
Is machine or website compromised?

This morning, I saw something I've never seen before.
 
Under the Intrusion Prevention System (IPS) heading of the Daily Executive Report, one of my internal IPs is listed as an attacker. Has my website or computer been compromised?
 
When I check the Sophos logs, I see there were several dropped packets which show 129.121.176.245 (not my IP address) as being the source IP/attacker but there are two listings in the IPS log that show my internal IP 192.168.x.x as being the source IP/attacker.
 
Below is a screen cap of the report and excerpts from the logs:

 
 
Sophos Firewall log:
 
/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:23 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="b4:00:00:00:00:b7" srcip="129.121.176.245" dstip="192.168.x.x" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="43642" dstport="21" tcpflags="ACK RST"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:23 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x0" proto="6" length="52" tos="0x00" prec="0x20" ttl="45" srcport="49208" dstport="21" tcpflags="SYN"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:23 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x1" proto="6" length="52" tos="0x00" prec="0x20" ttl="44" srcport="55098" dstport="21" tcpflags="SYN"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:23 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x2" proto="6" length="52" tos="0x00" prec="0x20" ttl="44" srcport="48903" dstport="21" tcpflags="SYN"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:25 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x3" proto="6" length="52" tos="0x00" prec="0x20" ttl="45" srcport="56642" dstport="21" tcpflags="SYN"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:25 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x4" proto="6" length="52" tos="0x00" prec="0x20" ttl="44" srcport="56042" dstport="21" tcpflags="SYN"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:26 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x0" proto="6" length="52" tos="0x00" prec="0x20" ttl="45" srcport="49208" dstport="21" tcpflags="SYN"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:26 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x1" proto="6" length="52" tos="0x00" prec="0x20" ttl="44" srcport="55098" dstport="21" tcpflags="SYN"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:26 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x5" proto="6" length="52" tos="0x00" prec="0x20" ttl="45" srcport="39546" dstport="21" tcpflags="SYN"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:26 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x2" proto="6" length="52" tos="0x00" prec="0x20" ttl="44" srcport="48903" dstport="21" tcpflags="SYN"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:28 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x3" proto="6" length="52" tos="0x00" prec="0x20" ttl="45" srcport="56642" dstport="21" tcpflags="SYN"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:28 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x4" proto="6" length="52" tos="0x00" prec="0x20" ttl="44" srcport="56042" dstport="21" tcpflags="SYN"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:29 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x5" proto="6" length="52" tos="0x00" prec="0x20" ttl="45" srcport="39546" dstport="21" tcpflags="SYN"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:29 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x1" proto="6" length="52" tos="0x00" prec="0x20" ttl="44" srcport="33322" dstport="21" tcpflags="SYN"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:29 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="b4:00:00:00:00:b7" srcip="129.121.176.245" dstip="192.168.x.x" proto="6" length="40" tos="0x00" prec="0x00" ttl="128" srcport="43642" dstport="21" tcpflags="ACK RST"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:00:32 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x1" proto="6" length="52" tos="0x00" prec="0x20" ttl="44" srcport="33322" dstport="21" tcpflags="SYN"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:17:02 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="b4:00:00:00:00:b7" srcip="129.121.176.245" dstip="192.168.x.x" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="58770" dstport="21" tcpflags="ACK RST"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:17:09 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="b4:00:00:00:00:b7" srcip="129.121.176.245" dstip="192.168.x.x" proto="6" length="40" tos="0x00" prec="0x00" ttl="128" srcport="58770" dstport="21" tcpflags="ACK RST"

/var/log/packetfilter/2013/11/packetfilter-2013-11-02.log.gz:2013:11:02-18:29:29 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.xx9" proto="6" length="40" tos="0x00" prec="0x20" ttl="44" srcport="58770" dstport="21" tcpflags="ACK FIN"

 
Sophos Intrusion Prevention Log:
 
/var/log/ips/2013/11/ips-2013-11-02.log.gz:2013:11:02-18:00:22 gateway snort[22227]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="APP-DETECT failed FTP login attempt" group="242" srcip="192.168.x.x" dstip="129.121.176.245" proto="6" srcport="21" dstport="43642" sid="13360" class="Misc activity" priority="3" generator="1" msgid="0"

/var/log/ips/2013/11/ips-2013-11-02.log.gz:2013:11:02-18:17:01 gateway snort[22227]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="APP-DETECT failed FTP login attempt" group="242" srcip="192.168.x.x" dstip="129.121.176.245" proto="6" srcport="21" dstport="58770" sid="13360" class="Misc activity" priority="3" generator="1" msgid="0"

I think it's obvious that 129.121.176.245 scanned my public IPs and attempted to gain access via port 21, but I'm concerned that one of my private IPs shows as the source/attacker.
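An added example, not code from the thread or from Sophos, that performs the correlation the post is asking about: it parses the two Sophos log formats shown above (the ulogd packetfilter lines and the snort IPS lines), matches each IPS alert against the packetfilter drops, and reports which side opened the connection. It reads the posted lines themselves (path prefixes stripped, the poster's masked addresses such as 192.168.x.x kept as literal strings, so addresses are compared as text and the private-range check is a prefix test rather than a real address parser). Its reading of the alert is that a "failed FTP login attempt" signature fires on the server's reply to the client, so a host recorded as srcip with srcport 21 is the responder rather than the initiator; the 60-second correlation window and the "service port below 1024" heuristic are choices of this example, not Sophos behaviour.

```python
"""Tell responder from initiator in a Sophos IPS alert by correlating it
with packetfilter drops.  Editor's example, not code from the thread or
from Sophos.  Log lines are copied from the post above with the poster's
masked addresses kept as literal strings."""
import re
from datetime import datetime

KV_RE = re.compile(r'(\w+)="([^"]*)"')
TS_RE = re.compile(r'(\d{4}):(\d{2}):(\d{2})-(\d{2}):(\d{2}):(\d{2})')

# Excerpts from the thread, file-path prefix removed.
IPS_LINES = [
    '2013:11:02-18:00:22 gateway snort[22227]: id="2101" severity="warn" sys="SecureNet" sub="ips" name="Intrusion protection alert" action="drop" reason="APP-DETECT failed FTP login attempt" group="242" srcip="192.168.x.x" dstip="129.121.176.245" proto="6" srcport="21" dstport="43642" sid="13360" class="Misc activity" priority="3" generator="1" msgid="0"',
]
PF_LINES = [
    '2013:11:02-18:00:23 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth2" srcmac="c4:39:3a:91:36:86" dstmac="0:15:17:6d:3b:7d" srcip="129.121.176.245" dstip="5x.x.x.x0" proto="6" length="52" tos="0x00" prec="0x20" ttl="45" srcport="49208" dstport="21" tcpflags="SYN"',
    '2013:11:02-18:00:23 gateway ulogd[4445]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60003" outitf="eth0" srcmac="b4:00:00:00:00:b7" srcip="129.121.176.245" dstip="192.168.x.x" proto="6" length="40" tos="0x00" prec="0x00" ttl="64" srcport="43642" dstport="21" tcpflags="ACK RST"',
]


def parse(line):
    """Turn one Sophos key="value" log line into a dict plus a 'ts' datetime."""
    m = TS_RE.search(line)
    rec = dict(KV_RE.findall(line))
    rec["ts"] = datetime(*(int(g) for g in m.groups()))
    return rec


def flow(rec):
    """4-tuple (srcip, srcport, dstip, dstport), compared as strings."""
    return (rec["srcip"], rec["srcport"], rec["dstip"], rec["dstport"])


def reversed_flow(t):
    return (t[2], t[3], t[0], t[1])


def is_rfc1918(ip):
    """Prefix test so that masked strings like '192.168.x.x' still classify."""
    if ip.startswith("10.") or ip.startswith("192.168."):
        return True
    m = re.match(r"172\.(\d+)\.", ip)
    return bool(m) and 16 <= int(m.group(1)) <= 31


def classify_alert(alert_line, drop_lines, window_s=60):
    """Decide who initiated the connection behind an IPS alert.

    Evidence, in order of strength:
      1. packetfilter drops whose 4-tuple is the reverse of the alert's
         (same hosts and ports, opposite direction) within window_s;
      2. SYN drops sent by the alert's *destination* host in the same
         window, i.e. that host was probing other addresses at the time;
      3. the alert's srcport being a well-known service port (<1024) while
         its dstport is ephemeral, the shape of a server reply.
    """
    a = parse(alert_line)
    drops = [parse(d) for d in drop_lines]
    near = [d for d in drops if abs((d["ts"] - a["ts"]).total_seconds()) <= window_s]
    reverse_hits = [d for d in near if flow(d) == reversed_flow(flow(a))]
    peer_probes = [d for d in near if d["srcip"] == a["dstip"] and d.get("tcpflags") == "SYN"]
    looks_like_reply = int(a["srcport"]) < 1024 <= int(a["dstport"])
    initiator = a["dstip"] if (reverse_hits or looks_like_reply) else a["srcip"]
    return {
        "signature": a["reason"],
        "alert_src": a["srcip"],
        "alert_src_is_private": is_rfc1918(a["srcip"]),
        "initiator": initiator,
        "alert_is_reply_leg": initiator == a["dstip"],
        "reverse_flow_drops": len(reverse_hits),
        "peer_syn_probes": len(peer_probes),
    }


if __name__ == "__main__":
    for line in IPS_LINES:
        v = classify_alert(line, PF_LINES)
        print(f'{v["signature"]}: alert srcip {v["alert_src"]} '
              f'(private={v["alert_src_is_private"]}), initiator {v["initiator"]}, '
              f'reply leg={v["alert_is_reply_leg"]}, reverse-flow drops={v["reverse_flow_drops"]}, '
              f'peer SYN probes={v["peer_syn_probes"]}')
```

For the posted alert the result is initiator 129.121.176.245 with the reply-leg flag set: the packetfilter shows the external host sending a SYN to port 21 and, one second after the alert, an ACK RST from 129.121.176.245:43642 to the internal host on port 21, the exact reverse of the alert's tuple. That is the picture of an outside scanner hitting the FTP service and the internal server answering, which is why the server, not the scanner, appears in the srcip field. A private host would warrant concern if the same check found it as initiator, for instance with srcport ephemeral and SYN drops of its own.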


  • I installed Sophos Endpoint on the machine and it appears to be fairly easy on resources.
     
    I have run a few other scans but I have found nothing that would indicate a malware infection.
     
    What else would cause those two entries in the logs that makes it look like my computer was the attacker?