Friday, August 26, 2005

One advantage of IPCop is the logging.

I've been looking in the logging a fair bit, mainly to try to work out what's causing connectivity issues, but also out of interest.

I can't believe how much junk there is on the internet.

I'm seeing BigPong customers trying to access MSSQL server, several different worms, Sasser, Dabber, and something trying to access port 32775.

I can't even find what it would be looking for on that port.

I'm also seeing stacks of attempted gnutella connections, but I haven't had LimeWire running for hours.
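To make sense of a flood of entries like the ones above, it helps to roll the firewall log up by destination port and source host instead of reading it line by line. The following is an added example, not code from the original post or from the IPCop project; it assumes netfilter-style kernel log lines (the `SRC=`/`PROTO=`/`DPT=` fields IPCop writes) and uses constructed sample lines with documentation addresses. Ports are labelled only where the service is well known; everything else stays "unknown", which is the honest answer for port 32775 here.

```python
import re
from collections import Counter, defaultdict

# Assumed netfilter-style log format (IPCop logs dropped packets via the kernel),
# e.g. "... kernel: INPUT IN=ppp0 ... SRC=a.b.c.d DST=... PROTO=TCP SPT=... DPT=1433 ..."
LOG_RE = re.compile(r"SRC=(?P<src>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

# Services for the ports the post discusses. Anything not listed is reported as
# "unknown" rather than guessed. Gnutella hits keep arriving after the client is
# closed because other peers still hold your address in their host caches.
KNOWN_PORTS = {1433: "MSSQL", 6346: "gnutella"}

def parse_line(line):
    """Return (src, proto, dst_port) for a firewall log line, or None if it has none."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("proto"), int(m.group("dpt"))

def summarise(lines):
    """Roll log lines up per destination port: service label, hit count, distinct sources."""
    hits = Counter()
    sources = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue          # chatter that is not a firewall entry
        src, _proto, dpt = rec
        hits[dpt] += 1
        sources[dpt].add(src)
    return {
        port: {"service": KNOWN_PORTS.get(port, "unknown"),
               "hits": n, "sources": sorted(sources[port])}
        for port, n in hits.items()
    }

# Constructed sample log (RFC 5737 documentation addresses), not real captured data.
SAMPLE_LOG = """\
Aug 26 10:01:02 ipcop kernel: INPUT IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=4123 DPT=1433
Aug 26 10:01:05 ipcop kernel: INPUT IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=2201 DPT=1433
Aug 26 10:02:10 ipcop kernel: INPUT IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.7 PROTO=TCP SPT=6346 DPT=6346
Aug 26 10:02:11 ipcop kernel: INPUT IN=ppp0 OUT= SRC=192.0.2.45 DST=198.51.100.7 PROTO=TCP SPT=6346 DPT=6346
Aug 26 10:03:00 ipcop kernel: INPUT IN=ppp0 OUT= SRC=203.0.113.77 DST=198.51.100.7 PROTO=TCP SPT=3344 DPT=32775
""".splitlines()

if __name__ == "__main__":
    for port, info in sorted(summarise(SAMPLE_LOG).items()):
        print(f"port {port:>5} ({info['service']}): {info['hits']} hits from {len(info['sources'])} hosts")
```

Point it at the real log (for example by reading `/var/log/messages` line by line) and the unknown ports with many distinct sources are the ones worth checking against the Snort alerts.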

I haven't managed to turn on the snort stuff yet, because I'm having difficulty becoming a member. I created an account, but I can't log in; I tried changing my password, still no good.

I've emailed their support, and I'm waiting for a reply. I dread to think what snort is going to identify going on.

Update: I finally got a reply from their support, and they told me that it could be something to do with cookie support.

I tried logging in again; it still didn't work. I wondered if the transparent proxy was doing something, so I tried disabling that, but I still couldn't log in.

I decided to try a different browser, so I fired up Konqueror. I was able to log in, and in the process it popped up and asked if I wanted to accept the cookie. Hmm.

Anyway, I was able to log in and get the "oink" code that I needed, then I configured snort properly.

It didn't really tell me anything I didn't already know about those SQL exploits. What I did find interesting was that there were 2 separate hosts, both in China, attacking me within a couple of seconds of installing the rulesets. (Or perhaps they attacked me in the last couple of hours, and snort has analysed the current running log file.)
