Hi all.
I am writing to you because I noticed some strange activity on my minion server.
I run Snort on the server, and every day I receive a log of some stats
from the Snort system. The problem is that Snort sees a port scan from
my server to 4 other servers on the net every day.
I studied the Snort log and noticed that the victims of the port
scan are 4 mixminion servers!
I am pasting part of the last log for you...
Events from same host to same destination using same method
=========================================================================
# of    from            to              method
=========================================================================
   179  192.168.0.2     192.168.0.25    DNS SPOOF query response with
                                        TTL of 1 min. and no authority
     8  192.168.0.25    24.128.50.77    (portscan) TCP Portsweep
     8  62.94.16.209    192.168.0.25    ICMP Source Quench
     3  192.168.0.25    218.103.207.95  (portscan) TCP Portsweep
     3  192.168.0.25    65.254.37.163   (portscan) TCP Portsweep
     3  192.168.0.25    72.49.47.140    (portscan) TCP Portsweep
As you can see, I receive a DNS Spoof from the router (probably because
of dyndns.org services, so maybe a Snort false positive) and then a
portscan follows. The very strange thing is that only 4 servers are port
scanned.
So, is this a normal action of the minion server?
Is it possible that the Snort log is a false positive due to the
connection between nodes? And, if yes, is this a possible danger for
anonymity (the Snort log is saved!!)?
Thanks,
Stefano alias ZeNo - Italy
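As an added example, not part of the original message, here is a small Python triage script for a Snort daily-stats summary of the kind pasted above. It parses the "Events from same host to same destination using same method" table (including the wrapped DNS SPOOF line), labels outbound Portsweep entries according to whether the destination is a known Mixminion server, labels DNS SPOOF alerts sourced from a private (LAN) address as probable false positives, and lists which external peers the retained log ties to the node. The log text is reconstructed from the post; the set of Mixminion server addresses is a constructed stand-in for what you would extract from your node's mixminion directory, and the verdict strings are this example's own labels, not Snort output.

```python
"""Triage a Snort stats summary like the one quoted in the post.

Added example. SNORT_STATS is reconstructed from the post; KNOWN_MIX_SERVERS
is a constructed stand-in for the server IPs from a mixminion directory.
"""
import re
from ipaddress import ip_address

# Reconstructed from the post (constructed sample input).
SNORT_STATS = """\
Events from same host to same destination using same method
=========================================================================
# of    from            to              method
=========================================================================
   179  192.168.0.2     192.168.0.25    DNS SPOOF query response with
                                        TTL of 1 min. and no authority
     8  192.168.0.25    24.128.50.77    (portscan) TCP Portsweep
     8  62.94.16.209    192.168.0.25    ICMP Source Quench
     3  192.168.0.25    218.103.207.95  (portscan) TCP Portsweep
     3  192.168.0.25    65.254.37.163   (portscan) TCP Portsweep
     3  192.168.0.25    72.49.47.140    (portscan) TCP Portsweep
"""

MY_HOST = "192.168.0.25"

# Constructed: in practice, fill this from the IPs listed in your node's
# mixminion directory. These are the four destinations named in the post.
KNOWN_MIX_SERVERS = {"24.128.50.77", "218.103.207.95", "65.254.37.163", "72.49.47.140"}

# count, from, to, then the rest of the line as the method text
EVENT_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(.+?)\s*$")


def _is_ip(s):
    try:
        ip_address(s)
        return True
    except ValueError:
        return False


def parse_stats(text):
    """Return a list of {count, src, dst, method} dicts from the summary table."""
    events = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("=") or stripped.startswith("Events") \
                or stripped.startswith("# of"):
            continue
        m = EVENT_RE.match(line)
        if m and _is_ip(m.group(2)) and _is_ip(m.group(3)):
            events.append({"count": int(m.group(1)), "src": m.group(2),
                           "dst": m.group(3), "method": m.group(4)})
        elif events:
            # Wrapped continuation of the previous event's method text.
            events[-1]["method"] += " " + stripped
    return events


def triage(events, my_host, mix_servers):
    """Attach a verdict label to each event; labels are this example's own."""
    findings = []
    for e in events:
        if "Portsweep" in e["method"] and e["src"] == my_host:
            if e["dst"] in mix_servers:
                verdict = "likely benign: outbound to known Mixminion server"
            else:
                verdict = "investigate: outbound portsweep to unknown host"
        elif "DNS SPOOF" in e["method"] and ip_address(e["src"]).is_private:
            verdict = "likely false positive: DNS answer from LAN address"
        else:
            verdict = "review"
        findings.append((e, verdict))
    return findings


def peers_revealed(events, my_host):
    """External (non-private) addresses the retained log associates with my_host."""
    peers = set()
    for e in events:
        for addr in (e["src"], e["dst"]):
            if addr != my_host and not ip_address(addr).is_private:
                peers.add(addr)
    return peers


if __name__ == "__main__":
    evs = parse_stats(SNORT_STATS)
    for e, verdict in triage(evs, MY_HOST, KNOWN_MIX_SERVERS):
        print(f"{e['count']:>4} {e['src']:>15} -> {e['dst']:<15} {e['method']}")
        print(f"     {verdict}")
    print("peers recorded in the saved log:", sorted(peers_revealed(evs, MY_HOST)))
```

Run it as-is to see the per-row verdicts; swap KNOWN_MIX_SERVERS for the addresses in your own directory to check whether every outbound Portsweep target is a mix node, and note that peers_revealed shows exactly what a retained Snort log records about which hosts the node talked to.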