
Re: Hacked - is it my turn?



hi ya nick/jim

On Tue, 3 Feb 2004, Nick Boyce wrote:

> On Mon, 2 Feb 2004 18:28:31 -0800 (PST), Alvin Oga wrote:
> 
> >On Mon, 2 Feb 2004, Johannes Graumann wrote:
> >
> >> > > Checking 'bindshell'... INFECTED [PORTS:  1524 31337]
> >> At this point I believe to be able to attribute this to portsentry
> >> running - '/etc/init.d/portsentry stop' makes it go away,
> >
> >odd that portsentry does that... oh well ... 
> 
> Um, no - I believe that's not odd at all - because Port Sentry's
> method is to listen on every conceivable port so that it can detect
> inbound connection attempts. 

and given that portsentry is supposed to watch all ports,
i'm curious why only 1524 shows up and not a random selection
of one of 64K ports or whatever reason it uses 1524 is okay

and the original poster shows/reaffirms another reason NOT
to run portsentry :-0  .. a lot of "false positives" but 
a good learning experience and results in tightening the security
policy before a real crack occurs
	- i do run logcheck .. but not portsentry :-0

and i don't like any port scan detectors running, it'd be pointless
esp if one gets xxx scans per hour coming from wherever
	( consider it a free audit via port scan )

c ya
alvin
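
One way to confirm that the ports chkrootkit flagged are held by portsentry and not by something else, as an added example that is not part of the original message. It assumes `ss -H -ltnp`-style input; the helper name `triage_listeners` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Ports from the chkrootkit 'bindshell' line quoted in the thread.
FLAGGED_PORTS="1524 31337"
# Assumption: portsentry is the only daemon expected to hold them.
EXPECTED_OWNER="portsentry"

# triage_listeners (hypothetical helper): reads `ss -H -ltnp` style lines on
# stdin and prints one verdict per flagged port:
#   <port> expected <proc> | <port> UNEXPECTED <proc> | <port> closed
triage_listeners() {
    awk -v ports="$FLAGGED_PORTS" -v want="$EXPECTED_OWNER" '
        BEGIN { n = split(ports, p, " ") }
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # drop the address, keep the port
            proc = "unknown"                  # process column is absent without root
            if (match($0, /users:\(\("[^"]+"/))
                proc = substr($0, RSTART + 9, RLENGTH - 10)
            # an unexpected owner must never be masked by a later expected one
            if (!(port in owner) || proc != want) owner[port] = proc
        }
        END {
            for (i = 1; i <= n; i++) {
                if (!(p[i] in owner))         print p[i], "closed"
                else if (owner[p[i]] == want) print p[i], "expected", owner[p[i]]
                else                          print p[i], "UNEXPECTED", owner[p[i]]
            }
        }'
}

# Constructed sample input (not captured from a real host).
SAMPLE_PORTSENTRY='LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 5 0.0.0.0:1524 0.0.0.0:* users:(("portsentry",pid=1093,fd=4))
LISTEN 0 5 0.0.0.0:31337 0.0.0.0:* users:(("portsentry",pid=1093,fd=21))'
SAMPLE_SUSPECT='LISTEN 0 5 0.0.0.0:1524 0.0.0.0:* users:(("sh",pid=4411,fd=0))'

printf '%s\n' "$SAMPLE_PORTSENTRY" | triage_listeners
printf '%s\n' "$SAMPLE_SUSPECT" | triage_listeners
# Live use (as root): ss -H -ltnp | triage_listeners
```

A verdict of `expected portsentry` on both ports matches the explanation given in the thread; `UNEXPECTED` on either port is the case that needs a closer look.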


