Our company's servers were hit by malicious port scans recently. Afterwards we found that portsentry, a free anti-scan tool for Linux, can solve the problem.
1. Installing portsentry
Download portsentry-1.2.tar.gz
[root@tomcat135 ~]# tar zxvf portsentry-1.2.tar.gz
[root@tomcat135 ~]# cd portsentry_beta/
Open portsentry.c and look around line 1590 for the printf that prints the Copyright 1997-2003 notice. The string literal is split across two lines and has to be joined into a single line, otherwise the build reports an error:
1584 printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at the users dot
1585 sourceforget dot net>\n");
Change it to:
1584 printf ("Copyright 1997-2003 Craig H. Rowland <craigrowland at the users dot sourceforget dot net>\n");
[root@tomcat135 portsentry_beta]# make && make install
cp: cannot stat './portsentry': No such file or directory
make: *** [install] Error 1
This error appears because a bare make builds nothing (the Makefile only lists the supported platforms), so make install has no ./portsentry binary to copy. When we hit this problem we ran make && make install && make linux in one go; the target that actually compiles the binary on Linux is make linux, and make install only succeeds after it has been run:
[root@tomcat135 portsentry_beta]# make linux
2. Configuring portsentry
[root@tomcat135 portsentry_beta]# vi /usr/local/psionic/portsentry/portsentry.conf
Find the following lines:
# Use these if you just want to be aware:
TCP_PORTS="1,11,15,79,111,119,143,540,635,1080,1524,2000,5742,6667,12345,12346,20034,27665,31337,32771,32772,32773,32774,40421,49724,54320"
UDP_PORTS="1,7,9,69,161,162,513,635,640,641,700,37444,34555,31335,32770,32771,32772,32773,32774,31337,54321"
Add the ports you want to monitor to these lists.
Start portsentry with the following command (-atcp selects advanced stealth scan detection for TCP, as the log below confirms):
[root@tomcat135 portsentry_beta]# /usr/local/psionic/portsentry/portsentry -atcp
View the log:
[root@tomcat135 portsentry_beta]# tail /var/log/messages
Jul 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced mode will manually exclude port: 139
Jul 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced stealth scan detection mode activated. Ignored TCP port: 22
Jul 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced stealth scan detection mode activated. Ignored TCP port: 25
Jul 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced stealth scan detection mode activated. Ignored TCP port: 80
Jul 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced stealth scan detection mode activated. Ignored TCP port: 111
Jul 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced stealth scan detection mode activated. Ignored TCP port: 631
Jul 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced stealth scan detection mode activated. Ignored TCP port: 637
Jul 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced stealth scan detection mode activated. Ignored TCP port: 113
Jul 19:58:59 tomcat135 portsentry[11037]: adminalert: Advanced stealth scan detection mode activated. Ignored TCP port: 139
Jul 19:58:59 tomcat135 portsentry[11037]: adminalert: PortSentry is now active and listening.
When an attack has been detected we can look at /etc/hosts.deny:
[root@tomcat135 portsentry_beta]# cat /etc/hosts.deny
#
# hosts.deny    This file contains access rules which are used to
#               deny connections to network services that either use
#               the tcp_wrappers library or that have been
#               started through a tcp_wrappers-enabled xinetd.
#
#               The rules in this file can also be set up in
#               /etc/hosts.allow with a 'deny' option instead.
#
#               See 'man 5 hosts_options' and 'man 5 hosts_access'
#               for information on rule syntax.
#               See 'man tcpd' for information on tcp_wrappers
#
Below the header the file holds one "ALL: <address>" line per blocked host. These entries are the addresses that ran malicious scans against us; portsentry added them automatically, so services that consult tcp_wrappers now refuse connections from them.
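As an added example (not part of the original post), a small POSIX shell audit of the hosts.deny entries portsentry writes: it lists the blocked addresses and flags any that fall inside a prefix you never want locked out, such as your own management or monitoring hosts, since portsentry blocks whatever triggers it. It assumes entries of the form ALL: <ipv4> as shown above; the sample file it builds is constructed, not real data.

```shell
#!/bin/sh
# Added example (not from the original post): audit what portsentry has
# written to /etc/hosts.deny and flag any blocked address that belongs to a
# prefix you never want locked out (management hosts, monitoring, VPN).
# Assumed: portsentry appends lines of the form "ALL: <ipv4>", as seen above.

# Print one blocked IPv4 address per line from a hosts.deny file.
# Comments, blank lines and service-specific rules (e.g. "sshd: ...") are skipped.
portsentry_blocked_hosts() {
    grep -iE '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*[0-9]{1,3}(\.[0-9]{1,3}){3}[[:space:]]*$' "$1" |
        sed -E 's/^[[:space:]]*[Aa][Ll][Ll][[:space:]]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# Usage: blocked_in_allowlist FILE PREFIX...  (PREFIX is a dotted prefix such as "10.20.30.")
# Prints every blocked address that starts with one of the given prefixes.
blocked_in_allowlist() {
    file=$1; shift
    portsentry_blocked_hosts "$file" | while read -r ip; do
        for prefix in "$@"; do
            case $ip in
                "$prefix"*) echo "$ip"; break ;;
            esac
        done
    done
}

# Write a constructed hosts.deny (not real data) to a temp file and print its path.
make_sample_hosts_deny() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# hosts.deny  sample header comment
ALL: 203.0.113.7
all: 198.51.100.9
ALL: 10.20.30.40
sshd: 192.0.2.1
EOF
    echo "$f"
}

sample=$(make_sample_hosts_deny)
echo "blocked by portsentry:"
portsentry_blocked_hosts "$sample"
echo "blocked addresses inside the 10.20.30.0/24 allowlist:"
blocked_in_allowlist "$sample" "10.20.30."
rm -f "$sample"
```

Run it against the real file with the prefixes of your own networks; any address it prints is a host you should whitelist in portsentry.ignore before it can trigger a block again.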
This article comes from the "Fly Hung 膤" blog; please keep this source: http://jxzhfei.blog.51cto.com/1382161/1444740
Anti-malware scanning software portsentry under Linux