
System Attack
Can someone tell me what kind of an attack this is? It's causing a cpu load of 74% to portsentry, most of this evening.
Of course NO reply from Burst.net support phone line, don't answer phone, ticket open :-(
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME COMMAND
970 root 19 0 528 528 448 R 74.7 0.2 174:01 portsentry
555 root 13 0 600 600 500 R 24.5 0.2 52:12 syslogd
Jul 7 01:56:18 apollo portsentry[970]: attackalert: Possible stealth scan from unknown host to TCP port: 32771 (accept failed)
Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Jul 7 01:01:25 apollo last message repeated 919232 times
Jul 7 01:02:25 apollo last message repeated 921940 times
Jul 7 01:03:27 apollo last message repeated 925141 times
Jul 7 01:04:27 apollo last message repeated 921767 times
Jul 7 01:05:01 apollo last message repeated 507257 times
Jul 7 01:05:01 apollo portsentry[970]: attackalert: Possible stealth scan from unknown host to TCP port: 32771 (accept failed)
Jul 7 01:05:02 apollo last message repeated 8242 times
Jul 7 01:05:02 apollo portsentry[970]: attackalert: Possible stealth scan from unknown host to TCP port: 32771 (accept failed)
Annette 07-07-2001, 02:33 AM Looks like your portsentry is caving in on itself. Best bet is to kill it off and restart it, since it's known to do that from time to time.
JonnyQuags 07-07-2001, 02:35 AM I would suggest just removing port 32771 from /etc/portsentry/portsentry.conf and restarting it if it's causing this big of a load.
cperciva 07-07-2001, 02:36 AM Originally posted by Brad
Jul 7 01:01:25 apollo last message repeated 919232 times
Wow. If that's real, someone is sending a *huge* number of packets at you. More likely it's a bug, since I don't know why anyone would send so many packets to that port. (AFAIK TCP/32771 is only ever used for RPC on Solaris).
Quite likely someone did send a packet at you on that port, since there seem to be bots about which test for vulnerabilities there, but portsentry probably went berserk for some reason after that.
This ****ing server has been under attack every single day at Burst.net. It's totally amazing!! I mean really persistent attacks, they have been trying like crazy since I was rooted last week on this new server. It's a friggin horror story ..
Originally posted by cperciva
Wow. If that's real, someone is sending a *huge* number of packets at you. More likely it's a bug, since I don't know why anyone would send so many packets to that port. (AFAIK TCP/32771 is only ever used for RPC on Solaris).
Quite likely someone did send a packet at you on that port, since there seem to be bots about which test for vulnerabilities there, but portsentry probably went berserk for some reason after that.
What's the portsentry restart command, anyone know?
cperciva 07-07-2001, 02:47 AM The packets being "logged" would be a constant stream of at least 5Mbps. Possible... but if that's correct you've got bigger problems than the load on portsentry.
You would be amazed. Each day, most, if not all servers (and it doesn't have to be on Burst's network) get attacked because some kiddies have nothing better to do with their time. I don't think I have had a day when I didn't receive at least 10 emails from each one of our servers that have been attacked.
Such is life.
Annette 07-07-2001, 02:51 AM /etc/rc.d/init.d/portsentry {start|stop|restart|reload|condrestart|status}
I get about that on mine alone each day ...
Originally posted by WeinBar
You would be amazed. Each day, most, if not all servers (and it doesn't have to be on Burst's network) get attacked because some kiddies have nothing better to do with their time. I don't think I have had a day when I didn't receive at least 10 emails from each one of our servers that have been attacked.
Such is life.
Thank you Annette!!
That did the trick it looks like ..
I'll keep my eye on it .
Originally posted by Annette
/etc/rc.d/init.d/portsentry {start|stop|restart|reload|condrestart|status}
Yes, I wonder what caused it, sure brought this thing to a halt!
I look at the logs and I see no IP address sending to that port; funny thing is it just shows "unknown host". Usually there is an IP address given during an attack ..
Originally posted by cperciva
Wow. If that's real, someone is sending a *huge* number of packets at you. More likely it's a bug, since I don't know why anyone would send so many packets to that port. (AFAIK TCP/32771 is only ever used for RPC on Solaris).
Quite likely someone did send a packet at you on that port, since there seem to be bots about which test for vulnerabilities there, but portsentry probably went berserk for some reason after that.
cperciva 07-07-2001, 03:20 AM Originally posted by WeinBar
You would be amazed. Each day, most, if not all servers (and it doesn't have to be on Burst's network) get attacked because some kiddies have nothing better to do with their time. I don't think I have had a day when I didn't receive at least 10 emails from each one of our servers that have been attacked.
Attacks are one thing. I see somewhere around 10 port scans each day; another 10 probes bounce each day are targeted to the two IP addresses (out of a /28) which are in use, and then of course there's the 2-3 idiots each day who try to login/ftp with obviously bogus user names and passwords. I no longer bother to report all these, although I have very complete logs. (BTW, the numbers above are based on unique source IPs).
5Mbps packet floods are quite a separate matter, however. Sending a 5Mbps packet flood isn't an attempt to break into a server; it's simply an attempt to shut it down. And said packet floods are expensive; 5Mbps = 2GB of packets each day.
However l4m3 skr1pt k1dd13s (or whatever) are getting these days, I can't see them sending 5Mbps floods randomly or very often at all.
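cperciva's "at least 5Mbps" figure comes straight from the "last message repeated N times" counters in Brad's logwatch snippet, and Brad later notices the alerts carry "unknown host" rather than a source address. The following script is an added example (not code from the thread or from the portsentry project) that does that arithmetic on the quoted log lines: it parses the syslog repeat counters together with the portsentry attackalert line they refer to, turns the counts into an events-per-second rate, converts that to a bandwidth lower bound, and applies a triage rule of thumb for separating a daemon stuck in its own logging loop from a genuine remote flood. The 40-byte minimum segment size, the 1000 events/s threshold, and the rule itself are assumptions of this example, not anything portsentry defines.

```python
"""Triage helper for syslog bursts like the portsentry one in this thread.

Added example. Parses ``last message repeated N times`` lines plus the
portsentry ``attackalert`` line they refer to, computes the implied event
rate, converts it to a bandwidth lower bound, and applies a heuristic for
telling a daemon looping on its own error from a real packet flood.
"""
import re
from datetime import datetime

# Log lines copied from the logwatch snippet quoted in the thread.
SAMPLE_LOG = """\
Jul 7 01:01:25 apollo last message repeated 919232 times
Jul 7 01:02:25 apollo last message repeated 921940 times
Jul 7 01:03:27 apollo last message repeated 925141 times
Jul 7 01:04:27 apollo last message repeated 921767 times
Jul 7 01:05:01 apollo last message repeated 507257 times
Jul 7 01:05:01 apollo portsentry[970]: attackalert: Possible stealth scan from unknown host to TCP port: 32771 (accept failed)
Jul 7 01:05:02 apollo last message repeated 8242 times
Jul 7 01:05:02 apollo portsentry[970]: attackalert: Possible stealth scan from unknown host to TCP port: 32771 (accept failed)
"""

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")
ALERT_RE = re.compile(
    r"^portsentry\[(\d+)\]: attackalert: (.*?) from (.*?) to (TCP|UDP) port: (\d+)"
    r"(?: \((.*)\))?$"
)

# Assumption: one logged event == one minimum-size TCP segment (20-byte IP
# header + 20-byte TCP header, no options, no Ethernet framing). Real packets
# are larger on the wire, so the bandwidth figure is a lower bound.
MIN_TCP_SEGMENT_BYTES = 40


def parse_log(text):
    """Return records in file order: kind 'repeat' (with count) or 'alert'."""
    records = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        # Syslog lines carry no year; only differences between timestamps matter here.
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
        host, msg = m.group(2), m.group(3)
        r = REPEAT_RE.match(msg)
        if r:
            records.append({"ts": ts, "host": host, "kind": "repeat",
                            "count": int(r.group(1))})
            continue
        a = ALERT_RE.match(msg)
        if a:
            records.append({"ts": ts, "host": host, "kind": "alert",
                            "pid": int(a.group(1)), "what": a.group(2),
                            "src": a.group(3), "proto": a.group(4),
                            "port": int(a.group(5)), "note": a.group(6) or ""})
    return records


def repeat_rates(records):
    """Events/second implied by each 'repeated' line, measured over the interval
    since the previous logged line. The first line has no predecessor and so
    contributes no rate."""
    rates, prev_ts = [], None
    for rec in records:
        if prev_ts is not None and rec["kind"] == "repeat":
            seconds = (rec["ts"] - prev_ts).total_seconds()
            if seconds > 0:
                rates.append(rec["count"] / seconds)
        prev_ts = rec["ts"]
    return rates


def implied_mbps(events_per_second, bytes_per_event=MIN_TCP_SEGMENT_BYTES):
    """Bandwidth lower bound if every logged event were a real packet."""
    return events_per_second * bytes_per_event * 8 / 1e6


def classify(records, loop_rate_threshold=1000.0):
    """Heuristic (assumption of this example): a sustained burst whose alerts all
    say accept() failed and name no peer means the daemon logged its own error,
    not a remote host; a flood would surface as alerts with a source address."""
    alerts = [r for r in records if r["kind"] == "alert"]
    peak = max(repeat_rates(records), default=0.0)
    if not alerts or peak < loop_rate_threshold:
        return "no sustained burst"
    self_inflicted = all(r["src"] == "unknown host" and "accept failed" in r["note"]
                         for r in alerts)
    return "suspect daemon loop" if self_inflicted else "possible remote flood"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    peak = max(repeat_rates(recs))
    print(f"peak rate: {peak:.0f} events/s, >= {implied_mbps(peak):.2f} Mbps if real packets")
    print("verdict:", classify(recs))
```

On the thread's own numbers the peak minute works out to roughly 15,400 events/s, which at 40 bytes each is about 4.9 Mbps, matching the "at least 5Mbps" estimate; the same lines are classified as a daemon loop because every alert reports accept() failing with no peer address. Treat the verdict as a prompt to confirm with something independent of the daemon (interface counters or a packet capture on port 32771), since syslog alone cannot prove packets did or did not arrive.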
Annette 07-07-2001, 10:21 AM Brad, I've seen the same thing on one of our boxes. There was no attack - it was just a figment of portsentry's hyperactive imagination, and exhibited the same behavior as the snip you listed above. Once killed and restarted, it was fine.
kunal 07-07-2001, 12:25 PM Originally posted by Annette
There was no attack - it was just a figment of portsentry's hyperactive imagination
AI :eek:
Originally posted by cperciva
However l4m3 skr1pt k1dd13s (or whatever) are getting these days, I can't see them sending 5Mbps floods randomly or very often at all.
That's the correct way of writing lame script kiddies in haX0r.
Possibly, and from everything I've gathered I would agree; it seems portsentry makes a pretty good attack itself. :stickout
I contacted the authors and sent them the report, hopefully they can work it out and/or fix it, nothing like a security script bringing down your server.
Originally posted by Annette
Brad, I've seen the same thing on one of our boxes. There was no attack - it was just a figment of portsentry's hyperactive imagination, and exhibited the same behavior as the snip you listed above. Once killed and restarted, it was fine.
Ok,
This just came in from the Portsentry developer, it's a confirmed bug in the script.
Quote:
It's a bug in the -tcp and -udp modes for portsentry. An update is being released Monday or Tuesday. Sorry for the problem. The stealth modes don't suffer from this issue.
-- Craig