[OpenAFS] Port probing our AFS cell...
Rodney M Dyer
rmdyer@uncc.edu
Tue, 06 Sep 2005 13:33:42 -0400
We are checking into possible probing (hacking) attempts on our AFS file
servers. We are seeing one address (24.74.66.175) that our fileserver
needs to perform a callback on and it fails. The problem is that it seems
to fail on port numbers that are increasing by 12 each time. The following
logs show this "probing"...
http://www.coe.uncc.edu/~rmdyer/afs_info_share/possible_probing_incidents/FileLog
http://www.coe.uncc.edu/~rmdyer/afs_info_share/possible_probing_incidents/FileLog.old
We've also seen our BOS process die leaving strange last-write-times on
some of the logs. Notice the date on the core, BosLog, and VolserLog files:
# ls -l
total 9012
-rw-r--r-- 1 root root 124 Dec 30 1967 BosLog
-rw-r--r-- 1 root root 1705 Sep 4 04:00 BosLog.old
-rw-r--r-- 1 root root 37272 Sep 6 08:56 FileLog
-rw-r--r-- 1 root root 56469 Sep 4 04:00 FileLog.old
-rw-r--r-- 1 root root 15474 Aug 31 07:01 SalvageLog
-rw-r--r-- 1 root other 15475 Aug 31 06:56 SalvageLog.old
-rw-r--r-- 1 root root 77 Dec 30 1967 VolserLog
-rw-r--r-- 1 root root 77 Sep 4 04:00 VolserLog.old
-rw------- 1 root root 1817440 Dec 30 1967 core
-rw------- 1 root other 747172 Aug 31 06:57 corefile.fs
-rw------- 1 root root 1882976 Dec 30 1967 corevol.fs
Does this at all look like something out of the ordinary to any of you?
Any advice is appreciated. Thanks.
Rodney
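
Added example, not part of the original post: a Python check for the pattern described above, a single address whose logged port advances by a fixed step on each entry. The sample lines are constructed and their wording is an assumption, not real FileLog output; only the address:port token is parsed.

```python
import re
from collections import defaultdict

# Constructed sample lines; the wording is illustrative, not real FileLog output.
# Only the "ip:port" token on each line matters to the parser.
SAMPLE_LOG = """\
Tue Sep  6 08:40:01 2005 callback failed for host 24.74.66.175:1024
Tue Sep  6 08:41:13 2005 callback failed for host 24.74.66.175:1036
Tue Sep  6 08:42:27 2005 callback failed for host 192.0.2.10:7001
Tue Sep  6 08:43:40 2005 callback failed for host 24.74.66.175:1048
Tue Sep  6 08:44:52 2005 callback failed for host 24.74.66.175:1060
Tue Sep  6 08:45:05 2005 callback failed for host 192.0.2.10:7001
Tue Sep  6 08:46:18 2005 callback failed for host 198.51.100.7:40211
Tue Sep  6 08:47:30 2005 callback failed for host 198.51.100.7:1033
Tue Sep  6 08:48:44 2005 callback failed for host 198.51.100.7:52010
Tue Sep  6 08:49:57 2005 callback failed for host 198.51.100.7:1500
"""

ENDPOINT = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")

def ports_by_host(log_text):
    """Collect ports per IPv4 address in log order, dropping immediate repeats."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        for ip, port in ENDPOINT.findall(line):
            port = int(port)
            if port <= 65535 and (not seen[ip] or seen[ip][-1] != port):
                seen[ip].append(port)
    return seen

def constant_stride_hosts(log_text, min_ports=4):
    """Return {ip: stride} for hosts whose successive ports differ by one fixed step."""
    flagged = {}
    for ip, ports in ports_by_host(log_text).items():
        if len(ports) < min_ports:
            continue  # too few observations to call it a pattern
        steps = {b - a for a, b in zip(ports, ports[1:])}
        if len(steps) == 1:
            flagged[ip] = steps.pop()
    return flagged

if __name__ == "__main__":
    for ip, stride in constant_stride_hosts(SAMPLE_LOG).items():
        print(f"{ip}: port changes by {stride} on each logged entry")
```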