[lug] Interesting Crash Report
Scott A. Herod
herod at interact-tv.com
Wed Mar 21 10:08:42 MST 2001
Hello,
In defense of the people who have machines making the port scans,
I'm willing to bet that a majority of them have been hacked themselves.
Sometimes a polite note to the machine owner and their ISP is the
best way to respond to such portscans.
Scott
"D. Stimits" wrote:
>
> Brad Doctor wrote:
> >
> > I think there may be more to this than just your machine. I have 47 active
> > threats at present, from all over the world. Most of them appear to be
> > hacked linux boxes (ssh on odd ports), and all of them are port
> > scanning. I automatically deny them, but cannot share that code :(
>
> When I think a packet is more than a scan, possibly an actual attempt at
> something, I usually test their ftp and httpd, to find out what they are
> running for comments. About 90% of the attackers run redhat, a
> significant number run SuSE, and a smaller part either run FreeBSD or
> can't be determined by simple means. What I find hilarious is that
> someone who is willing to try their scripts still is too dumb to block
> off their own more obvious ports. In any case, usually the machine gives
> up its name and o/s for my logs. Some can be more annoying, since after
> I change my ip (dialup), it isn't unusual to see them back within
> seconds (and sometimes with their own change of ip). If I'm able to
> verify it is the same machine more than once, I turn them over to their
> ISP (this helps with American ISPs, it does almost nothing in many
> outside countries).
>