Re: Hacked - is it my turn?
hi ya nick/jim
On Tue, 3 Feb 2004, Nick Boyce wrote:
> On Mon, 2 Feb 2004 18:28:31 -0800 (PST), Alvin Oga wrote:
> >On Mon, 2 Feb 2004, Johannes Graumann wrote:
> >> > > Checking 'bindshell'... INFECTED [PORTS: 1524 31337]
> >> At this point I believe to be able to attribute this to portsentry
> >> running - '/etc/init.d/portsentry stop' makes it go away,
> >odd that portsentry does that... oh well ...
> Um, no - I believe that's not odd at all - because Port Sentry's
> method is to listen on every conceivable port so that it can detect
> inbound connection attempts.
and given that portsentry is supposed to watch all ports,
i'm curious why only 1524 shows up and not a random selection
of one of 64K ports or whatever reason it uses 1524 is okay
and the original poster shows/reaffirms another reason NOT
to run portsentry :-0 .. a lot of "false positives" but
a good learning experience and results in tightening the security
policy before a real crack occurs
- i do run logcheck .. but not portsentry :-0
and i don't like any port scan detectors running, it'd be pointless
esp if one gets xxx scans per hour coming from wherever
( consider it a free audit via port scan )
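
Added example (not part of the original thread): one way to triage the chkrootkit 'bindshell' line quoted above is to attribute each flagged listening port to the process that owns it. The function names and the `netstat -tlnp` sample are constructed for illustration; the two ports are the ones chkrootkit reported in this thread.

```shell
#!/bin/sh
# Ports taken from the chkrootkit line quoted in this thread.
FLAGGED_PORTS="1524 31337"

# Constructed sample of `netstat -tlnp` output (not from a real host).
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      733/portsentry
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      1999/sh
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      388/exim4
EOF
}

# Reads `netstat -tlnp` output on stdin and prints "port owner verdict"
# for every listener on a flagged port.
#   EXPECTED    - owned by the daemon named in $1 (default: portsentry)
#   INVESTIGATE - owned by some other program
#   UNKNOWN     - netstat could not show the owner (rerun as root)
classify_listeners() {
    expected="${1:-portsentry}"
    awk -v ports="$FLAGGED_PORTS" -v expected="$expected" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)          # keep only the port number
            if (!(port in want)) next
            owner = $7; sub(/^[0-9]+\//, "", owner)  # strip the "PID/" prefix
            if ($7 == "-" || owner == "") verdict = "UNKNOWN"
            else if (owner == expected)   verdict = "EXPECTED"
            else                          verdict = "INVESTIGATE"
            print port, owner, verdict
        }'
}

# Demo on the constructed sample; on a live host use:
#   netstat -tlnp | classify_listeners
sample_netstat | classify_listeners
```

A matching program name is only a hint, since netstat reports whatever name the process carries; confirm the binary behind an EXPECTED listener with `ls -l /proc/PID/exe` before dismissing the alert.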