Re: OT: port scan
On Tue, 28 Nov 2000, Pollywog wrote:
> On Tue, 28 Nov 2000 14:40:09 -0200 (EDT), Mario Olimpio de Menezes said:
>
> > One computer where I have Debian installed was scanned
> > recently. Someone probed several ports (~20), maybe trying to determine
> > the running OS (something like nmap does).
> > Do you think this *IS* an attack? I mean, should I report this
> > as *AN* attack?
>
> If someone scans several ports, I usually do report it to their ISP,
> sending them log excerpts that include the time they occurred and also my
> time zone as reported by my computer. The ISP would probably warn the
> customer and even terminate the customer's account if they believe the
> customer was up to no good.
>
> I usually do not report attempts to connect to single ports.
You might want to keep in mind that scans of all ports are often just
general curiosity about what kind of stuff a computer is being used for,
while scans of a single port (on every machine in your subnet) is often
someone looking for a machine vulnerable to a *particular* exploit. So
I'd say don't ignore the single-port scans. They are as (or more)
serious.
Of course, a connection to a single port on a single machine is probably
just some idiot who mistyped an IP address....
Damian Menscher
--
--==## Grad. student & Sys. Admin. @ U. Illinois at Urbana-Champaign ##==--
--==## <menscher@uiuc.edu> www.uiuc.edu/~menscher/ Ofc:(217)333-0038 ##==--
--==## Physics Dept, 1110 W Green, Urbana IL 61801 Fax:(217)333-9819 ##==--
Reply to: