[Cialug] Odd log entries on RH7.2 box

cialug@cialug.org cialug@cialug.org
Mon, 06 Dec 2004 21:15:40 +0000


I did do a YUM update off of fedoralegacy.org back in August (and nothing has
been updated on that site since then for 7.2).  RH 7.2 is no longer supported by
RH or fedoralegacy.  I plan on upgrading, but my copious free time isn't as free
as it used to be. :-)

I ran chkrootkit with no problems.  Good idea on running "rpm -Va".  It reported
some missing files and some other files where size and MD5 checksum doesn't
match.  So far, those look OK (updates), but I'll need to investigate more.

My plan to upgrade was to go to FC2, however I'm wondering if it would be better
for me to do a YUM upgrade to 7.3, and then later go to the latest FC release. 
Thoughts?

--
Tim W.
> Is that system all patched up? Is RH 7.2 still even supported? Might be 
> time to update.
> 
> While no system is totally secure, something as old as RH 7.2 probably 
> has a significantly greater chance of being exploitable.
> 
> If you haven't already, I'd check for evidence of an intrusion - i.e. 
> run chkrootkit, run "rpm -Va"...
> 
> -dc
> 
> timwilson011@mchsi.com wrote:
> > I was looking through my logs, and I noticed some odd entries.  I am seeing many
> > ACCEPTed entries from ipchains (over 800 this week) in /var/log/messages.  The
> > source ports are 0, 3, 8, 11, and 12.  The dest ports are 0, 1, 3, or 13.  I've
> > looked up these ports at iana.org, but it says port 0, 8, and 12 are reserved or
> > unassigned (the dest ports of 1 and 13 are tcpmux and daytime).  I don't have
> > anything running on these ports.  For the ones trying to connect to port 0, all
> > but 43 came from one of 2 addresses, both of these addresses belong to yahoo.com
> > (for example, UNKNOWN-217-146-185-137.yahoo.com).  It seems odd to me there
> > would be access on these ports, especially port 0.  I'm curious if I need to
> > block any of the dest ports being hit.  Anyone have any ideas, suggestions, or
> > comments?  Why would these ports be accessed?
> > 
> > --
> > Tim W.
> > _______________________________________________
> > Cialug mailing list
> > Cialug@cialug.org
> > http://cialug.org/mailman/listinfo/cialug
> > 
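A small triage script for the kind of log review the thread is about, added here as an example; it is not code from the list or from either poster. It assumes the ipchains kernel log format documented in the ipchains HOWTO (`Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...`). One detail of that format matters for reading the entries: for PROTO=1 (ICMP), ipchains writes the ICMP type in the source-port position and the ICMP code in the destination-port position, so the script decodes those fields as type/code instead of treating them as TCP/UDP ports. The log lines, addresses and allow list below are constructed for the example.

```python
"""Summarize ipchains packet-log lines from /var/log/messages.

Added example, not from the thread. Assumes the ipchains HOWTO log format:
  Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=.. S=.. I=.. F=.. T=..
For PROTO=1 (ICMP) the two "port" fields carry the ICMP type and code.
"""
import re
from collections import Counter, defaultdict

IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
ICMP_TYPES = {0: "echo-reply", 3: "dest-unreachable", 8: "echo-request",
              11: "time-exceeded", 12: "parameter-problem"}


def parse_ipchains(lines):
    """Return one dict per ipchains log line; unrelated syslog lines are skipped."""
    entries = []
    for line in lines:
        m = IPCHAINS_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        for k in ("proto", "sport", "dport"):
            e[k] = int(e[k])
        e["proto_name"] = PROTO_NAMES.get(e["proto"], str(e["proto"]))
        if e["proto"] == 1:
            # ICMP: the "ports" are really type and code, so name them that way
            e["icmp_type"], e["icmp_code"] = e["sport"], e["dport"]
            type_name = ICMP_TYPES.get(e["sport"], "type %d" % e["sport"])
            e["service"] = "icmp %s/code %d" % (type_name, e["dport"])
        else:
            e["service"] = "%s/%d" % (e["proto_name"], e["dport"])
        entries.append(e)
    return entries


def summarize(entries, target="ACCEPT"):
    """Count entries with the given target by decoded service, and sources per service."""
    matched = [e for e in entries if e["target"] == target]
    by_service = Counter(e["service"] for e in matched)
    sources = defaultdict(Counter)
    for e in matched:
        sources[e["service"]][e["src"]] += 1
    return {"total": len(matched), "by_service": by_service, "sources": sources}


def unexpected_services(summary, expected=("tcp/22", "tcp/80")):
    """Services that were accepted but are not on the (hypothetical) allow list."""
    return {s: n for s, n in summary["by_service"].items() if s not in expected}


# Constructed sample log lines using RFC 5737 documentation addresses; not real data.
SAMPLE_LOG = """\
Dec  6 10:01:02 host kernel: Packet log: input ACCEPT eth0 PROTO=1 203.0.113.10:8 192.0.2.5:0 L=84 S=0x00 I=0 F=0x0000 T=54
Dec  6 10:01:03 host kernel: Packet log: input ACCEPT eth0 PROTO=1 203.0.113.10:8 192.0.2.5:0 L=84 S=0x00 I=0 F=0x0000 T=54
Dec  6 10:02:10 host kernel: Packet log: input ACCEPT eth0 PROTO=1 198.51.100.7:3 192.0.2.5:13 L=56 S=0x00 I=0 F=0x0000 T=60
Dec  6 10:03:44 host kernel: Packet log: input ACCEPT eth0 PROTO=1 198.51.100.7:11 192.0.2.5:0 L=56 S=0x00 I=0 F=0x0000 T=60
Dec  6 10:04:00 host kernel: Packet log: input ACCEPT eth0 PROTO=6 198.51.100.7:40000 192.0.2.5:22 L=60 S=0x00 I=1 F=0x4000 T=60 SYN (#1)
Dec  6 10:04:30 host kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.7:40001 192.0.2.5:23 L=60 S=0x00 I=2 F=0x4000 T=60 SYN (#9)
Dec  6 10:05:00 host sshd[123]: Accepted password for tim from 192.0.2.9 port 40000 ssh2
"""


def report(text=SAMPLE_LOG):
    """Parse a log text and return (summary, services not on the allow list)."""
    summary = summarize(parse_ipchains(text.splitlines()))
    return summary, unexpected_services(summary)


if __name__ == "__main__":
    summary, odd = report()
    print("accepted entries:", summary["total"])
    for service, n in summary["by_service"].most_common():
        top = summary["sources"][service].most_common(3)
        print("  %-32s %4d  top sources: %s" % (service, n, top))
    print("accepted but not on allow list:", odd)
```

Run against a real `/var/log/messages` by passing the file contents to `report()`; the per-service source counts show whether a pattern comes from a couple of addresses or from everywhere, and the decoded ICMP names make it clear whether a low "port" number is a port at all before deciding which rules to tighten.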