At the moment (after someone found an LPR bug), over the last 3-4 days there
have been lots (lots = scanning entire B Class Networks) of scans of port
515!
Be aware people. We have a network printer and over this period it has been
outputting lots of crap each time someone scans our network :-)
Thanks
Craig Whitmore
Orcon Internet
----- Original Message -----
From: "Mark Evans" <Mark.Evans@Optimation.co.nz>
To: <adsl@unixathome.org>
Sent: Wednesday, April 04, 2001 9:33 AM
Subject: RE: scans for pc anywhere anyone?
> > From: rob.edkins@axon.co.nz [mailto:rob.edkins@axon.co.nz]
> > Subject: RE: scans for pc anywhere anyone?
> >
> > Unfortunately such door-knocking is a fact of life if you're
> > connected to the Internet and have a static IP.
> >
> > There's not a lot you can do about it other than look out for it.
>
> i concur.
>
> i want corroboration for another reason. i'm involved in
> analysis of 'attacks' from a theoretical perspective. i
> was hoping someone else could check their logs for this
> period and find the same scan. two separate sources of
> such info provide such corroboration
>
> > An attacker can mask their origin so that you may never
> > really know the true source of a scan
>
> except in this case they prolly didn't. it is unlikely
> (tho' far from impossible) that they would go to the
> effort of picking an address adjacent to mine. whilst
> they don't need to do a 3-way handshake to find out if
> i've got the port open they would to actually use pc
> anywhere (or whatever). this would make a spoofed source
> address much less likely.
>
> > (If you're running Linux, then try Snort IDS from snort.org.
> > It has a VERY comprehensive list of attack signatures.)
>
> i run snort already as one of the ids' on my net.
>
> > There has been an endless thread raging on the firewalls
> > mailing list about the ethics of port scans per se..
>
> we'll leave the rage there then :-)
>
> > At least one previous poster to this list claimed that using
> > the PCA client to scan his ISP's subnet was the only way to
> > locate his remote machine when the IP changed after an outage.
>
>
> > One side effect of the NAT on the Nokias is that unless you pinhole
> > everything through to an internal logging firewall then most
> > people won't even see a large percentage of the stuff that is actually
> > going on every day.
>
> which for most is prolly what they would prefer.
>
>
> and.....
>
> > From: Tom Parker [mailto:tom@carrott.org]
> > Sent: Wednesday, April 04, 2001 1:39 AM
> > To: Craig Whitmore
> > Subject: Re: scans for pc anywhere anyone?
>
> > I get people knocking on my machine regularly, a few a day
> > usually. I don't bother even to reverselookup the ips most
> > of the time, but I guess I should automate it and email the
> > results to myself.
>
> my internal ids (rather than the noisier external one) emails
> me at home and work re alerts. if this one fires then it's either
> a false positive that i'll try to tune out, or it means that
> someone has got past both my firewalls (yes they are different
> types) and i should be concerned! yes i could be sort of dos'd
> by this - but i've got some s/w after the event that's set to
> reduce this.
>
> would you (and anyone else who keeps logs) just check for the may
> 27-29 period for this specific attack
>
>
> and.....
>
> for those who asked me to email the source address i will do so
> off list. the address changed half way thru the scan (power
> cycle?) - so i'll provide the date/time info also.
>
> cheers
>
> --
> me - mark evans - optimation.co.nz
> "thats the problem with blue green planetoids,
> they're blue, green and planetoidy"
>
> This message is part of the NZ ADSL mailing list.
> see http://unixathome.org/adsl/ for archives, FAQ,
> and various documents.
> To unsubscribe: send mail to majordomo@unixathome.org
> with "unsubscribe adsl" in the body of the message
>
Received on Wed Apr 4 10:36:54 2001
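
Added example, not part of the original thread: the corroboration requested above (two sites checking their logs for the same scan) amounts to finding sources that probe one port across many hosts at each site and intersecting the results. The log format, addresses, thresholds and function names are constructed assumptions; 515 is the LPR port from the thread and 5631/tcp is a pcAnywhere port.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs, one "timestamp src dst dport" record per line.
SITE_A = """\
2001-04-03T02:10:01 198.51.100.7 192.0.2.1 515
2001-04-03T02:10:02 198.51.100.7 192.0.2.2 515
2001-04-03T02:10:03 198.51.100.7 192.0.2.3 515
2001-04-03T02:10:04 198.51.100.7 192.0.2.4 515
2001-04-03T09:00:00 198.51.100.99 192.0.2.4 515
2001-04-03T09:05:00 198.51.100.99 192.0.2.4 515
2001-04-03T11:00:01 198.51.100.50 192.0.2.1 5631
2001-04-03T11:00:02 198.51.100.50 192.0.2.2 5631
2001-04-03T11:00:03 198.51.100.50 192.0.2.3 5631
"""
SITE_B = """\
2001-04-03T02:11:30 198.51.100.7 203.0.113.10 515
2001-04-03T02:11:31 198.51.100.7 203.0.113.11 515
2001-04-03T02:11:32 198.51.100.7 203.0.113.12 515
"""

def sweeps(log, min_hosts=3):
    """Return {(src, dport): (first_seen, last_seen, distinct_dsts)} for sweeps."""
    seen = defaultdict(lambda: {"dsts": set(), "times": []})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed records
        ts, src, dst, dport = parts
        entry = seen[(src, int(dport))]
        entry["dsts"].add(dst)
        entry["times"].append(datetime.fromisoformat(ts))
    # One source probing the same port on many hosts is a sweep; a single
    # client talking repeatedly to one printer is not.
    return {key: (min(e["times"]), max(e["times"]), len(e["dsts"]))
            for key, e in seen.items() if len(e["dsts"]) >= min_hosts}

def corroborate(log_a, log_b, slack=timedelta(hours=1)):
    """Sweeps reported by both sites whose time windows overlap within slack."""
    a, b = sweeps(log_a), sweeps(log_b)
    matches = []
    for key in sorted(a.keys() & b.keys()):
        (a_first, a_last, _), (b_first, b_last, _) = a[key], b[key]
        # slack absorbs clock skew and the time a scanner takes between ranges
        if a_first <= b_last + slack and b_first <= a_last + slack:
            matches.append(key)
    return matches

if __name__ == "__main__":
    for src, dport in corroborate(SITE_A, SITE_B):
        print(f"both sites saw {src} sweeping port {dport}")
```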