Possible security breach? System behaving in very odd manners
Derek Broughton
news at pointerstop.ca
Wed Dec 5 15:17:31 UTC 2007
Nicolas Ouellette wrote:
> Hi there. I've been using Kubuntu for some time now, and been
> experiencing very, VERY weird stuff recently (sorry if this mail is long:
> right now I want to connect to the net as briefly as possible, so I put as
> much info as I can in it):
...
> 7. After a hard day's work, I looked at /var/log/snort/alert and saw
> horrible things:
>
> [**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**]
> [Priority: 3]
> 12/04-06:57:10.447880 69.157.135.148:33057 -> 66.230.200.228:80
> TCP TTL:64 TOS:0x0 ID:17911 IpLen:20 DgmLen:479 DF
> ***AP*** Seq: 0xCD91DADD Ack: 0x51982DB0 Win: 0x16B0 TcpLen: 20
>
> [**] [122:1:0] (portscan) TCP Portscan [**]
> [Priority: 3]
> 12/04-07:30:50.509573 69.157.133.27 -> 69.157.135.148
> PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:165 DF
>
> [**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
...
> If I understand correctly, someone had tried a double-decoding attack,
> after a portscan. (I'm no geek here, I don't fully understand the meaning
> of those entries...:()
>
> 8. Now, I feel very, VERY frightened, because I think a malicious person
> might have hacked into my system and may gain control over my box and
> data.
>
> I want to say that I'm not an übergeek, but I'm aware of the many dangers
> lurking on the net and how to protect my system from them as best as I can
> (firewall, IDS, virus scan, rootkit detector, no easy-cheesy passwords,
> and so on...).
I don't know what those specific things mean, either, and perhaps you have
reason to be paranoid (well, there's nothing wrong with that!), but don't
go overboard. Any open network is going to get tons of attempts. The
script kiddies just continually scan the network looking for something they
can use. The fact that the attempt is currently occurring should be
sufficient to tell you that _this_ is not the problem you were originally
looking for. If your apparently random events were caused by somebody
having hacked your system, they don't need to do portscans anymore! Also,
the fact that snort recognizes it as a "DOUBLE DECODING ATTACK" rather
implies that it's a known vulnerability (to something) and if you're
up-to-date on your security fixes, you probably aren't vulnerable.
That said, I know people who have been rootkitted (on Linux systems), and it
isn't pretty.
--
derek
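As an added example (not part of the thread, and not Derek's or Nicolas's code), here is a small parser for the Snort alert-file format quoted above, with a triage step that sorts each alert by direction relative to the local host. It assumes the local address is 69.157.135.148, which the quoted entries show both as a source and as a destination; the sample text is the three alert blocks from the e-mail, with the third one kept as the bare header the excerpt stops at.

```python
import re
from ipaddress import ip_address
from collections import Counter

# Constructed sample: the alert blocks quoted in the thread. The third block is
# only a header, as in the excerpt, so the parser must tolerate a missing flow.
SAMPLE_ALERTS = """\
[**] [119:7:1] (http_inspect) IIS UNICODE CODEPOINT ENCODING [**]
[Priority: 3]
12/04-06:57:10.447880 69.157.135.148:33057 -> 66.230.200.228:80
TCP TTL:64 TOS:0x0 ID:17911 IpLen:20 DgmLen:479 DF
***AP*** Seq: 0xCD91DADD Ack: 0x51982DB0 Win: 0x16B0 TcpLen: 20

[**] [122:1:0] (portscan) TCP Portscan [**]
[Priority: 3]
12/04-07:30:50.509573 69.157.133.27 -> 69.157.135.148
PROTO:255 TTL:0 TOS:0x0 ID:0 IpLen:20 DgmLen:165 DF

[**] [119:2:1] (http_inspect) DOUBLE DECODING ATTACK [**]
"""

# Assumed local address for the triage below (taken from the quoted alerts).
LOCAL_IP = '69.157.135.148'

HEADER_RE = re.compile(r'^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$')
PRIORITY_RE = re.compile(r'^\[Priority: (\d+)\]')
# Timestamp, then src[:port] -> dst[:port]. Ports are absent for events that
# are not TCP/UDP packets, such as the portscan pseudo-packet (PROTO:255).
FLOW_RE = re.compile(
    r'^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) '
    r'(\d+\.\d+\.\d+\.\d+)(?::(\d+))? -> (\d+\.\d+\.\d+\.\d+)(?::(\d+))?$')


def parse_alerts(text):
    """Parse Snort 'full' alert text into a list of dicts.

    Blocks are separated by blank lines. A block holding only the [**] header
    is still returned, with priority/time/src/dst left as None.
    """
    alerts = []
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = block.splitlines()
        m = HEADER_RE.match(lines[0])
        if not m:
            continue  # not an alert header; skip it
        gid, sid, rev, msg = m.groups()
        alert = {'gid': int(gid), 'sid': int(sid), 'rev': int(rev),
                 'msg': msg, 'priority': None, 'time': None,
                 'src': None, 'sport': None, 'dst': None, 'dport': None}
        for line in lines[1:]:
            pm = PRIORITY_RE.match(line)
            if pm:
                alert['priority'] = int(pm.group(1))
                continue
            fm = FLOW_RE.match(line)
            if fm:
                t, src, sport, dst, dport = fm.groups()
                alert.update(time=t, src=src, dst=dst,
                             sport=int(sport) if sport else None,
                             dport=int(dport) if dport else None)
        alerts.append(alert)
    return alerts


def direction(alert, local_ip):
    """'outbound' if the local host sent the packet, 'inbound' if it was the
    target, 'transit' if neither, 'unknown' if the block had no flow line."""
    if alert['src'] is None:
        return 'unknown'
    local = ip_address(local_ip)
    if ip_address(alert['src']) == local:
        return 'outbound'
    if ip_address(alert['dst']) == local:
        return 'inbound'
    return 'transit'


def triage(text, local_ip):
    """Count alerts by direction, so inbound background noise (scans) can be
    told apart from events the local host generated itself."""
    return Counter(direction(a, local_ip) for a in parse_alerts(text))


if __name__ == '__main__':
    for a in parse_alerts(SAMPLE_ALERTS):
        print(f"{a['gid']}:{a['sid']}:{a['rev']} {direction(a, LOCAL_IP):8} {a['msg']}")
    print(dict(triage(SAMPLE_ALERTS, LOCAL_IP)))
```

Run against the quoted entries, the first alert comes out as outbound: the source is the local host's own ephemeral port 33057 and the destination is port 80 on a remote server, so it was raised by a web request the box itself sent, while the portscan is inbound from another address on the same /16. Separating the two is the first check worth doing before reading an alert file as evidence of compromise.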