Hello all,
I have a problem on my network and my knowledge here is limited, so ...
First, we have been blocked by the Spamhaus project using the XBL tool. It seems a computer on my network sent some spam 3 days ago. The problem for me is to know which one ... so I began to have a look at my COS log files and I discovered I could not start the intrusion detection components!
In my logs, I have the following:
Apr 18 08:50:01 srv-cos systemd: Starting Session 11429 of user root.
Apr 18 08:50:01 srv-cos systemd: Started Session 11430 of user root.
Apr 18 08:50:01 srv-cos systemd: Starting Session 11430 of user root.
Apr 18 08:50:01 srv-cos systemd: Started Session 11428 of user root.
Apr 18 08:50:01 srv-cos systemd: Starting Session 11428 of user root.
Apr 18 08:50:01 srv-cos arpwatch: bogon 192.168.0.120 d4:ae:52:9f:57:c9
Apr 18 08:50:31 srv-cos systemd: Stopping SYSV: SnortSAM dynamic firewall plug-in for Snort...
Apr 18 08:50:31 srv-cos snortsam: /etc/rc.d/init.d/snortsam: ligne 15 : [: = : opérateur unaire attendu
Apr 18 08:50:31 srv-cos snortsam: Stopping snortsam: [ÉCHOUÉ]
Apr 18 08:50:31 srv-cos systemd: Stopped SYSV: SnortSAM dynamic firewall plug-in for Snort.
Apr 18 08:50:32 srv-cos arpwatch: bogon 192.168.0.120 d4:ae:52:9f:57:c9
Apr 18 08:50:33 srv-cos systemd: Starting SYSV: SnortSAM dynamic firewall plug-in for Snort...
Apr 18 08:50:33 srv-cos snortsam: /etc/rc.d/init.d/snortsam: ligne 15 : [: = : opérateur unaire attendu
Apr 18 08:50:33 srv-cos snortsam: Starting snortsam: ... delaying[ OK ]
Apr 18 08:50:33 srv-cos systemd: Started SYSV: SnortSAM dynamic firewall plug-in for Snort.
Apr 18 08:51:02 srv-cos arpwatch: bogon 192.168.0.120 d4:ae:52:9f:57:c9
Apr 18 08:51:03 srv-cos systemd: Stopping SYSV: Snort Network Intrusion Detection System...
Apr 18 08:51:04 srv-cos systemd: Stopped SYSV: Snort Network Intrusion Detection System.
Apr 18 08:51:06 srv-cos systemd: Starting SYSV: Snort Network Intrusion Detection System...
Apr 18 08:51:06 srv-cos systemd: Started SYSV: Snort Network Intrusion Detection System.
Apr 18 08:51:21 srv-cos systemd: Stopping SYSV: Snort Network Intrusion Detection System...
Apr 18 08:51:21 srv-cos systemd: Stopped SYSV: Snort Network Intrusion Detection System.
Apr 18 08:51:21 srv-cos systemd: Starting SYSV: Snort Network Intrusion Detection System...
Apr 18 08:51:21 srv-cos systemd: Started SYSV: Snort Network Intrusion Detection System.
It seems the IP address is used by another system, because when I do #arp -n on my ClearOS server, I don't get the same MAC address as the one in the log ...
#arp -n : 192.168.100.120 ether 3c:d9:2b:58:33:5d C eth6
I don't know if my system got hacked ... and what to do ...
Thanks for your help
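As an added example (not part of the original post and not ClearOS or arpwatch code), here is a small POSIX sh script with two triage helpers for the symptoms above. The first parses arpwatch "bogon" lines out of syslog and checks each IP/MAC pair against the arp -n table: arpwatch logs a bogon when an ARP packet carries a source IP outside the network it was told to watch, so the first question is whether that IP is even known to the server. The syslog lines and ARP table in the script are constructed to mirror the post, where the bogon line names 192.168.0.120 but the arp -n line names 192.168.100.120, so the check reports the bogon address as unknown to this host rather than as a MAC conflict. The second helper reproduces the shell error behind the "ligne 15 : [: = : opérateur unaire attendu" message (an unquoted variable that expanded to nothing inside a [ ] test) and shows the quoted form that avoids it; the real line 15 of the snortsam init script is not in the post, so that function is a hypothetical reconstruction of the pattern, not the actual script.

```sh
#!/bin/sh
# Added example, not from the original post. All syslog lines and the ARP
# table below are constructed samples modelled on the post.

# --- 1. Correlate arpwatch "bogon" lines with the host's ARP table ----------
# arpwatch reports "bogon <ip> <mac>" when an ARP packet's source IP is not
# local to the network it watches. Checking that IP/MAC against `arp -n`
# tells you whether this host knows the address at all and, if it does,
# whether the MAC agrees.

# Constructed syslog excerpt (same layout as the post's log lines).
SAMPLE_SYSLOG='Apr 18 08:50:01 srv-cos arpwatch: bogon 192.168.0.120 d4:ae:52:9f:57:c9
Apr 18 08:50:31 srv-cos systemd: Stopping SYSV: SnortSAM dynamic firewall plug-in for Snort...
Apr 18 08:51:02 srv-cos arpwatch: bogon 192.168.0.120 d4:ae:52:9f:57:c9
Apr 18 08:52:10 srv-cos arpwatch: bogon 192.168.100.120 3c:d9:2b:58:33:5d
Apr 18 08:53:44 srv-cos arpwatch: bogon 192.168.100.120 00:11:22:33:44:55'

# Constructed `arp -n` output (same column layout as the real command).
SAMPLE_ARP='Address                  HWtype  HWaddress           Flags Mask            Iface
192.168.100.120          ether   3c:d9:2b:58:33:5d   C                     eth6
192.168.100.1            ether   00:50:56:aa:bb:cc   C                     eth6'

# check_bogon IP MAC ARP_TABLE -> prints one word:
#   unknown   the IP is not in this host's ARP table
#   match     the IP is present and the MAC agrees
#   mismatch  the IP is present with a different MAC
check_bogon() {
    ip=$1; mac=$2; table=$3
    known=$(printf '%s\n' "$table" \
        | awk -v ip="$ip" '$1 == ip && $2 == "ether" { print $3; exit }')
    if [ -z "$known" ]; then
        echo unknown
    elif [ "$known" = "$mac" ]; then
        echo match
    else
        echo mismatch
    fi
}

# triage_bogons SYSLOG ARP_TABLE -> one line per distinct bogon IP/MAC pair:
#   "<ip> <mac> <count> <status>"
triage_bogons() {
    printf '%s\n' "$1" \
        | awk '$5 == "arpwatch:" && $6 == "bogon" { print $7, $8 }' \
        | LC_ALL=C sort | uniq -c \
        | while read -r count ip mac; do
            status=$(check_bogon "$ip" "$mac" "$2")
            echo "$ip $mac $count $status"
        done
}

# --- 2. The "[: = : opérateur unaire attendu" (unary operator expected) error
# The shell prints that when a `[` test is left with a bare "=" because an
# unquoted variable expanded to nothing, e.g. with PID empty:
#   [ $PID = running ]   becomes   [ = running ]
# The snortsam script's line 15 is not shown in the post; these two functions
# are a hypothetical reconstruction of that pattern, not the real script.

# fragile_check VALUE: the unquoted form. With an empty VALUE the test itself
# errors out (message on stderr, status 2) and the else branch runs anyway.
fragile_check() {
    if [ $1 = running ]; then echo yes; else echo no; fi
}

# robust_check VALUE: quoting keeps the operand in place, so an empty VALUE
# is just an ordinary "no" with nothing on stderr.
robust_check() {
    if [ "$1" = running ]; then echo yes; else echo no; fi
}

# Run the triage over the constructed sample when executed directly.
triage_bogons "$SAMPLE_SYSLOG" "$SAMPLE_ARP"
```

On a real server you would feed triage_bogons the output of something like grep 'arpwatch: bogon' /var/log/messages and of arp -n; an "unknown" result means the bogon address is not in this host's ARP cache at all (the addresses in the post are on different subnets, 192.168.0.x versus 192.168.100.x), while a "mismatch" is the case where two devices answer for one IP and is worth chasing down.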