This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Astaro hacked?

I'm very concerend that my Astaro 5.103 box has been hacked.
It appears that my HTTP proxy service has been compromised but I wanted more experienced users input on this matter.

It looks like my internal machine at address 1.5 was getting harrassed, then the source of the attack changed to the address of my permimter  firwall , the Astaro box [v5.103].

This looks like a successful hack of Astaro Security Linux.
Can someone confirm?

Please examine the following log entries:
Local logfile query Query term: DOS Time span: 2005-03-01 -> 2005-03-02
Intrusion Protection System
2005:03:01-12:32:10 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:13 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:19 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:31 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:32:55 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:01-12:33:43 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372
2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:00 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:01 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:02 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:06 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:12 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:26 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]:  {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372
2005:03:02-12:50:53 (none) snort[2751]: [1:140 ...

PS:  i originally posted this in the wrong place... sorry]

This thread was automatically locked due to age.

Parents

0 SalishSwede over 20 years ago

No one can help with this?
Cancel
Vote Up 0 Vote Down

Cancel
0 StefanS_01 over 20 years ago in reply to SalishSwede

Hi,

i think that is the answer.

https://community.sophos.com/products/unified-threat-management/astaroorg/f/55/t/46741

Stefan
Cancel
Vote Up 0 Vote Down

Cancel
0 SalishSwede over 20 years ago in reply to StefanS_01

I don't see why it is relevant to my problem other than saying ASL has some bugs.

The question is:

Given the logs (above), did the attacker compromise my Astaro firewall and begin an attack from the firewall itself?
Cancel
Vote Up 0 Vote Down

Cancel
0 StefanS_01 over 20 years ago in reply to SalishSwede

Dougga,

Which I want to say thereby, is the following.

your logfile:

2005:03:01-12:32:10 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372

the IDS says it a "D" drop made of "208.254.45.206:443", but after my experiences cannot one this statement trust (see my Thread)

It sees like that from that the attack of 208.254.45.206, although drop is indicated, was successful.
If the IDS had really blocked this attack, this might not have to be seen.

2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372

cheers

Stefan
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 StefanS_01 over 20 years ago in reply to SalishSwede

Dougga,

Which I want to say thereby, is the following.

your logfile:

2005:03:01-12:32:10 (none) snort[913]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: {PROTO006} 208.254.45.206:443 -> 10.1.1.5:3372

the IDS says it a "D" drop made of "208.254.45.206:443", but after my experiences cannot one this statement trust (see my Thread)

It sees like that from that the attack of 208.254.45.206, although drop is indicated, was successful.
If the IDS had really blocked this attack, this might not have to be seen.

2005:03:02-12:49:59 (none) snort[2751]: [1:1408:0] D DOS MSDTC attempt [Classification: Attempted Denial of Service] [Priority: 2]: {PROTO006} 10.1.1.2:8081 -> 10.1.1.5:3372

cheers

Stefan
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data