Questions tagged [intrusion-detection]

Intrusion Detection is the ability of a system to analyze different parameters on a computer system to determine whether the system is compromised or not.

This can be done through:

  • Log analysis
  • Hash checking of files
  • Network analysis
51 questions
0 votes · 1 answer

secast init file already exists

I'm installing SecAst on a new computer and I'm on step 2.1.7 (copying init files). I copied the first init.d file, but when I copy the second one it says the file already exists (and I'm overwriting the last file). This doesn't make sense.
user220412
0 votes · 2 answers

SecAst: Failing to Ban IP ''

To Generation D: This was the setup at the time this issue was observed: secast-1.0.1.0-x86_64-ub12 on Ubuntu 12.04.4 Server LTS with Asterisk 11.10.2. The following events were captured and observed in /var/log/secast after leaving secast (build…
Elyod
0 votes · 1 answer

Host says server is affected by malware, anyone know this one? What to do?

My host sent a notification that says the server is infected with a malware; it doesn't seem very popular. The Symantec site about this malware shows Windows machines as targets, but not CentOS. Does anyone know what this malware does exactly? What are…
adrianTNT
0 votes · 1 answer

How to detect my server is used as a port scanner?

My Web Server is running Ubuntu 12.04.2 LTS with all security updates installed. It is used as a Web Proxy server that handles incoming requests on HTTP/80 HTTPS/443 but also retrieves web content from other servers using HTTP/HTTPS connections. The…
0 votes · 2 answers

Remote hosts accessing AD's registry

I have a situation here. I have an intrusion detection system and it constantly alerts me that a remote host is accessing our AD's registry remotely. Our remote hosts are mainly Windows XP and our ADs are W2K8. The remote hosts access them over SMB…
0 votes · 1 answer

How can I find out what user from a specified IP is doing with my server?

Last night around 2:00, I tried out a snippet: netstat -ntu | tail -n +3|awk '{ print $5}' | cut -d : -f 1 | sort | uniq -c| sort -n -r | head -n 5 Then it turned out one IP had almost 120+ entries (I am not sure whether this…
allanruin
0 votes · 2 answers

Strange entry in Apache log

In my previous post I got something weird in the Apache log. Again, I found something strange, but what freaks me out is the response code. It's not 501 anymore, but 200. What do you say? Should I enable paranoid mode? Here's the…
aL3xa
0 votes · 2 answers

Last night, my server was doing something intensive with the hard drive

I have an Ubuntu server running in my bedroom. It's connected to the internet. Last night, at 5am, it was doing some intensive I/O with the hard drive (I heard it) for about 20 minutes. I don't have any cron jobs scheduled, and it has not done that…
sybind
0 votes · 1 answer

Have I Just Been Hacked? (Intrusion Alert, Known Hacker's Email is Marked as Recipient for an Email in Thunderbird)

I'm a product creator, and in attempt to track and stem my losses from piracy, I occasionally visit a bulletin board dedicated to piracy and piracy-for-profit; my products are regularly pirated and sold there. When visiting, I often get intrusion…
0 votes · 1 answer

How Does Cisco IPS Work?

How does it work? Does it typically have predefined patterns of trusted or malicious activity? Is it actually a category of firewall techniques? I am more curious about Cisco than I am about other products.
700 Software
0 votes · 1 answer

Windows: Audit/View logins from remote networks?

I want to audit remote connection attempts to a Windows 2003 Server. I've changed the group policy to show logon successes and failures: >gpedit.msc Local Computer Policy Computer Configuration Windows Settings Security Settings …
0 votes · 2 answers

AWS EC2: How to determine whether my EC2/scalr AMI was hacked? What to do to secure it?

(See update below) I received a notification from Amazon that my instance tried to hack another server. There was no additional information besides a log dump: Original report: Destination IPs: Destination Ports: Destination URLs: Abuse Time: Sun May…
Niro
0 votes · 0 answers

OSSEC False Positive? Integrity Checksum Changed Again 3rd Time

I am concerned about an integrity checksum change message from OSSEC. I haven't seen this particular message before in the five years since this server has been running (not that I examine these messages closely after the initial period of the…
0 votes · 1 answer

Detecting database breach

I wonder about detecting a database breach. Currently, I use auditd to detect a database dump being made with mysqldump. I wonder what more I can do to detect a potential database breach. Thanks for any ideas!
0 votes · 0 answers

Suspicious USB activity on a server

I'm working in a sysadmin team. We manage several servers. All of them are running Debian (various releases). They are located in a locked cabinet in a datacenter. Recently I've added logcheck on our servers and I began tuning the exclude lists of…
jlecour