No matching connection for ICMP error message: icmp src inside: X.X.X.98 dst outside: X.X.X.11 (type 3, code 2) on inside interface. Original IP payload: udp src X.X.X.11/53 dst X.X.X.98/52906.
Can somebody please help me understand the cause.
If i move a file from an non-hidden encrypted drive to my main C drive, then move the original file to a hidden container on the encrypted drive, then wipe the original file with ccenhancer/secure erase, is that doing enough to ensure the original location isnt Knowles? Or does windows log moved files by default and someone could tell if the copied file came from the encrypted drive? Additionally, do softwares like ccenhancer/secure erase remove "recently viewed" logs from applications in case they are opened from either hidden or non hidden volume?
I’m getting regular attacks
2020-07-29 14:44:42 Security Warning Intrusion -> SRC=220.127.116.11 DST=18.104.22.168 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=63607 PROTO=TCP SPT=52363 DPT=1433 WIN
it’s every 10 mins as I can see
I changed wifi password and made it hidden AP and the attacks still coming.
I even disconnected all devices and the logs keep getting this attack
Should I be worried?
2020-07-29 14:54:05 Security Warning Intrusion -> SRC=22.214.171.124 DST=126.96.36.199 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=40337 PROTO=TCP SPT=42068 DPT=3378 WINDO
Which hacking tool makes a request and does not show up on web-server logs?
/en/latest/ has been requested over 116, we don’t have this URL on the website at all!
The request to that URL does not show up on web-server logs but I setup google analytics to track ad-blockers by loading the script on a different URL that ad-blockers don’t know . But ever since i setup this google analytics it has trapped lots of hacking request on none existing URL?
How comes google analytics captures the request(The Hackers don’t actually know) and the request seems not reach the web-server because no logs are shown?
The thing is there is a deliberate request to none existing URL, that don’t show up on web-server logs, but my secrete google analytic scripts captures the URL
I’m using Splunk to try to detect multiple Windows login sessions by a single user, as an indicator of compromise. However, I’m not sure how to go about this – I can ingest workstation logs (events 4624/4634) and look for a large discrepancy between logins and logouts (indicating a high number of sessions) in the workstation logs, but there’s a few problems.
First, a discrepancy between logins and logouts does not necessarily indicate compromise, it’s (relatively) normal for a user to be logged in to multiple devices at once. Secondly, login/logout events are generated for a user unlocking their computer, but are not generated for a user locking/sleeping their machine.
Is there an elegant solution for this? Even if there isn’t – is there an agreed-upon list of Windows event IDs I should track to develop a better picture of high login sessions? Thanks!
I am not very knowledgeable about IIS 7, so I thought this was the right place to ask.
While inspecting the web server logs, I came across several instances of separate records that look just the same. For example:
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken 2020-04-21 00:00:10 ABC.128.138.15 GET /MY/API/HERE departmentId=&prodLineId=&prodUnitId=&puGroupId=&FLId=null&startTime=2019-09-08T21:00:00.000Z&endTime=2019-09-09T21:00:00.000Z&status=null&itemType=&itemComponent=&howFound=&priority=&foundBy=&fixedBy=&flList= 80 - ABC.128.138.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1453 2020-04-21 00:00:10 ABC.128.138.15 GET /MY/API/HERE departmentId=&prodLineId=&prodUnitId=&puGroupId=&FLId=null&startTime=2019-09-08T21:00:00.000Z&endTime=2019-09-09T21:00:00.000Z&status=null&itemType=&itemComponent=&howFound=&priority=&foundBy=&fixedBy=&flList= 80 - ABC.128.138.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1453
The question is – do those records correspond to two actual separate requests, or perhaps it was just one that for some reason got duplicated? This is not an isolated occurrence (there are hundreds more). Just for the record, these are all GET requests coming from the same source (an Apache Tomcat-based application that resides in the same web server and is invoking APIs in different application pools).
Thanks in advance,
When I’m investigating systems, the SMB client logs are a good place to tell me if a baddie tried mapping/navigating network shares and they often outlive the security logs.
Does anyone know a good reference to find out what exactly the codes mean? Such as event IDs? I tried Google and have not had much luck.
30805 30808 30800 30811 etc.
I am receving logs on UDP 514 from another server and i have configured rsyslog.conf to save the logs to another custom directory but i am unable to do so, i confirmed through tcpdump logs are getting on 514 but not getting saved. Any thing i’ve missed?
Here’s the config i’ve made in rsyslog.conf
$ umask 0000 # ownership and permissions $ FileOwner punk $ FileGroup punk $ FileCreateMode 0640 $ DirCreateMode 0755 # save that when possible $ PreserveFQDN on # local ruleset (to control local syslogging) $ RuleSet local $ template CustomFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n" $ ActionFileDefaultTemplate CustomFormat $ template prod1,"/ab/cs/edl/172.x.x.x/%$ now%.log" if $ fromhost-ip == '172.x.x.x' then ?prod1
When securing my device (ubuntu) I noticed strange ufw logs. I am behind a router which should be blocking these kinds of requests? I realise these are using port 443 but I was under the impression that my outgoing connections to a website shouldn’t produce incoming connections to me.
[UFW BLOCK] IN=wlp1s0 OUT= MAC=b0:fc:36:e0:0f:2d:2c:30:33:34:bf:32:08:00 SRC=188.8.131.52 DST=<my ip> LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=0 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=0 RES=0x00 RST URGP=0
I want to copy data of binary file to .txt file
[ec2-user@ip-172-31-28-70 mysql]$ sudo mysqlbinlog tajamul.000006 > /var/www/tajamul.txt
It give me the following error.
-bash: /var/www/tajamul.txt: Permission denied
Can anyone help me, how to copy binary file data to txt file?