New Zealand ADSL Mailing List


RE: scans for pc anywhere anyone?

From: rob.edkins_at_axon.co.nz
Date: Wed, 4 Apr 2001 08:28:45 +1200
Message-ID: <42CCA0F98530D111A77900805F0D52B3024B6910@ax-akl-exchange.axon.co.nz>

 Mark Evans wrote:
>
> from mon thru wed last week (mar 26-28) someone
> in nz adsl space (ie 210.55.x.x) repeatedly probed
> port 5362 (pc anywhere) on my external adsl link.
>
> they didn't get anywhere coz the firewall wasn't
> interested, but the ids fired off on it.
>
> anyone else see any evidence of someone apparently
> trying to find some pc anywhere equipped system
> (read vulnerable) in nz adsl space? if this person
> is successful of course they can have a field day
> with the target!
>
> i don't intend to hassle telecom with it, but am
> interested in corroboration.
>

Unfortunately such door-knocking is a fact of life if you're connected to
the Internet and have a static IP.

There's not a lot you can do about it other than look out for it.

An attacker can mask their origin so that you may never really know the
true source of a scan.

(If you're running Linux, then try Snort IDS from snort.org. It has a VERY
comprehensive list of attack signatures.)

There has been an endless thread raging on the firewalls mailing list about
the ethics of port scans per se..

Opinions range from 'I'm perfectly entitled to probe a machine connected to
the public internet to see what services it offers...' to 'anybody scanning
me must ipso facto be a vicious criminal and should have their major organs
removed'

At least one previous poster to this list claimed that using the PCA client
to scan his ISP's subnet was the only way to locate his remote machine when
the IP changed after an outage.
(and he helpfully recommended that the owners of several other machines he'd
connected to inadvertently set some passwords!)

Personally, I think that while a scan doesn't necessarily prove malicious
intent, at the very least it's bad manners and may well contravene the ToU
agreement the perpetrator has with their ISP.

(NB.. I'm differentiating here between simple port footprinting and actual
attempted exploits like DDoS clients, CGI exploits or sendmail hacks...it's
a pretty certain bet that if you get one of those then somebody's after
something!)

One side effect of the NAT on the Nokias is that unless you pinhole
everything through to an internal logging firewall then most people won't
even see a large percentage of the stuff that is actually going on every
day.

Rob

Received on Wed Apr 4 08:28:57 2001

