[BlueOnyx:03715] Possible breach of server - assistance appreciated

Richard Morgan richard at morgan-web.co.uk
Sun Feb 28 18:31:08 -05 2010


Hi

I hope someone can point me in the right direction because this is a little 
stressful (to say the least).

We've been sent a message, via the abuse team in the data centre we use, 
that indicates port scans or something malicious is originating from our 
server.  It's actually the third time now.

The message is below, but my problem is I don't have enough familiarity with 
Linux security to dig in and know what I'm looking for.  Therefore any 
pointers in the right direction would be appreciated.

Thanks, Richard

The message received was as follows:
--------------------------------------

This is an automated message from Columbia University IT Security.  You are
receiving it because you are listed as the abuse contact for the machine
referred to below.  This machine attempted to gain unauthorized
access to one or more machines at Columbia University.

Details are provided below.  Please take all necessary
steps to mitigate such attacks.

If you have received this message in error, or if this incident
reported is inappropriate, please contact security at columbia.edu
so that we can update our procedures.  Please include the entire
body of this message.

Thank You.

Columbia University IT Security
security at columbia.edu

Name:     s1.XXXXXX.net
Address:  217.112.XX.XX

Incident type: 6000/tcp
First attempt: 27-feb-2010 05:50:00 GMT-0500
Last attempt: 27-feb-2010 05:50:00 GMT-0500
Total attempts: 131061

27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.14:6000 6 48
27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.40:6000 6 48
27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.45:6000 6 48
27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.46:6000 6 48
27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.48:6000 6 48
27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.81:6000 6 48
27-Feb-2010 05:51:46 GMT-0500 217.112.XX.XX:62518 -> 156.111.227.67:6000 6 48

There was lots more, all of a similar nature.
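An added helper, not part of Richard's message or the BlueOnyx list, that parses records in the layout of the quoted abuse report (timestamp, zone, src:port -> dst:port, IP protocol number, bytes) and aggregates them into the figures an admin needs to check against the server's own logs; the sample below is constructed, with an RFC 5737 placeholder in place of the real source address.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the layout of the quoted abuse report: timestamp, zone,
# src:port -> dst:port, IP protocol number, bytes. Source is an RFC 5737 placeholder.
SAMPLE_REPORT = """\
27-Feb-2010 05:51:46 GMT-0500 192.0.2.10:62518 -> 156.111.227.14:6000 6 48
27-Feb-2010 05:51:46 GMT-0500 192.0.2.10:62518 -> 156.111.227.40:6000 6 48
27-Feb-2010 05:51:46 GMT-0500 192.0.2.10:62518 -> 156.111.227.45:6000 6 48
27-Feb-2010 05:51:47 GMT-0500 192.0.2.10:62518 -> 156.111.227.46:6000 6 48
"""

RECORD_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}) GMT(?P<tz>[+-]\d{4}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\d+) (?P<bytes>\d+)$"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}  # IP protocol numbers as used in the report

def parse_record(line):
    """Return one flow record as a dict, or None for lines that are not records."""
    m = RECORD_RE.match(line.strip())
    if m is None:
        return None
    when = datetime.strptime(f"{m['ts']} {m['tz']}", "%d-%b-%Y %H:%M:%S %z")
    return {
        "when": when,
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "proto": PROTO_NAMES.get(int(m["proto"]), m["proto"]),
        "bytes": int(m["bytes"]),
    }

def summarize(report_text):
    """Aggregate records into the figures needed to correlate with local logs."""
    recs = [r for r in map(parse_record, report_text.splitlines()) if r]
    if not recs:
        return {"records": 0}
    times = [r["when"] for r in recs]
    return {
        "records": len(recs),
        "first": min(times).isoformat(),
        "window_seconds": (max(times) - min(times)).total_seconds(),
        "unique_dsts": len({r["dst"] for r in recs}),
        "dports": Counter(r["dport"] for r in recs),
        "protos": Counter(r["proto"] for r in recs),
        # one destination port hit on many different hosts is consistent with a port sweep
        "looks_like_port_sweep": len({r["dport"] for r in recs}) == 1 and len({r["dst"] for r in recs}) > 1,
    }
```

The "first" timestamp and "window_seconds" give the exact interval to search in the server's process accounting, firewall and cron logs, which is where the originating process is usually found.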
