP Protocol, Target Port, Issue Description, Source Port, Event Count
EventRecord: 26 Aug 2007 02:26:37, 199.17.x.x, 6, 23, Telnet, 50593, 1
EventRecord: 26 Aug 2007 02:26:27, 199.17.x.x, 6, 23, Telnet, 50331, 2
EventRecord: 26 Aug 2007 02:26:17, 199.17.x.x, 6, 23, Telnet, 50064, 2
EventRecord: 26 Aug 2007 02:26:07, 199.17.x.x, 6, 23, Telnet, 49797, 2
EventRecord: 26 Aug 2007 02:25:57, 199.17.x.x, 6, 23, Telnet, 49530, 2
EventRecord: 26 Aug 2007 02:25:50, 199.17.x.x, 6, 23, Telnet, 49264, 1
EventRecord: 26 Aug 2007 02:25:47, 199.17.x.x, 6, 23, Telnet, 49264, 1
EventRecord: 26 Aug 2007 02:25:40, 199.17.x.x, 6, 23, Telnet, 49001, 1
EventRecord: 26 Aug 2007 02:25:37, 199.17.x.x, 6, 23, Telnet, 49001, 1
EventRecord: 26 Aug 2007 02:25:27, 199.17.x.x, 6, 23, Telnet, 48740, 2
EventRecord: 26 Aug 2007 02:25:17, 199.17.x.x, 6, 23, Telnet, 48483, 2
EventRecord: 26 Aug 2007 02:25:07, 199.17.x.x, 6, 23, Telnet, 48216, 2
EventRecord: 26 Aug 2007 02:24:57, 199.17.x.x, 6, 23, Telnet, 47948, 2
...
Now I am sure that no legitimate user was on this machine at that
time. I have blocked outgoing traffic on port 23 in the meantime.
However, I would like to either prove that the above record is
wrong/faked (not really coming from my machine) or find out which
process did that and who started it. Since I am more a developer
than a sysadmin, I am rather clueless about what to do now. The machine is
running ipfilter.
ipmon -an
seems to give me an overview of the traffic that is going on. But of
course I see no current attempts to access any machine on port 23. Can I
configure ipfilter to give me the process ID of the process that is
initiating outgoing traffic? What other tools can I use to figure out
what was going on last night? The machine can be reached via ssh
(inbound); all other ports are blocked.
Hints are greatly appreciated!
Thanks a lot in advance!
Regards,
Andreas
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
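Before hunting for a process, a responder would first check whether the quoted records are internally consistent with a real host opening connections. The following script is an added example, not part of the original post or of any tool mentioned in it: it parses the EventRecord lines exactly as quoted (field order taken from the header line, destination IP masked as in the post), orders them in time, and reports the figures that matter: total events versus distinct connection attempts, pairs where the same source port reappears within a few seconds (treated here, by assumption, as a retransmitted SYN of one attempt rather than a second attempt), and how fast the source's ephemeral ports advance between logged records. Note that ipfilter/ipmon records packets, not the process that sent them, so the process ID question is a host-side auditing question (Solaris audit/BSM records), which this script does not attempt to answer.

```python
"""Parse and summarize the sanitized EventRecord excerpt from the post.
Added example; not the list author's code."""
from datetime import datetime

# Sample input: the records quoted in the post, joined onto one line each
# (constructed from the excerpt; the destination IP is masked as posted).
SAMPLE_LOG = """\
EventRecord: 26 Aug 2007 02:26:37, 199.17.x.x, 6, 23, Telnet, 50593, 1
EventRecord: 26 Aug 2007 02:26:27, 199.17.x.x, 6, 23, Telnet, 50331, 2
EventRecord: 26 Aug 2007 02:26:17, 199.17.x.x, 6, 23, Telnet, 50064, 2
EventRecord: 26 Aug 2007 02:26:07, 199.17.x.x, 6, 23, Telnet, 49797, 2
EventRecord: 26 Aug 2007 02:25:57, 199.17.x.x, 6, 23, Telnet, 49530, 2
EventRecord: 26 Aug 2007 02:25:50, 199.17.x.x, 6, 23, Telnet, 49264, 1
EventRecord: 26 Aug 2007 02:25:47, 199.17.x.x, 6, 23, Telnet, 49264, 1
EventRecord: 26 Aug 2007 02:25:40, 199.17.x.x, 6, 23, Telnet, 49001, 1
EventRecord: 26 Aug 2007 02:25:37, 199.17.x.x, 6, 23, Telnet, 49001, 1
EventRecord: 26 Aug 2007 02:25:27, 199.17.x.x, 6, 23, Telnet, 48740, 2
EventRecord: 26 Aug 2007 02:25:17, 199.17.x.x, 6, 23, Telnet, 48483, 2
EventRecord: 26 Aug 2007 02:25:07, 199.17.x.x, 6, 23, Telnet, 48216, 2
EventRecord: 26 Aug 2007 02:24:57, 199.17.x.x, 6, 23, Telnet, 47948, 2
"""


def parse_records(text):
    """Turn EventRecord lines into dicts, oldest first.

    Field order follows the header quoted in the post:
    date/time, destination IP, IP protocol, target port, description,
    source port, event count.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("EventRecord:"):
            continue  # header, blank or "..." lines
        fields = [f.strip() for f in line[len("EventRecord:"):].split(",")]
        if len(fields) != 7:
            raise ValueError("unexpected field count in %r" % line)
        records.append({
            "time": datetime.strptime(fields[0], "%d %b %Y %H:%M:%S"),
            "dst": fields[1],
            "proto": int(fields[2]),
            "dport": int(fields[3]),
            "desc": fields[4],
            "sport": int(fields[5]),
            "count": int(fields[6]),
        })
    records.sort(key=lambda r: r["time"])
    return records


def summarize(records, retry_window=5):
    """Figures a responder uses to judge whether the excerpt looks genuine."""
    distinct_ports = sorted({r["sport"] for r in records})
    # Assumption: the same source port seen again within retry_window
    # seconds is a SYN retransmit of one attempt (target not answering),
    # so it should not be counted as a separate connection attempt.
    retransmits = []
    for a, b in zip(records, records[1:]):
        gap = (b["time"] - a["time"]).total_seconds()
        if a["sport"] == b["sport"] and gap <= retry_window:
            retransmits.append((a["sport"], gap))
    # Ephemeral-port advance between records: a large, steady delta means
    # the source was opening many other connections that this excerpt
    # (one destination only) does not show.
    deltas = [q - p for p, q in zip(distinct_ports, distinct_ports[1:])]
    span = (records[-1]["time"] - records[0]["time"]).total_seconds()
    return {
        "records": len(records),
        "events": sum(r["count"] for r in records),
        "first": records[0]["time"],
        "last": records[-1]["time"],
        "span_seconds": span,
        "destinations": sorted({r["dst"] for r in records}),
        "distinct_source_ports": len(distinct_ports),
        "retransmits": retransmits,
        "min_port_delta": min(deltas) if deltas else None,
        "max_port_delta": max(deltas) if deltas else None,
        "ports_per_second": (distinct_ports[-1] - distinct_ports[0]) / span
        if span else None,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_records(SAMPLE_LOG)).items():
        print("%-22s %s" % (key, value))
```

On the excerpt as quoted, this yields 13 records but only 11 distinct source ports, two of the records being 3-second repeats of an earlier port, and a source-port advance of roughly 260 per ten-second interval. Both observations are what a host that is cycling through many destinations and getting no answer from most of them would produce, which is useful context when deciding between "faked record" and "find the process"; the script establishes consistency, not the origin, so the host-side investigation still has to follow.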
This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:42:15 EDT