
Re: Can anyone help me ID who is trying to hack my system?



> Can anyone help me identify who is trying to get into my system?
> 9/1/03 7:14:32 PM Deny unknown 1080 TCP 64.222.178.231 64.222.178.231
> 9/1/03 7:14:32 PM Deny unknown 5490 TCP 64.222.178.231 64.222.178.231
> 9/1/03 7:14:32 PM Deny unknown 6588 TCP 64.222.178.231 64.222.178.231
> 9/1/03 7:14:32 PM Deny unknown 3128 TCP 64.222.178.231 64.222.178.231
> 9/1/03 7:14:32 PM Deny Web Sharing 80 TCP 64.222.178.231 64.222.178.231
Erm, receipt of the types of packets shown above is by NO means to be
 considered evidence that somebody is trying to ''hack'' (presumably you
 mean 'break into') your system.

The port numbers you have shown suggest very much somebody looking for open
 proxy servers -- port 1080 is the SOCKS server port, port 6588 (iirc) is some
 windoze-based proxy-server port, port 3128 is the 'squid' proxy server's
 port, and port 80 (the web service port) is used by some proxy servers!
As in -- proxy servers that will not only "proxy" requests on behalf of a
 local LAN, but also "proxy" requests on behalf of anybody on the internet!

There are 3 main reasons these 'connection attempts' could be happening,
 afaik:-
Reason 1: You have connected to a server (particularly an IRC server) which
           deliberately "reverse probes" the connecting IP address to check
           that the IRC connection is *not* coming from an 'open proxy server'
           (i.e. to reduce spam / stop annoying users being 'hard to catch'
           etc.).  You should try connecting to the servers you use
           (particularly IRC servers) and watch your firewall logs!

Reason 2: Your ISP is probing you to check you are not running 'dangerous'
           open proxies or services they don't want running on their
           network!

Reason 3: A spammer is hunting for open proxy servers (probably across
           thousands and thousands of IP addresses!).

Basically, I doubt anybody is trying to 'hack' into your system as such!
If this traffic is being DENY'ed then it's not doing you any harm. You
should not by any means be disturbed by unexpected traffic at low
rates. Only if you are being hit by tons and tons of packets should you be
concerned about this, and you should NOT take the 'source' IP address
given in your logs as 'absolute truth', as it can be faked ('spoofed') in
attack scenarios!

You should be much more concerned about what services you DO allow
 connections to and what traffic/transactions are occurring on them!

> 10/1/03 6:45:37 PM Deny Windows file sharing 139 TCP 216.66.31.196
> 216.66.31.196

I get windows-filesharing (netbios-over-tcp/ip) 'nonsense traffic' all the
 time. It seems to be normal really, to be honest! Ignore it!
You are likely to see lots of DENYs aimed at 'port 135' TCP, to do with
 windoze RPC (remote procedure call) and with viruses (like m$blast)
 that infect 3vil windoze computers!

P.s. -- what program or debian package are you getting these firewall log
          messages from? They don't look like linux 'dmesg' errors!

-enyc <enyc@eeek.org.uk>
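As an added example that is not part of enyc's reply or the original poster's message, the script below performs the triage enyc describes by hand: it parses DENY lines in the format quoted in the thread (timestamp, "Deny", service name, port, protocol, source IP, destination IP), groups them by source address, and labels each source as an open-proxy sweep (several of the proxy ports 1080/3128/6588/80 hit within a short window), routine netbios/RPC noise, a "reverse probe" from a server you knowingly connected to, or a flood whose source address should not be trusted. The log-line layout and the port-to-verdict mapping are my own assumptions inferred from the post; port 8080 and the 135/137/138/445 noise ports are my additions, not mentioned in the thread, and the last two sample lines are constructed.

```python
"""Triage personal-firewall DENY lines like the ones quoted in the thread.

Added example; the line format is inferred from the quoted log, and the
thresholds below are assumptions a practitioner would tune for their own
network.
"""
import re
from collections import defaultdict
from datetime import datetime

# Ports the reply identifies as open-proxy probes.  8080 (common alternate
# HTTP/proxy port) is an addition not mentioned in the thread.
PROXY_PORTS = {
    1080: "SOCKS",
    3128: "Squid",
    6588: "Windows proxy (AnalogX)",
    80: "HTTP (some proxies)",
    8080: "HTTP-alt (some proxies)",
}

# Ports the reply calls routine background noise (netbios / RPC worm traffic).
# 135 and 139 come from the thread; 137, 138 and 445 are additions.
NOISE_PORTS = {135: "MS RPC", 137: "NetBIOS-NS", 138: "NetBIOS-DGM",
               139: "NetBIOS-SSN", 445: "SMB"}

# "9/1/03 7:14:32 PM Deny Web Sharing 80 TCP 64.222.178.231 64.222.178.231"
# The service name may contain spaces, so it is matched lazily and the
# numeric port plus protocol anchor the rest of the line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Deny (?P<service>.+?) (?P<port>\d+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<dst>\d{1,3}(?:\.\d{1,3}){3})$"
)


def parse_line(line):
    """Return a dict for one DENY line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%m/%d/%y %I:%M:%S %p"),
        "service": m["service"],
        "port": int(m["port"]),
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
    }


def triage(lines, known_servers=frozenset(), sweep_min_ports=3,
           sweep_window_s=60, flood_threshold=200):
    """Group DENY lines by source IP and attach a verdict to each source.

    known_servers: addresses of servers (e.g. IRC servers) you connected to;
    a probe from one of them is the 'reverse probe' case from the reply.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    report = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        ports = sorted({r["port"] for r in recs})
        span_s = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        proxy_hits = [p for p in ports if p in PROXY_PORTS]

        if len(recs) >= flood_threshold:
            # High volume is the only case worth worrying about, and even
            # then the source address may be spoofed.
            verdict = "flood: high volume, source may be spoofed"
        elif src in known_servers:
            verdict = "reverse probe from a server you connected to"
        elif len(proxy_hits) >= sweep_min_ports and span_s <= sweep_window_s:
            verdict = "open-proxy sweep"
        elif all(p in NOISE_PORTS for p in ports):
            verdict = "background noise"
        else:
            verdict = "unclassified: review"

        report[src] = {
            "verdict": verdict,
            "ports": ports,
            "proxy_ports": proxy_hits,
            "count": len(recs),
            "span_s": span_s,
        }
    return report


# Sample input: the lines quoted in the thread, plus two constructed lines
# (a port-135 hit from the same netbios source and an SSH probe from a
# documentation-range address) to exercise the other verdicts.
SAMPLE_LOG = """\
9/1/03 7:14:32 PM Deny unknown 1080 TCP 64.222.178.231 64.222.178.231
9/1/03 7:14:32 PM Deny unknown 5490 TCP 64.222.178.231 64.222.178.231
9/1/03 7:14:32 PM Deny unknown 6588 TCP 64.222.178.231 64.222.178.231
9/1/03 7:14:32 PM Deny unknown 3128 TCP 64.222.178.231 64.222.178.231
9/1/03 7:14:32 PM Deny Web Sharing 80 TCP 64.222.178.231 64.222.178.231
10/1/03 6:45:37 PM Deny Windows file sharing 139 TCP 216.66.31.196 216.66.31.196
10/1/03 6:45:38 PM Deny unknown 135 TCP 216.66.31.196 216.66.31.196
10/2/03 1:02:03 AM Deny unknown 22 TCP 198.51.100.7 198.51.100.7
"""

if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG.splitlines()).items():
        print(f"{src:16} {info['count']:3} hits  ports={info['ports']}  -> {info['verdict']}")
```

Run it on a saved copy of the firewall log; the interesting output is the "unclassified" and "flood" rows, which are the only ones worth a closer look. Passing the IRC servers you use in `known_servers` turns their port checks into the expected "reverse probe" verdict instead of a sweep.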