
Re: Newbie and scan attack



To the best of my knowledge the services you mentioned are almost all
passive.
Even those like htdig shouldn't generate this sort of behaviour.

There are many others which could: nmap, amap, pnscan, to name a few.

----- Original Message -----
From: "DSC Siltec" <dscpubl@siltec.lt>
To: <debian-user@lists.debian.org>
Sent: Thursday, April 25, 2002 5:43 PM
Subject: Newbie and scan attack


> I have a bit of a problem:  I just installed Woody on
> a dual-boot box, got KDE and all up and running, and
> very soon found that I was losing my connection.
>
> I inquired as to why, and I was told I was being cut off
> because my computer was scan-attacking the ISP proxy server.
>
> One scan attack attacked my proxy server's proxy port, from 1031,1032,
> 1033,1034, 1035...  and expired about 8 minutes later.
>
> Anyhow, I had a bunch of junk on the system that I probably
> didn't need -- portmap, htdig, roxen, wwwoffled, and apache are a few
> of the items -- and I went ahead and removed them.  Others, like lpd, I
> don't know how to remove. When I ran netstat -punta, with my network
> disconnected, I found a bunch of reports from htdig (open/close).
>
> I'm wondering if that was the source of the problem, or if I have
> been taken over by a remote operator, and how I can clean, then secure,
> my system.
>
> Is there anything that hit this particular list server, specifically
> (also), because I had been a subscriber -- and every so often a piece of
> trash mail comes through, and it makes me wonder if there was some kind
> of an automated virus that hit me.
>
> Aside from that, other things I noticed:  getty runs tty2-tty6 (Bash
> runs tty1) whenever I have K running -- and I wonder if that is perhaps
> initiating the attack; I also see miniserv.pl, and proftpd; I wonder if
> I need those.
>
> klisa and inetd both also make internet accesses.  When I run netstat
> -nlp, I see that ksmserver is listening, artsd, and ssh-agent are also
> running.  So are my truetype servers Xfs,Xfs-xtt, and the X server, lpd,
> and KDEinit.
>
> I also have a windows system -- and, sometimes using the same network
> connection [manual plug-over] a macintosh, and it is possible that the
> attacks were coming through one of those.  But the Windows system has a
> good firewall "ZoneAlarm" that I can use and understand [I don't yet
> understand the Linux one] and McAfee antivirus with autoupdate.
>
>
> When you reply, please cc: me at dscpubl@siltec.lt.  I nominally removed
> myself from the list server -- it doesn't seem to have worked, but it
> might remove me at any time.
>
>
> --
> To UNSUBSCRIBE, email to debian-user-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
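
An added example, not part of either message: one way to find which local program is behind a run of connections like the one the ISP reported (source ports 1031, 1032, 1033... to the proxy port) is to group the rows of `netstat -punta` by remote endpoint. The sample output, its addresses, the proxy port 3128 and the program name "exampled" are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample in the layout net-tools prints for `netstat -punta`.
# Addresses, PIDs, port 3128 and the program "exampled" are invented.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address    State       PID/Program name
tcp        0      0 0.0.0.0:80         0.0.0.0:*          LISTEN      412/apache
tcp        0      1 192.0.2.10:1031    198.51.100.5:3128  SYN_SENT    733/exampled
tcp        0      1 192.0.2.10:1032    198.51.100.5:3128  SYN_SENT    733/exampled
tcp        0      1 192.0.2.10:1033    198.51.100.5:3128  SYN_SENT    733/exampled
tcp        0      0 192.0.2.10:1034    198.51.100.5:3128  ESTABLISHED 733/exampled
tcp        0      0 192.0.2.10:1035    198.51.100.5:3128  TIME_WAIT   -
tcp        0      0 192.0.2.10:1040    203.0.113.9:22     ESTABLISHED 801/ssh
udp        0      0 0.0.0.0:111        0.0.0.0:*                      201/portmap
"""

def parse(text):
    """Yield (proto, local_port, remote, state, program) for each socket row."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # banner and column header
        rest = f[5:]
        # UDP rows normally leave State empty, so only consume it if present.
        state = rest.pop(0) if rest and rest[0].isupper() and "/" not in rest[0] else ""
        program = " ".join(rest).partition("/")[2] or "-"
        yield f[0], int(f[3].rsplit(":", 1)[1]), f[4], state, program

def longest_run(ports):
    """Length of the longest run of consecutive port numbers."""
    best, run, prev = 0, 0, None
    for p in sorted(set(ports)):
        run = run + 1 if prev is not None and p == prev + 1 else 1
        best, prev = max(best, run), p
    return best

def bursts(text, min_run=4):
    """Remote endpoints reached from >= min_run consecutive local ports."""
    by_remote = defaultdict(lambda: ([], set()))
    for proto, port, remote, state, prog in parse(text):
        if state != "LISTEN" and not remote.endswith(":*"):
            by_remote[remote][0].append(port)
            by_remote[remote][1].add(prog)
    return {r: (sorted(p), sorted(progs - {"-"}))
            for r, (p, progs) in by_remote.items() if longest_run(p) >= min_run}

if __name__ == "__main__":
    print(bursts(SAMPLE))
```

Sockets in TIME_WAIT no longer have an owning process, so netstat prints "-" for them; the run is attributed through the rows that still carry a PID. netstat only shows program names for other users' sockets when run as root.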


