[OpenAFS] Port probing our AFS cell...

Rodney M Dyer rmdyer@uncc.edu
Tue, 06 Sep 2005 13:33:42 -0400


We are checking into possible probing (hacking) attempts on our AFS file 
servers.  We are seeing one address (24.74.66.175) that our fileserver 
needs to perform a callback on and it fails.  The problem is that it seems 
to fail on port numbers that are increasing by 12 each time.  The following 
logs show this "probing"...

      http://www.coe.uncc.edu/~rmdyer/afs_info_share/possible_probing_incidents/FileLog

      http://www.coe.uncc.edu/~rmdyer/afs_info_share/possible_probing_incidents/FileLog.old

We've also seen our BOS process die leaving strange last-write-times on 
some of the logs.  Notice the date on the core, BosLog, and VolserLog files:

      # ls -l
      total 9012
      -rw-r--r--   1 root     root         124 Dec 30  1967 BosLog
      -rw-r--r--   1 root     root        1705 Sep  4 04:00 BosLog.old
      -rw-r--r--   1 root     root       37272 Sep  6 08:56 FileLog
      -rw-r--r--   1 root     root       56469 Sep  4 04:00 FileLog.old
      -rw-r--r--   1 root     root       15474 Aug 31 07:01 SalvageLog
      -rw-r--r--   1 root     other      15475 Aug 31 06:56 SalvageLog.old
      -rw-r--r--   1 root     root          77 Dec 30  1967 VolserLog
      -rw-r--r--   1 root     root          77 Sep  4 04:00 VolserLog.old
      -rw-------   1 root     root     1817440 Dec 30  1967 core
      -rw-------   1 root     other     747172 Aug 31 06:57 corefile.fs
      -rw-------   1 root     root     1882976 Dec 30  1967 corevol.fs

Does this at all look like something out of the ordinary to any of you?

Any advice is appreciated.  Thanks.

Rodney
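
The timestamp oddity in the listing above can be checked mechanically. The following is an added example, not part of the original post: it parses the quoted `ls -l` lines and flags files whose last-write time predates the Unix epoch, and live logs that are older than their rotated `.old` copy. The function names and the reference date (taken from the post's date header) are assumptions made for the example.

```python
import re
from datetime import datetime
# File lines of the `ls -l` listing quoted in the post (copied from the page).
LISTING = """\
-rw-r--r--   1 root     root         124 Dec 30  1967 BosLog
-rw-r--r--   1 root     root        1705 Sep  4 04:00 BosLog.old
-rw-r--r--   1 root     root       37272 Sep  6 08:56 FileLog
-rw-r--r--   1 root     root       56469 Sep  4 04:00 FileLog.old
-rw-r--r--   1 root     root       15474 Aug 31 07:01 SalvageLog
-rw-r--r--   1 root     other      15475 Aug 31 06:56 SalvageLog.old
-rw-r--r--   1 root     root          77 Dec 30  1967 VolserLog
-rw-r--r--   1 root     root          77 Sep  4 04:00 VolserLog.old
-rw-------   1 root     root     1817440 Dec 30  1967 core
-rw-------   1 root     other     747172 Aug 31 06:57 corefile.fs
-rw-------   1 root     root     1882976 Dec 30  1967 corevol.fs
"""
REF = datetime(2005, 9, 6, 13, 33)  # assumption: date of the post supplies the implied year
EPOCH = datetime(1970, 1, 1)
LINE = re.compile(r"^\S+\s+\d+\s+\S+\s+\S+\s+(\d+)\s+(\w{3})\s+(\d+)\s+(\d{4}|\d\d:\d\d)\s+(.+)$")

def parse_ls(text, ref=REF):
    """Return {name: (size, mtime)}; non-file lines ('total', prompts) are skipped."""
    out = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        size, mon, day, when, name = m.groups()
        if ":" in when:  # recent file: ls prints HH:MM and the year is implied
            ts = datetime.strptime(f"{mon} {day} {ref.year} {when}", "%b %d %Y %H:%M")
            if ts > ref:  # a date after the reference must belong to the previous year
                ts = ts.replace(year=ref.year - 1)
        else:  # older file: ls prints the year instead of the time of day
            ts = datetime.strptime(f"{mon} {day} {when}", "%b %d %Y")
        out[name] = (int(size), ts)
    return out

def audit(entries):
    """Flag pre-epoch mtimes and live logs older than their rotated .old copy."""
    findings = []
    for name, (_, ts) in sorted(entries.items()):
        if ts < EPOCH:
            findings.append((name, "mtime before 1970 epoch"))
        old = entries.get(name + ".old")
        if old and ts < old[1]:
            findings.append((name, f"older than rotated copy {name}.old"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_ls(LISTING)), sep="\n")
```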