OneTwenty web services were temporarily down earlier today, possibly due to an attempted hack. The kernel logged a peer shrinking its TCP window:
TCP: Treason uncloaked! Peer 184.108.40.206:2072/80 shrinks window
This page has a few explanations of what the problem could be. The message means the peer advertised a smaller receive window than it had already announced; that is a protocol violation, but it is more often caused by a buggy TCP stack or a NAT device in the path than by a deliberate attack. The HTTP site at the IP address in question looks to be a vanilla Mandrake install. A reverse DNS lookup suggests that the computer is somewhere in China (that is, if it isn't a masqueraded or spoofed IP).
Anyhow, the kernel caught the problem and I used iptables to automatically drop packets originating from that IP address. Anyone else have something like this happen recently?
Update: Installed OSSEC per Steve's suggestion. The latest version (0.9.3) installs easily (following the instructions in the manual) and even creates the /etc/init.d/ossec file for easy use in Ubuntu!
2 thoughts on “OneTwenty web services temporarily down (attempted hack?)”
My firewall machine gets hack attempts almost constantly. I run OSSEC, and get reports like this on a daily basis:
sshd: Invalid user webadmin from 220.127.116.11
sshd: Invalid user tomcat from 18.104.22.168
sshd: Invalid user samba from 22.214.171.124
sshd: Invalid user office from 126.96.36.199
sshd: Invalid user alias from 188.8.131.52
sshd: Invalid user recruit from 184.108.40.206
sshd: Invalid user sales from 220.127.116.11
OSSEC then blocks that host within iptables and hosts.deny. Might be worth looking at.
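As an added example (not code from the original post, and not OSSEC's own active-response scripts), here is a small log-driven blocker that does for the two event types on this page what the post did by hand and what Steve's OSSEC setup does automatically: it pulls the source address out of the kernel's "Treason uncloaked" window-shrink message and out of sshd's "Invalid user" message, counts hits per address, and emits iptables DROP rules and hosts.deny entries for addresses over a threshold. The sample log, the thresholds and the script's behaviour are assumptions for the example; the log formats follow the lines quoted on this page.

```shell
#!/bin/sh
# Added example, not from the original post or from OSSEC: a minimal
# log-driven blocker in the spirit of OSSEC active response.
set -eu

# Constructed sample log (syslog style), mixing both event types with benign noise.
SAMPLE_LOG='Mar  3 10:12:01 gw kernel: TCP: Treason uncloaked! Peer 184.108.40.206:2072/80 shrinks window 1234567:1234600. Repaired.
Mar  3 10:12:05 gw kernel: TCP: Treason uncloaked! Peer 184.108.40.206:2073/80 shrinks window 1234700:1234800. Repaired.
Mar  3 10:13:20 gw sshd[2201]: Invalid user webadmin from 220.127.116.11
Mar  3 10:13:22 gw sshd[2203]: Invalid user tomcat from 220.127.116.11
Mar  3 10:13:25 gw sshd[2205]: Invalid user samba from 220.127.116.11
Mar  3 10:13:40 gw sshd[2210]: Invalid user office from 18.104.22.168
Mar  3 10:14:02 gw sshd[2212]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2'

# Assumed thresholds. A single window-shrink message is usually a broken peer
# or NAT box, so it is a signal rather than proof; repeated invalid-user
# logins are a much clearer sign of a brute-force scan.
TREASON_THRESHOLD=2
SSHD_THRESHOLD=3

# extract_events: stdin log -> lines of "<type> <ip>" for the two event types.
# The sshd pattern accepts both "sshd[pid]:" and the bare "sshd:" form OSSEC reports.
extract_events() {
    sed -n \
        -e 's/.*Treason uncloaked! Peer \([0-9.]*\):[0-9]*\/[0-9]*.*/treason \1/p' \
        -e 's/.*sshd[^:]*: Invalid user [^ ]* from \([0-9.]*\).*/sshd \1/p'
}

# offenders: stdin log -> addresses whose per-type count meets its threshold, sorted.
offenders() {
    extract_events | awk -v t="$TREASON_THRESHOLD" -v s="$SSHD_THRESHOLD" '
        { n[$1 " " $2]++ }
        END {
            for (k in n) {
                split(k, f, " ")
                lim = (f[1] == "treason") ? t : s
                if (n[k] >= lim) print f[2]
            }
        }' | sort -u
}

# iptables_rules: stdin log -> one DROP rule per offender (printed, not applied).
iptables_rules() {
    offenders | while read -r ip; do
        printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
    done
}

# hosts_deny_lines: stdin log -> TCP wrappers entries for /etc/hosts.deny.
hosts_deny_lines() {
    offenders | while read -r ip; do
        printf 'ALL: %s\n' "$ip"
    done
}

# apply_blocks: enforce for real. Needs root. "iptables -C" checks whether the
# rule already exists so re-running the script does not stack duplicates.
apply_blocks() {
    offenders | while read -r ip; do
        iptables -C INPUT -s "$ip" -j DROP 2>/dev/null || iptables -I INPUT -s "$ip" -j DROP
        grep -qx "ALL: $ip" /etc/hosts.deny 2>/dev/null || printf 'ALL: %s\n' "$ip" >> /etc/hosts.deny
    done
}

# Dry run on the built-in sample when executed directly;
# "./blocker.sh --apply < /var/log/syslog" enforces against a real log.
if [ "${1:-}" = "--apply" ]; then
    apply_blocks
else
    printf '%s\n' "$SAMPLE_LOG" | iptables_rules
    printf '%s\n' "$SAMPLE_LOG" | hosts_deny_lines
fi
```

On the sample, 184.108.40.206 (two window-shrink messages) and 220.127.116.11 (three invalid users) are blocked while 18.104.22.168 (one invalid user) is not. Two caveats: hosts.deny only affects services that honour TCP wrappers (sshd on Ubuntu of that era did), and a blocker like this should expire its entries after a while, as OSSEC's active response does, or a spoofed or shared address ends up blocked forever.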
I adhered to your previous advice when someone hacked ViSLAB. Stay calm and don’t do anything rash… aside from that… wasn’t sure what else to do 🙁