
Re: Am I being attacked?



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

A long time ago, in a galaxy far, far away, someone said...

> The answer is probably yes, but do the following indicate script-kiddie
> probes? They are directed at portmap, lpr, and nmbd. I don't know why the
> ones on the smtp port were rejected. The .184 system is my router.

"Attacked" is a strong word for what you're seeing.

This is all basically a set of port scans of people looking for holes on
216.15.108.184.  They are all normal on today's internet, and (IMO) not
something to worry about unless the thing has been hacked.  Some of those
can also be explained away as:

 * A mistyped hostname or IP number
 * Someone or something relying on old info; you'll probably never know if
   someone else had a mail server at 216.15.108.184 at one point in time,
   for example

BTW, if this concerns you, you haven't seen the crap the firewall at work
gets - there isn't enough time in the day for me to track them all down
and try to complain.

BTW2: if you're *really* worried about someone trying something you might
want to consider snort - it's an IDS system based off a packet sniffer.
It'll help you tell the difference between someone just doing a connect()
sweep and someone who's making an effort to get in.

> Packet log: input DENY eth0 PROTO=6 216.103.219.35:17956 216.15.108.184:111 L=40 S=0x00 I=3466 F=0x0000 T=108 SYN (#10)
> Packet log: input DENY eth0 PROTO=6 202.66.169.18:4439 216.15.108.184:515 L=60 S=0x00 I=43201 F=0x4000 T=47 SYN (#10)
> Packet log: input DENY eth0 PROTO=17 216.187.75.24:137 216.15.108.184:137 L=78 S=0x00 I=18430 F=0x0000 T=114 (#10)
> Packet log: input DENY eth0 PROTO=17 216.187.75.24:137 216.15.108.184:137 L=78 S=0x00 I=18686 F=0x0000 T=114 (#10)
> Packet log: input DENY eth0 PROTO=17 216.187.75.24:137 216.15.108.184:137 L=78 S=0x00 I=18942 F=0x0000 T=114 (#10)
> Packet log: input DENY eth0 PROTO=6 210.101.105.16:3546 216.15.108.184:111 L=60 S=0x00 I=13241 F=0x4000 T=47 SYN (#10)
> Packet log: input DENY eth0 PROTO=6 4.60.161.230:1054 216.15.108.184:25 L=48 S=0x00 I=57801 F=0x4000 T=110 SYN (#10)
> Packet log: input DENY eth0 PROTO=6 4.60.161.230:1054 216.15.108.184:25 L=48 S=0x00 I=57847 F=0x4000 T=110 SYN (#10)
> Packet log: input DENY eth0 PROTO=6 4.60.161.230:1054 216.15.108.184:25 L=48 S=0x00 I=57880 F=0x4000 T=110 SYN (#10)
> Packet log: input DENY eth0 PROTO=6 209.10.200.83:2151 216.15.108.184:111 L=60 S=0x00 I=14138 F=0x4000 T=56 SYN (#10)
> Packet log: input DENY eth0 PROTO=6 210.178.232.1:4935 216.15.108.184:111 L=60 S=0x00 I=38311 F=0x4000 T=41 SYN (#10)
> Packet log: input DENY eth0 PROTO=6 64.65.56.45:1274 216.15.108.184:515 L=60 S=0x00 I=146 F=0x4000 T=46 SYN (#10)

- -- 
- ----------------------------------------------------------------------
Phil Brutsche				    pbrutsch@tux.creighton.edu

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D  7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Made with pgp4pine

iD8DBQE7Vcqf/ZTSZFDeHPwRAviRAJ96H1H64VBVnjaqKT/zGMekgyqAuACgsGep
CwvMki/+xi4grNj2GYjor3g=
=V2/9
-----END PGP SIGNATURE-----
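A small parser and summariser for the ipchains "Packet log" lines quoted in the thread. This is an added example, not code from Phil's message or from the original poster; it embeds the twelve quoted lines as its sample input. The service-name table and the "retry" versus "multi-port" heuristic are my own assumptions: a single connect() that is being retransmitted repeats the same source port (the SMTP and NetBIOS-NS lines above), whereas a scanner walking several ports from one address shows up as one source hitting many destination ports, and a port that many unrelated sources hit is people sweeping for the same hole.

```python
"""Summarise ipchains 'Packet log' lines (kernel 2.2 firewall logging format).

Added example, not part of the original message.  SAMPLE_LOG is the set of
lines quoted in the post; everything else here is assumed/illustrative.
"""
import re
from collections import defaultdict

# Sample input: the twelve lines quoted in the post, leading "> " included.
SAMPLE_LOG = """\
> Packet log: input DENY eth0 PROTO=6 216.103.219.35:17956 216.15.108.184:111 L=40 S=0x00 I=3466 F=0x0000 T=108 SYN (#10)
> Packet log: input DENY eth0 PROTO=6 202.66.169.18:4439 216.15.108.184:515 L=60 S=0x00 I=43201 F=0x4000 T=47 SYN (#10)
> Packet log: input DENY eth0 PROTO=17 216.187.75.24:137 216.15.108.184:137 L=78 S=0x00 I=18430 F=0x0000 T=114 (#10)
> Packet log: input DENY eth0 PROTO=17 216.187.75.24:137 216.15.108.184:137 L=78 S=0x00 I=18686 F=0x0000 T=114 (#10)
> Packet log: input DENY eth0 PROTO=17 216.187.75.24:137 216.15.108.184:137 L=78 S=0x00 I=18942 F=0x0000 T=114 (#10)
> Packet log: input DENY eth0 PROTO=6 210.101.105.16:3546 216.15.108.184:111 L=60 S=0x00 I=13241 F=0x4000 T=47 SYN (#10)
> Packet log: input DENY eth0 PROTO=6 4.60.161.230:1054 216.15.108.184:25 L=48 S=0x00 I=57801 F=0x4000 T=110 SYN (#10)
> Packet log: input DENY eth0 PROTO=6 4.60.161.230:1054 216.15.108.184:25 L=48 S=0x00 I=57847 F=0x4000 T=110 SYN (#10)
> Packet log: input DENY eth0 PROTO=6 4.60.161.230:1054 216.15.108.184:25 L=48 S=0x00 I=57880 F=0x4000 T=110 SYN (#10)
> Packet log: input DENY eth0 PROTO=6 209.10.200.83:2151 216.15.108.184:111 L=60 S=0x00 I=14138 F=0x4000 T=56 SYN (#10)
> Packet log: input DENY eth0 PROTO=6 210.178.232.1:4935 216.15.108.184:111 L=60 S=0x00 I=38311 F=0x4000 T=41 SYN (#10)
> Packet log: input DENY eth0 PROTO=6 64.65.56.45:1274 216.15.108.184:515 L=60 S=0x00 I=146 F=0x4000 T=46 SYN (#10)
"""

# Field layout as it appears in the quoted lines: chain, action, interface,
# PROTO, src:sport, dst:dport, L=length, S=tos, I=ip-id, F=frag, T=ttl,
# optional "SYN", optional "(#rule)".
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?P<syn> SYN)?"
    r"(?: \(#(?P<rule>\d+)\))?"
)

PROTO_NAMES = {6: "tcp", 17: "udp"}
# Assumed service names (IANA well-known ports) for the ports seen in the post.
SERVICE_NAMES = {25: "smtp", 111: "sunrpc/portmap", 137: "netbios-ns", 515: "printer/lpr"}


def parse_line(line):
    """Return a dict for one packet-log line, or None if it is not one."""
    m = LINE_RE.search(line.lstrip("> "))
    if not m:
        return None
    d = m.groupdict()
    return {
        "chain": d["chain"], "action": d["action"], "iface": d["iface"],
        "proto": PROTO_NAMES.get(int(d["proto"]), d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["length"]), "ipid": int(d["ipid"]), "ttl": int(d["ttl"]),
        "syn": d["syn"] is not None,
        "rule": int(d["rule"]) if d["rule"] else None,
    }


def parse_log(text):
    """Parse every matching line; quote prefixes and non-log lines are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def flows(records):
    """Group packets by 5-tuple. ipchains logs each packet, so one connect()
    that the client keeps retransmitting appears as several lines sharing a
    source port (with the IP ID climbing between them)."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["proto"], r["src"], r["sport"], r["dst"], r["dport"])].append(r)
    return groups


def classify(records):
    """Label each source address (heuristic, assumed here):
    'multi-port'   - one source touching several destination ports (scan-like)
    'retry'        - the same 5-tuple repeated, i.e. one attempt retransmitted
    'single probe' - one packet at one port"""
    by_src = defaultdict(set)
    retried = set()
    for (proto, src, _sport, _dst, dport), pkts in flows(records).items():
        by_src[src].add((proto, dport))
        if len(pkts) > 1:
            retried.add(src)
    labels = {}
    for src, ports in by_src.items():
        if len(ports) > 1:
            labels[src] = "multi-port"
        elif src in retried:
            labels[src] = "retry"
        else:
            labels[src] = "single probe"
    return labels


def ports_by_sources(records):
    """Distinct sources per destination port: many unrelated sources on one
    port means people sweeping the net for the same hole."""
    hits = defaultdict(set)
    for r in records:
        hits[(r["proto"], r["dport"])].add(r["src"])
    return {f"{proto}/{port} ({SERVICE_NAMES.get(port, '?')})": len(srcs)
            for (proto, port), srcs in sorted(hits.items())}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for port, n in ports_by_sources(recs).items():
        print(f"{port:28s} {n} distinct source(s)")
    for src, label in classify(recs).items():
        print(f"{src:16s} {label}")
```

Run against the quoted lines, portmap (tcp/111) is the only port hit from several different addresses, and the two sources that appear three times each are a single retried attempt (same source port, climbing IP ID), not a scan; nobody in this sample walks more than one port, which is the pattern a connect() sweep from one host would leave.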
