Web Hosting Talk

Mmm what is this?


Jedito
05-24-2001, 06:19 AM
Today I received an email with this message from WHM:
Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
May 23 07:05:17 jorge portsentry[952]: attackalert: Connect from host: 195.246.158.102/195.246.158.102 to TCP port: 111
May 23 07:05:17 jorge portsentry[952]: attackalert: Host 195.246.158.102 has been blocked via wrappers with string: "ALL: 195.246.158.102"
May 23 07:05:17 jorge portsentry[952]: attackalert: Host 195.246.158.102 has been blocked via dropped route using command: "/sbin/route add -host 195.246.158.102 gw 127.0.0.1"
May 23 07:05:17 jorge portsentry[952]: attackalert: Connect from host: 195.246.158.102/195.246.158.102 to TCP port: 111
May 23 07:05:17 jorge portsentry[952]: attackalert: Host: 195.246.158.102 is already blocked. Ignoring
May 23 14:17:03 jorge portsentry[952]: attackalert: Connect from host: 212.29.115.155/212.29.115.155 to TCP port: 1080
May 23 14:17:03 jorge portsentry[952]: attackalert: Host 212.29.115.155 has been blocked via wrappers with string: "ALL: 212.29.115.155"

Security Violations
=-=-=-=-=-=-=-=-=-=
May 23 04:37:43 jorge named[1160]: bad referral (net !< yahoo.com) from [216.32.74.10].53
May 23 04:37:43 jorge named[1160]: bad referral (net !< yahoo.com) from [204.71.200.33].53
May 23 07:05:17 jorge portsentry[952]: attackalert: Connect from host: 195.246.158.102/195.246.158.102 to TCP port: 111
May 23 07:05:17 jorge portsentry[952]: attackalert: Host 195.246.158.102 has been blocked via wrappers with string: "ALL: 195.246.158.102"
May 23 07:05:17 jorge portsentry[952]: attackalert: Host 195.246.158.102 has been blocked via dropped route using command: "/sbin/route add -host 195.246.158.102 gw 127.0.0.1"
May 23 18:03:20 jorge named[13099]: bad referral (net !< yahoo.com) from [204.71.200.33].53
May 23 18:03:20 jorge named[13099]: bad referral (net !< yahoo.com) from [216.32.74.10].53
May 23 19:13:23 jorge named[13099]: bad referral (net !< yahoo.com) from [204.71.200.33].53
May 23 19:13:23 jorge named[13099]: bad referral (net !< yahoo.com) from [216.32.74.10].53
May 23 21:28:28 jorge named[13099]: bad referral (net !< yahoo.com) from [216.32.74.10].53
May 23 21:28:28 jorge named[13099]: bad referral (net !< yahoo.com) from [204.71.200.33].53
May 24 01:22:00 jorge named[13099]: bad referral (122.74.216.in-addr.arpa !< 2.122.74.216.in-addr.arpa) from [216.74.122.26].53
May 24 01:22:00 jorge named[13099]: bad referral (122.74.216.in-addr.arpa !< 2.122.74.216.in-addr.arpa) from [216.74.122.26].53

Can anybody explain to me what is happening?
Was my server under a hack attack?
Thanks in advance, and please excuse me for such a long message.

cperciva
05-24-2001, 06:54 AM
Looks to me like someone set their alarms in "ridiculously paranoid" mode. I can't see anything there beyond routine probes (i.e., someone was walking down a street looking at houses to see if anyone left their front door wide open).

Unless someone else can see something there that I can't, I'd say just ignore it.

Vince
05-24-2001, 10:36 AM
Originally posted by cperciva
Looks to me like someone set their alarms in "ridiculously paranoid" mode. I can't see anything there beyond routine probes (i.e., someone was walking down a street looking at houses to see if anyone left their front door wide open).

Unless someone else can see something there that I can't, I'd say just ignore it.

Yep, I agree entirely.
I hate Portsentry. Anything which can drop routes and add rules to hosts.deny is just scary.
Spoofed SYN scan from your DNS servers and you can't resolve names anymore; spoofed scan from your own IP address and you can't log in anymore!

Jedito: Just ensure you're not running portmapper, and you're not running rpc.statd, since that's probably what they were looking for.

Regards,
Vince.

Jedito
05-25-2001, 02:27 PM
Mmmm... Vince, I have no idea how to know that :P
Can you please tell me how I can check that?

Vince
05-25-2001, 02:36 PM
This is almost certainly a Cpanel3 machine, so just run /scripts/quicksecure and that'll stop any services you shouldn't be running from a default RH6.2 install.

Otherwise, you can do ps ax | grep statd; ps ax | grep portmap - if either is running, kill them and remove their init scripts from /etc/rc.d/rc3.d

Regards,
Vince.

Jedito
05-25-2001, 02:56 PM
I killed portmap this way:
Kill -1 (pid number)
and I can't locate portmap in that run level.
Did I do it right? :cartman:

huck
05-29-2001, 11:26 AM
I would not run portsentry on a production server. Just lock down the server. As already mentioned, properly constructed scans can really cause havoc.

I do not know if the latest versions of portsentry can detect IP spoofing; I think earlier versions would succumb to IP spoof attacks, which if cleverly created could shut down your external routes, thus nailing your server and locking you out.

On a production server, run only what you need, e.g. http, ssh, ftp, telnet, etc. Close every service and port that you do not need -- I find most hackers are script kiddies looking for a quick way in -- if they can't find it, they move on.

WorldNet
12-05-2001, 07:57 PM
I had a similar problem today and followed Vince's instructions; all now seems to be OK... I hope.

Anyway, I also found statd.8.gz and portmap.8 in /usr/man/man8; should these be deleted also?

I know this is an old post but any help would be appreciated.

thanks

bobcares
12-06-2001, 07:57 AM
I would recommend using portsentry. After a server is hacked, thinking about it is no use.
I have seen clients get angry when a server is down... Tell them that it was hacked and they'd leave you.
Portsentry is a safe bet. Removing certain IPs from hosts.deny is not very difficult. It doesn't stop the servers. Also, spoofing is not a very good thing, so I do not see any reason why we should do that. If we are not doing anything wrong ourselves then I'm sure portsentry would not block us.... :)

Anyway, this is just a personal opinion. ....

Have a great day :)

regards
amar

Vince
12-06-2001, 01:34 PM
Let's assume for a second that I have the IP address of one of your machines.
Let's also assume I'm a malicious cracker.
I've tried to hack your machine, and found no vulnerabilities. I'm upset, because you looked like a decent hack. I decide I'll take your machine down.

My easiest way of doing so?
nmap -S ip.of.your.router -e eth0 -sS your.machines.ip

The only way you can get back into your machine is by rebooting it so that the routes PortSentry dropped are flushed. Oh, let's also hope you're using SSH, and that SSH isn't reading hosts to deny from hosts.deny. Because if it is?

nmap -S your.own.ip -e eth0 -sS your.machines.ip

Now you're locked out too!
That's a little too easy if you ask me... Makes much more sense to kill PortSentry. :)

Vince.

spock
12-06-2001, 06:36 PM
Originally posted by Vince
I decide I'll take your machine down.

My easiest way of doing so?
nmap -S ip.of.your.router -e eth0 -sS your.machines.ip



Of course, any reasonably sane person would have instructed portsentry not to take action against "attacks" from such IPs.

While I agree that portsentry shouldn't be used as some kind of shield against unknown attacks, it can still be a useful tool. If you don't make it drop routes to everything that appears slightly suspicious it'll make you aware of the usual scans and activity, which is good.
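As an added example (not code from this thread or from PortSentry itself), here is a small Python parser for the portsentry attackalert lines quoted at the top of the thread. It lists what got blocked and by which mechanism, flags any block that hits an address the server cannot afford to lose (the never-block list spock is describing), and emits that list in portsentry.ignore format. The addresses 192.0.2.1, 192.0.2.10 and 198.51.100.53 and the last two log lines are constructed for the example.

```python
import re
from ipaddress import ip_address

# Constructed sample: three lines from the WHM mail above, plus two constructed
# lines showing what a scan that appears to come from the gateway looks like.
SAMPLE_LOG = """\
May 23 07:05:17 jorge portsentry[952]: attackalert: Connect from host: 195.246.158.102/195.246.158.102 to TCP port: 111
May 23 07:05:17 jorge portsentry[952]: attackalert: Host 195.246.158.102 has been blocked via wrappers with string: "ALL: 195.246.158.102"
May 23 07:05:17 jorge portsentry[952]: attackalert: Host 195.246.158.102 has been blocked via dropped route using command: "/sbin/route add -host 195.246.158.102 gw 127.0.0.1"
May 23 14:17:03 jorge portsentry[952]: attackalert: Connect from host: 212.29.115.155/212.29.115.155 to TCP port: 1080
May 23 14:17:03 jorge portsentry[952]: attackalert: Host 212.29.115.155 has been blocked via wrappers with string: "ALL: 212.29.115.155"
May 24 03:10:00 jorge portsentry[952]: attackalert: Connect from host: 192.0.2.1/192.0.2.1 to TCP port: 111
May 24 03:10:00 jorge portsentry[952]: attackalert: Host 192.0.2.1 has been blocked via dropped route using command: "/sbin/route add -host 192.0.2.1 gw 127.0.0.1"
"""

# Constructed never-block list: the host's own address, its default gateway and
# its resolver. On a real box these come from `ip addr`, `ip route` and /etc/resolv.conf.
CRITICAL = {
    "192.0.2.10": "this host",
    "192.0.2.1": "default gateway",
    "198.51.100.53": "resolver",
}

CONNECT_RE = re.compile(r"attackalert: Connect from host: (\S+)/\S+ to (TCP|UDP) port: (\d+)")
BLOCK_RE = re.compile(r"attackalert: Host:? (\S+) has been blocked via (wrappers|dropped route)")


def parse(log):
    """Return (connects, blocks): probes as (ip, proto, port), blocks as (ip, method)."""
    connects, blocks = [], []
    for line in log.splitlines():
        m = CONNECT_RE.search(line)
        if m:
            connects.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = BLOCK_RE.search(line)
        if m:
            blocks.append((m.group(1), m.group(2)))
    return connects, blocks


def dangerous_blocks(blocks, critical=CRITICAL):
    """Blocks against a never-block address: a dropped route to the gateway is a self-inflicted outage."""
    return [(ip, method, critical[ip]) for ip, method in blocks if ip in critical]


def ignore_file(critical=CRITICAL):
    """Contents for portsentry.ignore: one address per line, so these sources are never acted on."""
    return "\n".join(sorted(critical, key=ip_address)) + "\n"
```

Run `dangerous_blocks` over the real portsentry output before trusting an auto-block setup; a non-empty result means the config needs the ignore list before it goes anywhere near production.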

Vince
12-06-2001, 07:10 PM
Agreed, however, it isn't always immediately obvious which IPs would cause problems when blocked.
What about the hop before your router? Or the one before that? It depends on your configuration, of course, but you tend to find that people using PortSentry (when they've installed it themselves) aren't exactly the Aleth1 of security. So these situations are more common than you might think.
Not to mention, PortSentry comes enabled by default on all Cpanel machines, with a very poor configuration!

Now... If you do want to be notified about such scans, which is definitely a good thing, take a look at: http://freshmeat.net/projects/iplog

iplog not only notifies you of scans and such, but it also does so without opening the port. It can also monitor ports that other services are already bound to. Also, its default configuration is much more sane. In fact... I think I'll email Nick and see if I can't get him to switch Cpanel to iplog. :)

Vince.

spock
12-06-2001, 07:29 PM
Originally posted by Vince
Agreed, however, it isn't always immediately obvious which IPs would cause problems when blocked.
What about the hop before your router? Or the one before that? It depends on your configuration, of course, but you tend to find that people using PortSentry (when they've installed it themselves) aren't exactly the Aleth1 of security.

That's true, and I'll agree that having portsentry installed by default is very likely unwise. I had no idea Cpanel did that.

blacknight
05-16-2002, 06:32 AM
I got a similar error message to the thread starter, but portsentry was NOT tripped. I've got a few hundred lines of bad referral errors...
Any idea what's causing it??

Jeffyt
05-16-2002, 11:57 AM
Originally posted by Vince
but you tend to find that people using PortSentry (when they've installed it themselves) aren't exactly the Aleth1 of security.

Vince.

:eek: Not exactly sure what "Aleth1" means, but does that mean that people who install portsentry don't know as much about security as, say, someone who had it pre-installed with something like cpanel? But point taken, a lot of people (often me included) do have their security systems misconfigured.

I think running a logging portsentry configuration (maybe dropping TCP scans, as those are more than likely not spoofed), with a snort/acid installation (which is arguably one of the best IDS out there), Tripwire, and chkrootkit will ease the mind of many a system administrator. You obviously can't quash every would-be attack on your box, but you sure don't want that one hacker that does get through to ruin your clients' experience with your web hosting company.

Regards,

Jeff