OneTwenty web services temporarily down (attempted hack?)

OneTwenty web services were temporarily down earlier today, possibly due to an attempted hack. The kernel caught a TCP window shrink attempt:

TCP: Treason uncloaked! Peer 220.128.54.50:2072/80 shrinks window

This page has a few explainations of what the problem could be. The http site at the IP address in question looks to be a vanilla Mandrake install. Running a reverse DNS lookup reveals that the computer is somewhere in China (that is, if it isn’t a masqueraded IP).

Anyhow, the kernel caught the problem and I used iptables to automatically drop packets originating from that IP address. Anyone else have something like this happen recently?

Update: Installed OSSEC per Steve‘s suggestion. The latest version (0.9.3) installs easily (following the instructions in the manual) and even creates the /etc/init.d/ossec file for easy use in Ubuntu!

2 thoughts on “OneTwenty web services temporarily down (attempted hack?)”

  1. My firewall machine gets hack attempts almost constantly. I run OSSEC, and get reports like this on a daily basis:

    sshd[4783]: Invalid user webadmin from 61.82.25.83
    sshd[4775]: Invalid user tomcat from 61.82.25.83
    sshd[4763]: Invalid user samba from 61.82.25.83
    sshd[4755]: Invalid user office from 61.82.25.83
    sshd[4745]: Invalid user alias from 61.82.25.83
    sshd[4736]: Invalid user recruit from 61.82.25.83
    sshd[4727]: Invalid user sales from 61.82.25.83

    OSSEC then blocks that host within iptables and hosts.deny. Might be worth looking at.

Leave a Reply

Your email address will not be published. Required fields are marked *