[ale] port sentry gone mad
Marc Vogt
mtv at theor.chemistry.gatech.edu
Thu Mar 29 18:42:48 EST 2001
> On Thu, 29 Mar 2001, Marc Vogt wrote:
>
>
> > Mar 29 18:10:00 tamarind portsentry[574]: attackalert: Possible
> >stealth scan from unknown host to TCP port: 22 (accept failed)
> > Mar 29 18:10:30 tamarind last message repeated 57848 times
> > Mar 29 18:11:31 tamarind last message repeated 107778 times
> > Mar 29 18:12:33 tamarind last message repeated 103242 times
> > Mar 29 18:13:33 tamarind last message repeated 109587 times
> > Mar 29 18:14:34 tamarind last message repeated 101158 times
> > Mar 29 18:15:00 tamarind last message repeated 45402 times
>
> Wow. Try getting a capture of the traffic headed to port 22, and maybe you
> can figure out what it is. I seriously doubt it's a real scan. You might
> also try turning off portsentry for a bit and using ipchains/tables
> (whatever) to log the attempts. You might get more info that way.
It goes on and on even when I am disconnected from the network.
It only occurs under my 2.4.0 kernel. I do get some message when
port sentry starts up about it not being able to bind port 22.
Mar 29 17:00:58 tamarind portsentry[573]: adminalert: ERROR: could not bind TCP socket: 22. Attempting to continue
Looks like it also has problems with 7, 9, 111 and 540.
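An added example, not part of the original message or of portsentry: a small Python parser that expands syslog's "last message repeated N times" lines into real alert counts and reports which alerted ports are also ports portsentry logged a bind error for. The sample log is constructed from the lines quoted in this thread; the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the log lines quoted in this thread, wrapped line rejoined.
SAMPLE_LOG = """\
Mar 29 17:00:58 tamarind portsentry[573]: adminalert: ERROR: could not bind TCP socket: 22. Attempting to continue
Mar 29 18:10:00 tamarind portsentry[574]: attackalert: Possible stealth scan from unknown host to TCP port: 22 (accept failed)
Mar 29 18:10:30 tamarind last message repeated 57848 times
Mar 29 18:11:31 tamarind last message repeated 107778 times
Mar 29 18:12:33 tamarind last message repeated 103242 times
Mar 29 18:13:33 tamarind last message repeated 109587 times
Mar 29 18:14:34 tamarind last message repeated 101158 times
Mar 29 18:15:00 tamarind last message repeated 45402 times
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) (.*)$")      # timestamp, host, message
REPEAT = re.compile(r"^last message repeated (\d+) times$")
BIND_ERR = re.compile(r"adminalert: ERROR: could not bind (\w+) socket: (\d+)")
ALERT = re.compile(r"attackalert: .* to (\w+) port: (\d+)")

def summarize(log_text):
    """Return (ports with bind errors, alert counts per (proto, port))."""
    bind_failed, alerts = set(), Counter()
    last_alert = {}  # host -> (proto, port) of that host's previous line, if an alert
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        host, msg = m.groups()
        rep = REPEAT.match(msg)
        if rep:
            # A repeat line only counts when the line it repeats was an alert.
            if last_alert.get(host):
                alerts[last_alert[host]] += int(rep.group(1))
            continue
        last_alert[host] = None
        bind, alert = BIND_ERR.search(msg), ALERT.search(msg)
        if bind:
            bind_failed.add((bind.group(1), int(bind.group(2))))
        elif alert:
            key = (alert.group(1), int(alert.group(2)))
            alerts[key] += 1
            last_alert[host] = key
    return bind_failed, alerts

def alerts_on_unbound_ports(log_text):
    """Alert totals for ports that portsentry also reported it could not bind."""
    bind_failed, alerts = summarize(log_text)
    return {k: n for k, n in alerts.items() if k in bind_failed}

if __name__ == "__main__":
    print(alerts_on_unbound_ports(SAMPLE_LOG))
```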