
Hacked??

Apr 24, 2003
Apr 23 17:47:42 MY_IP:3383 -> 216.40.33.60:443 SYN ******S*
Apr 23 17:47:46 MY_IP:3386 -> 216.40.33.60:443 SYN ******S*
Apr 23 17:47:54 MY_IP:3386 -> 216.40.33.60:443 SYN ******S*
Apr 23 17:48:37 MY_IP:3389 -> 207.68.173.249:80 SYN ******S*

My portscan.log file is full of these, mostly port 80 and 443... I may be asking a no-brainer question here... are these just regular web requests from my network, or is something inside my network infected and scanning out??

Also I am noticing a lot of these... A user on my network installed a program containing a Trojan recently, but it has since been cleaned up... I would like to know the source of these scans.
spp_portscan: portscan status from MY_IP: 138 connections across 1 hosts: TCP(138), UDP(0)
 
...Ran out of space...

Any info on how I can find out what is going on here would be greatly appreciated... I don't want to rebuild my whole network.

Steps I have taken are:
- nmap all boxes on my network
- Virus scans (windoze) and chkrootkit (for the Linux server)
- Rebuilt the problem machine... Changed all passwd's for everything.
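One way to answer the question above mechanically is to parse the portscan.log lines and, per source host, count how many SYNs went to how many distinct hosts and ports and how fast. This is an added example for this thread, not code from the poster, Snort or Smoothwall; the sample lines reuse the four entries pasted above plus a constructed sweep of an internal host, and the thresholds (WEB_PORTS, BROWSING_MAX_RATE, the 10-host/10-port scan limits) are assumptions to tune for your own network.

```python
"""Triage Snort spp_portscan output (portscan.log SYN lines and the
'portscan status' summary lines) to tell outbound web browsing from a
host that is scanning out.  Added example; heuristics are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Line shape as pasted in the thread:
# "Apr 23 17:47:42 MY_IP:3383 -> 216.40.33.60:443 SYN ******S*"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) -> (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"(?P<kind>\S+) (?P<flags>\S+)$"
)
# "spp_portscan: portscan status from MY_IP: 138 connections across 1 hosts: TCP(138), UDP(0)"
STATUS_RE = re.compile(
    r"portscan status from (?P<src>\S+): (?P<conns>\d+) connections across "
    r"(?P<hosts>\d+) hosts: TCP\((?P<tcp>\d+)\), UDP\((?P<udp>\d+)\)"
)

WEB_PORTS = {80, 443}      # outbound SYNs to these are usually a browser at work
BROWSING_MAX_RATE = 1.0    # SYNs per second; browsing is bursty but slow overall
HORIZONTAL_MIN_HOSTS = 10  # one port across many hosts: worm-style sweep
VERTICAL_MIN_PORTS = 10    # many ports on one host: port scan of a single target

# Constructed sample: the thread's four lines, then an internal host
# (192.168.1.50, made up) sweeping port 445 across the LAN in about a second.
SAMPLE_LOG = "\n".join([
    "Apr 23 17:47:42 MY_IP:3383 -> 216.40.33.60:443 SYN ******S*",
    "Apr 23 17:47:46 MY_IP:3386 -> 216.40.33.60:443 SYN ******S*",
    "Apr 23 17:47:54 MY_IP:3386 -> 216.40.33.60:443 SYN ******S*",
    "Apr 23 17:48:37 MY_IP:3389 -> 207.68.173.249:80 SYN ******S*",
] + [
    f"Apr 23 17:48:{40 + i // 6} 192.168.1.50:{1031 + i} -> 192.168.1.{i + 1}:445 SYN ******S*"
    for i in range(12)
])
SAMPLE_STATUS = "spp_portscan: portscan status from MY_IP: 138 connections across 1 hosts: TCP(138), UDP(0)"


def parse_portscan_log(text, year=2003):
    """One dict per parsable SYN line. The log carries no year, so it is a parameter."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # status lines and other chatter are handled separately
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"when": when, "src": m["src"], "dst": m["dst"],
                       "sport": int(m["sport"]), "dport": int(m["dport"]), "flags": m["flags"]})
    return events


def summarize(events):
    """Per source: how many SYNs, to how many distinct hosts and ports, and how fast."""
    per_src = defaultdict(lambda: {"count": 0, "hosts": set(), "ports": set(),
                                   "first": None, "last": None})
    for e in events:
        s = per_src[e["src"]]
        s["count"] += 1
        s["hosts"].add(e["dst"])
        s["ports"].add(e["dport"])
        s["first"] = e["when"] if s["first"] is None else min(s["first"], e["when"])
        s["last"] = e["when"] if s["last"] is None else max(s["last"], e["when"])
    for s in per_src.values():
        span = (s["last"] - s["first"]).total_seconds()
        s["rate"] = s["count"] / span if span > 0 else float(s["count"])
    return dict(per_src)


def classify(stats):
    """Heuristic verdict for one source's summary (assumed thresholds, see above)."""
    if stats["ports"] <= WEB_PORTS and stats["rate"] < BROWSING_MAX_RATE:
        return "web browsing"
    if len(stats["ports"]) == 1 and len(stats["hosts"]) >= HORIZONTAL_MIN_HOSTS:
        return "horizontal scan"
    if len(stats["hosts"]) == 1 and len(stats["ports"]) >= VERTICAL_MIN_PORTS:
        return "vertical scan"
    return "review manually"


def parse_status_line(line):
    """Pull the counts out of a 'portscan status' summary line, or None if it is not one."""
    m = STATUS_RE.search(line)
    if not m:
        return None
    return {k: (m[k] if k == "src" else int(m[k])) for k in ("src", "conns", "hosts", "tcp", "udp")}


def triage(text, year=2003):
    """Map each source host to (summary, verdict)."""
    return {src: (stats, classify(stats))
            for src, stats in summarize(parse_portscan_log(text, year)).items()}


if __name__ == "__main__":
    for src, (stats, verdict) in triage(SAMPLE_LOG).items():
        print(f"{src}: {stats['count']} SYNs, {len(stats['hosts'])} hosts, "
              f"{len(stats['ports'])} ports, {stats['rate']:.2f}/s -> {verdict}")
    print(parse_status_line(SAMPLE_STATUS))
```

On the thread's own four lines this reports MY_IP as web browsing: two destinations, only ports 80 and 443, well under one SYN per second. Note that the second and third lines reuse source port 3386 to the same host, eight seconds apart; that is a TCP SYN retransmit waiting on a slow server, not a new connection. The constructed 192.168.1.50 lines trip the horizontal-scan rule instead (one port, a dozen hosts, a second apart). To work from raw packets rather than Snort's summary, `tcpdump -n -w file.pcap` on the firewall captures to a file that `tcpdump -n -r file.pcap` reads back for the same kind of per-host tally.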
 
Couple of questions: is this a firewall/router box that handles your network's NAT?
Have you tried tcpdump to a file and looked at the packets to see if they are valid requests or just SYN flooding?

If that's an exact log then it's not likely to be a SYN flood; it's too slow for that. Are you running any services on there that are vulnerable? In this case it could be the SSL exploit trying to replicate itself. If you run Apache and mod_ssl on that box I would double-check that you patched it.

 
The firewall is a Smoothwall 2.0 Beta. It just runs Snort. I have some ports forwarded to my internal boxes: PCAnywhere, Remote Desktop, and sendmail, POP3, Apache and SSH on my Linux box. No, I don't run mod_ssl, and yes, that is a snippet out of the log.

About the tcpdump... could you expand on that? How?

And what about this? It's just one of the many I pulled out of my Snort log.
spp_portscan: portscan status from MY_IP: 138 connections across 1 hosts: TCP(138), UDP(0)
 
I am running a tcpdump on my box now.

This is something interesting that I found though. (I am positive that I do not run mod_ssl.)

64.231.70.112 - - [24/Apr/2003:21:40:38 -0400] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXu9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 - "-" "-"
I was under the impression that Slapper only affects systems running OpenSSL.
 
Looks like you're looking at Kazaa or some other P2P software... Ran into some of that the other day that displayed similar results.

 
[**] [1:1425:6] WEB-PHP content-disposition [**]
[Classification: Web Application Attack] [Priority: 1]
04/21-19:05:02.350371 > l/l len: 0 l/l type: 0x200 0:0:0:0:0:0
pkt type:0x4 proto: 0x800 len:0x413
MY_IP:1341 -> 64.4.14.250:80 TCP TTL:127 TOS:0x0 ID:5374 IpLen:20 DgmLen:1027 DF
***AP*** Seq: 0xC8D9B902 Ack: 0x27645E8A Win: 0xFDB8 TcpLen: 20
[Xref => ]

Looks like Slapper worm to me!
 