Re: I've been getting scanned...

To: Paul Wright <paul@cvanet.com>
Cc: <debian-user@lists.debian.org>
Subject: Re: I've been getting scanned...
From: John Galt <galt@inconnu.isu.edu>
Date: Sat, 26 May 2001 18:08:59 -0600 (MDT)
Message-id: <[🔎] Pine.LNX.4.32.0105261758550.2066-100000@inconnu.isu.edu>
In-reply-to: <[🔎] 153iyY-3mp-00@j001.june.net>

On Sat, 26 May 2001, Paul Wright wrote:

>Hi all,
>
>Someone's been port-scanning me, checking only some high ports. Here are
>my relevant log entries:
>
>
>May 26 13:39:30 j001 ippl: port 37397 connection attempt from 216.136.179.238
>May 26 13:43:03 j001 ippl: port 37404 connection attempt from 216.136.179.238
>May 26 13:43:06 j001 ippl: port 37404 connection attempt from 216.136.179.238
>May 26 13:45:55 j001 ippl: port 37406 connection attempt from 216.136.179.238
>May 26 13:45:58 j001 ippl: port 37406 connection attempt from 216.136.179.238
>May 26 13:47:10 j001 ippl: port 37408 connection attempt from 216.136.179.238
>May 26 13:49:30 j001 ippl: port 37412 connection attempt from 216.136.179.238

If this annoys you, take a trip into non-free and install portsentry:
they'd have been blackhole routed about a quarter till 2 (the fifth hit,
which is the most liberal setting worth a hoot, happened at 13:45...)

>Does anyone know what they may be looking for in that range?

Back Orifice used a 31000+ port from what I remember, NetBus did as
well...  Most trojans use 30000+ ports so they don't set off as many
alarms...

>Does anyone know of a good reference for info (vulnerabilities sorted by
>port, service, etc)?

insecure.org (the makers of nmap)
whitehats.com (arachNIDS)
securityfocus.com (of course)

>Does anyone how I can find out who/where/what-domain or host is using that
>ip?

whois
dig
nslookup
host
finger (who knows, maybe they just don't get it...)

If you have no qualms about looking like you're trying to break in,
nmap
queso
strobe

>Thanks in advance for any help / advice.
>
>
>

-- 
	A novice of the temple once approached the Chief Priest with a
question.
	"Master, does Emacs have the Buddha nature?" the novice asked.
	The Chief Priest had been in the temple for many years and could be
relied upon to know these things.  He thought for several minutes before
replying.
	"I don't see why not.  It's got bloody well everything else."
	With that, the Chief Priest went to lunch.  The novice suddenly
achieved enlightenment, several years later.

Commentary:

His Master is kind,
Answering his FAQ quickly,
With thought and sarcasm.

John Galt (galt@inconnu.isu.edu)

Reply to:

Follow-Ups:
- Re: I've been getting scanned...
  - From: Carl Fink <carlf@nitpicking.com>

References:
- I've been getting scanned...
  - From: Paul Wright <paul@cvanet.com>

Prev by Date: Re: line numbers in code
Next by Date: Re: LAME not included in Debian
Previous by thread: Re: I've been getting scanned...
Next by thread: Re: I've been getting scanned...
Index(es):
- Date
- Thread