Web scan sample 2:
Example of a web scan detected by OSSEC (looking for WordPress, xmlrpc and awstats):
Web scan sample 4:
SSHD brute force:
Example of an SSHD brute force attack.
FTP scan:
Example of an FTP scan detected by monitoring MS FTP logs.
Multiple firewall denies on the Windows firewall:
Example of multiple firewall denies detected.

.. code-block:: console

    Received From: (ossec64) 192.168.2.25->Windowspfirewall.log
    Rule: 4151 fired (level 10) -> "Multiple Firewall drop events from same source."
    Portion of the log(s):

    2006-10-17 09:25:03 DROP UDP 192.168.2.190 192.168.2.255 137 137 78 - - - - - - - RECEIVE
    2006-10-17 09:25:01 DROP UDP 192.168.2.190 192.168.2.255 138 138 229 - - - - - - - RECEIVE
    2006-10-17 09:25:00 DROP UDP 192.168.2.190 192.168.2.255 137 137 96 - - - - - - - RECEIVE
    2006-10-17 09:25:00 DROP UDP 192.168.2.190 192.168.2.255 137 137 96 - - - - - - - RECEIVE
    2006-10-17 09:24:59 DROP UDP 192.168.2.190 192.168.2.255 137 137 96 - - - - - - - RECEIVE
    2006-10-17 09:24:59 DROP UDP 192.168.2.190 192.168.2.255 137 137 96 - - - - - - - RECEIVE
    2006-10-17 09:24:59 DROP UDP 192.168.2.190 192.168.2.255 137 137 96 - - - - - - - RECEIVE
    2006-10-17 09:24:59 DROP UDP 192.168.2.190 192.168.2.255 137 137 96 - - - - - - - RECEIVE
    2006-10-17 09:24:58 DROP UDP 192.168.2.190 192.168.2.255 137 137 96 - - - - - - - RECEIVE
    2006-10-17 09:24:58 DROP UDP 192.168.2.190 192.168.2.255 137 137 96 - - - - - - - RECEIVE

    --END OF NOTIFICATION
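An added example (not part of the OSSEC documentation or its rule set) of the correlation behind this alert: it parses pfirewall.log records and flags a source that reaches a number of DROP events within a time window, the way OSSEC's frequency/timeframe matching does. The threshold of 8 drops in 60 seconds and the sample records are assumed for the demonstration and are not rule 4151's actual parameters.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# pfirewall.log record (W3C format): date time action protocol src-ip dst-ip
# src-port dst-port size ...; trailing fields are ignored here.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>\S+) (?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+)"
)

# Constructed sample: drops from the alert above, newest first as OSSEC prints
# them, plus one OPEN record and a single drop from a second host.
SAMPLE_LOG = """\
2006-10-17 09:25:03 DROP UDP 192.168.2.190 192.168.2.255 137 137 78 - - - - - - - RECEIVE
2006-10-17 09:25:02 OPEN TCP 192.168.2.25 192.168.2.1 49152 443 - - - - - - - - -
2006-10-17 09:25:01 DROP UDP 192.168.2.190 192.168.2.255 138 138 229 - - - - - - - RECEIVE
2006-10-17 09:25:00 DROP UDP 192.168.2.190 192.168.2.255 137 137 96 - - - - - - - RECEIVE
2006-10-17 09:24:59 DROP UDP 192.168.2.190 192.168.2.255 137 137 96 - - - - - - - RECEIVE
2006-10-17 09:24:59 DROP UDP 192.168.2.77 192.168.2.255 137 137 96 - - - - - - - RECEIVE
2006-10-17 09:24:59 DROP UDP 192.168.2.190 192.168.2.255 137 137 96 - - - - - - - RECEIVE
2006-10-17 09:24:59 DROP UDP 192.168.2.190 192.168.2.255 137 137 96 - - - - - - - RECEIVE
2006-10-17 09:24:58 DROP UDP 192.168.2.190 192.168.2.255 137 137 96 - - - - - - - RECEIVE
2006-10-17 09:24:58 DROP UDP 192.168.2.190 192.168.2.255 137 137 96 - - - - - - - RECEIVE
"""

def parse_line(line):
    """Return (timestamp, action, src) or None when the line is not a record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["date"] + " " + m["time"], "%Y-%m-%d %H:%M:%S")
    return ts, m["action"], m["src"]

def find_drop_bursts(lines, threshold=8, timeframe=60):
    """Flag each source that logs `threshold` DROPs within `timeframe` seconds.
    Records are sorted by time first, so newest-first input is fine. Returns
    (src, first_ts, last_ts, count) per offending source, firing once each.
    threshold and timeframe are assumed values, not rule 4151's parameters."""
    window = timedelta(seconds=timeframe)
    records = sorted(r for r in map(parse_line, lines) if r and r[1] == "DROP")
    recent, alerts, fired = defaultdict(deque), [], set()
    for ts, _, src in records:
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # expire events older than the window
            q.popleft()
        if len(q) >= threshold and src not in fired:
            alerts.append((src, q[0], ts, len(q)))
            fired.add(src)
    return alerts
```

Running `find_drop_bursts(SAMPLE_LOG.splitlines())` reports the single burst from 192.168.2.190; the OPEN record and the lone drop from 192.168.2.77 do not count towards it.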
Multiple spam attempts:
Example of spam attempts detected (postfix log analysis):

.. code-block:: console

    postfix/smtpd[6741]: NOQUEUE: reject: RCPT from unknown[201.82.55.24]: 503 <nplxfbtk@fbi.com>: Sender address rejected: Improper use of SMTP command pipelining; from=<nplxfbtk@fbi.com> to=<x@x.br> proto=SMTP helo=<ran-2h991bqbujq>
    postfix/smtpd[6741]: NOQUEUE: reject: RCPT from unknown[201.82.55.24]: 503 <nplxfbtk@fbi.com>: Sender address rejected: Improper use of SMTP command pipelining; from=<nplxfbtk@fbi.com> to=<x@xl.org.br> proto=SMTP helo=<ran-2h991bqbujq>
    postfix/smtpd[6741]: NOQUEUE: reject: RCPT from unknown[201.82.55.24]: 503 <nplxfbtk@fbi.com>: Sender address rejected: Improper use of SMTP command pipelining; from=<nplxfbtk@fbi.com> to=<y@y.org.br> proto=SMTP helo=<ran-2h991bqbujq>
    postfix/smtpd[6741]: NOQUEUE: reject: RCPT from unknown[201.82.55.24]: 503 <nplxfbtk@fbi.com>: Sender address rejected: Improper use of SMTP command pipelining; from=<nplxfbtk@fbi.com> to=<z@l.org.br> proto=SMTP helo=<ran-2h991bqbujq>
    postfix/smtpd[6741]: NOQUEUE: reject: RCPT from unknown[201.82.55.24]: 503 <nplxfbtk@fbi.com>: Sender address rejected: Improper use of SMTP command pipelining; from=<nplxfbtk@fbi.com> to=<a@slala.org.br> proto=SMTP helo=<ran-2h991bqbujq>
    postfix/smtpd[6741]: NOQUEUE: reject: RCPT from unknown[201.82.55.24]: 503 <nplxfbtk@fbi.com>: Sender address rejected: Improper use of SMTP command pipelining; from=<nplxfbtk@fbi.com> to=<b@l.org.br> proto=SMTP helo=<ran-2h991bqbujq>
    postfix/smtpd[6741]: NOQUEUE: reject: RCPT from unknown[201.82.55.24]: 503 <nplxfbtk@fbi.com>: Sender address rejected: Improper use of SMTP command pipelining; from=<nplxfbtk@fbi.com> to=<c@y.org.br> proto=SMTP helo=<ran-2h991bqbujq>
SQL injection attempt detected:
Example of an SQL injection attempt detected by OSSEC:
Internal system possibly compromised with IrnBot:
http://www.offensivecomputing.net/?q=node/378
Multiple WordPress (blog) comment spam attempts:
Attempts to submit spam comments to the OSSEC blog:
E-mail scan (vpopmail):
File system full:
Not really an attack, but a serious issue if your web server is out of space.
Custom SQL injection against ossec.net:
Someone probing our web application that displays the latest rules. Of course, it didn't work (but we return code 200 in all cases).
Application being installed:
An alert when an application is installed on Windows. Not always an attack, but it may indicate computer misuse.
Virtual machine being shut down:
By monitoring VMware ESX logs, you can get alerts when a virtual machine is stopped: