
Re: Confessions of a reluctant port scanner



Also, the target IP is Slashdot's IP...
--- Bruce Banner <bruc3_banner@yahoo.com> wrote:
> It doesn't look like anything to worry about; they are
> false positives leaving your network.  Your network is
> a private network, 192.168.1.x, and the false attacks
> are you hitting a DNS (probably your DNS) and your
> network hitting a website.  192.168.1 is a private
> network range, which means they are unroutable on the
> public internet unless statically routed.  I would say
> they are false positives.  When running nmap, run it
> on your eth0 interface as opposed to your loopback; this
> can give different results.  Check your HOME_NET and
> DNS server entries in snort.conf.
> 
> 
> There is a script in cron.weekly that starts lpd once
> a week.
> --- Patrick Albuquerque <patrickq@mts.net> wrote:
> > Hello,
> > 
> > Anyone have an idea why I'm a portscanner?
> > I'm running unstable, DSL through a router.
> > 
> > Some sample snort output:
> > 
> > [**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 6 ports in 19 seconds [**]
> > 07/13-15:11:32.418841 192.168.1.1:32769 -> 198.32.64.12:53
> > UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:71 DF
> > Len: 43
> > 
> > [**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 6 ports in 52 seconds [**]
> > 07/13-15:25:53.462024 192.168.1.1:34869 -> 66.35.250.150:80
> > TCP TTL:64 TOS:0x0 ID:45297 IpLen:20 DgmLen:60 DF
> > ******S* Seq: 0x51642A4F  Ack: 0x0  Win: 0x16D0  TcpLen: 40
> > TCP Options (5) => MSS: 1460 SackOK TS: 1350334 0 NOP WS: 0
> > 
> > whois says these particular targets are 
> > 	OrgName:    Exchange Point Blocks
> > 	OrgName:    Cable & Wireless
> > and I have no connection to them AFAICT.
> > 
> > nmap localhost says:
> > Starting nmap 3.27 ( www.insecure.org/nmap/ ) at 2003-07-13 20:25 CDT
> > Interesting ports on loopback (127.0.0.1):
> > (The 1618 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 22/tcp     open        ssh
> > 25/tcp     open        smtp
> > 53/tcp     open        domain
> > 111/tcp    open        sunrpc
> > 953/tcp    open        rndc
> > 
> > Also, every now and then, I notice lpd running.  I don't have a printer,
> > and lpd is not in /etc/rc2.d
> > 
> > Sorry, but I'm pretty ignorant regarding network/security issues.
> > 
> > Is it time to panic yet?
> > 
> > Thanks for any advice.
> > 
> > Patrick.
> > 
> > 
> > -- 
> > To UNSUBSCRIBE, email to
> > debian-user-request@lists.debian.org 
> > with a subject of "unsubscribe". Trouble? Contact
> > listmaster@lists.debian.org
> > 
> 
> 
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! DSL - Now only $29.95 per month!
> http://sbc.yahoo.com
> 
> 


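As an added example, not part of the thread, here is a small Python triage script that parses the spp_portscan2 alerts quoted above (re-joined onto the lines Snort originally wrote) and applies the reply's reasoning: an alert whose source sits inside the 192.168.1.0/24 LAN (an assumption standing in for the poster's HOME_NET) and whose destination is an outside DNS or web port is marked as a likely false positive, while a scan arriving from outside into the LAN is flagged for review. The client service-port set and the 203.0.113.9 address used in testing are constructed.

```python
import ipaddress
import re

# Constructed sample: the two alerts quoted in the thread, re-joined onto the
# lines Snort originally emitted (the list archive wrapped them).
SAMPLE_ALERTS = """\
[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 6 ports in 19 seconds [**]
07/13-15:11:32.418841 192.168.1.1:32769 -> 198.32.64.12:53
UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:71 DF

[**] [117:1:1] (spp_portscan2) Portscan detected from 192.168.1.1: 6 targets 6 ports in 52 seconds [**]
07/13-15:25:53.462024 192.168.1.1:34869 -> 66.35.250.150:80
TCP TTL:64 TOS:0x0 ID:45297 IpLen:20 DgmLen:60 DF
"""

# Assumption: the poster's LAN is 192.168.1.0/24 (what HOME_NET should name).
HOME_NET = ipaddress.ip_network("192.168.1.0/24")
# Constructed set of ports a LAN client legitimately fans out to: DNS, HTTP, HTTPS, SMTP, NTP.
CLIENT_SERVICE_PORTS = {53, 80, 443, 25, 123}

ALERT_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] \((\w+)\) (.+?) \[\*\*\]$")
PACKET_RE = re.compile(r"^\S+ (\S+):(\d+) -> (\S+):(\d+)$")
PROTO_RE = re.compile(r"^(TCP|UDP|ICMP) ")

def parse_alerts(text):
    """Yield one dict per alert block: generator/rule ids, preprocessor, 5-tuple."""
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        if len(lines) < 3:
            continue
        hdr, pkt = ALERT_RE.match(lines[0]), PACKET_RE.match(lines[1])
        proto = PROTO_RE.match(lines[2])
        if not (hdr and pkt and proto):
            continue  # not the three-line shape spp_portscan2 writes
        yield {
            "gid": int(hdr.group(1)), "sid": int(hdr.group(2)),
            "preproc": hdr.group(4), "msg": hdr.group(5), "proto": proto.group(1),
            "src": ipaddress.ip_address(pkt.group(1)), "sport": int(pkt.group(2)),
            "dst": ipaddress.ip_address(pkt.group(3)), "dport": int(pkt.group(4)),
        }

def triage(alert):
    """Outbound client traffic from HOME_NET to a well-known service port is the
    pattern the reply calls a false positive; an inbound scan still needs a look."""
    src_in, dst_in = alert["src"] in HOME_NET, alert["dst"] in HOME_NET
    if src_in and not dst_in and alert["dport"] in CLIENT_SERVICE_PORTS:
        return "likely-false-positive"
    if dst_in and not src_in:
        return "inbound-scan"
    return "review"
```

Both quoted alerts come out as "likely-false-positive"; the durable fix is still to set HOME_NET and the DNS server variables in snort.conf so the preprocessor stops treating the LAN's own outbound lookups as scans.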