On Fri, Oct 03, 2003 at 06:45:39PM -0700, Alderbrook wrote:
> Can anyone help me identify who is trying to get into my system?
>

They aren't trying to hack your system. They're just scanning for open proxy ports that they can abuse. This is the sort of issue that, if you run machines on the internet for long, you'll quickly come to realize is entirely routine and really not worth bothering with. I see many open proxy scans on a regular basis. If you're not running a badly configured proxy server, they're not going to do anything.

noah

> 10/1/03 6:45:25 PM Deny unknown 57 TCP 216.66.31.196 216.66.31.196
> 10/1/03 6:45:24 PM Deny unknown 57 TCP 216.66.31.196 216.66.31.196
> 10/1/03 6:45:23 PM Deny unknown 57 TCP 216.66.31.196 216.66.31.196
> 10/1/03 6:45:22 PM Deny unknown 57 TCP 216.66.31.196 216.66.31.196

I'm not actually sure what these are, but you're denying the connection attempts, so really, it's not anything to worry about. More noise.

If you see repeated or unusual connections to a service that you run, then you should pay close attention. People can bang on closed ports all day and never get anywhere. If people were actually trying to break in to your system, there wouldn't be any reason for them to keep trying to connect to these closed ports.

You should see the accounting logs on the routers where I work. We lit a /24 that had been dormant since basically the beginning of time, and saw the scans start up immediately. People had, of course, been scanning that block all along, but there simply hadn't been anything there.

If you still do feel like tracking down the owner of the machine on the other end of these connections, try using whois to query ARIN's database to track down the owner of the network that they're on. http://www.arin.net/ will provide you with some more information.

noah
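The distinction drawn in the reply above, between denied hits on closed ports and repeated connections to a service you run, applied to log lines in the poster's format. This is an added example, not part of the original message; the column meanings, the `SERVICE_PORTS` set, the threshold, and every sample line other than the four quoted Deny entries are assumptions.

```python
import re
from collections import Counter

# Assumed column order (the post does not label its columns):
# date, time, action, service name, port, protocol, address, address
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{2})\s+(?P<time>\d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<action>\w+)\s+(?P<service>\S+)\s+(?P<port>\d+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)

# Hypothetical: ports of the services this host deliberately exposes.
SERVICE_PORTS = {25, 80}

# Constructed sample. The first four lines are the ones quoted in the post;
# the rest (Allow entries, 192.0.2.x / 198.51.100.x addresses) are made up.
SAMPLE_LOG = """\
10/1/03 6:45:25 PM Deny unknown 57 TCP 216.66.31.196 216.66.31.196
10/1/03 6:45:24 PM Deny unknown 57 TCP 216.66.31.196 216.66.31.196
10/1/03 6:45:23 PM Deny unknown 57 TCP 216.66.31.196 216.66.31.196
10/1/03 6:45:22 PM Deny unknown 57 TCP 216.66.31.196 216.66.31.196
10/1/03 6:50:01 PM Deny unknown 8080 TCP 192.0.2.10 198.51.100.5
10/1/03 6:51:10 PM Allow smtp 25 TCP 192.0.2.77 198.51.100.5
10/1/03 6:51:11 PM Allow smtp 25 TCP 192.0.2.77 198.51.100.5
10/1/03 6:51:12 PM Allow smtp 25 TCP 192.0.2.77 198.51.100.5
10/1/03 6:51:30 PM Allow http 80 TCP 192.0.2.80 198.51.100.5
10/1/03 6:52:00 PM Deny unknown
"""

def triage(log_text, service_ports=SERVICE_PORTS, threshold=3):
    """Split entries into denied noise and repeated hits on real services."""
    noise = Counter()   # (src, port) -> denied attempts on closed ports
    watch = Counter()   # (src, port) -> connections that reached a service
    unparsed = []       # lines that do not fit the assumed format
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            if line:
                unparsed.append(line)
            continue
        key = (m["src"], int(m["port"]))
        if m["action"].lower() == "deny":
            noise[key] += 1
        elif key[1] in service_ports:
            watch[key] += 1
    # Only sources that connect repeatedly to a service we run need review.
    review = {k: n for k, n in watch.items() if n >= threshold}
    return noise, review, unparsed

if __name__ == "__main__":
    noise, review, unparsed = triage(SAMPLE_LOG)
    print("denied (noise):", dict(noise))
    print("review:", review, "| unparsed lines:", len(unparsed))
```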