[lug] Interesting Crash Report

D. Stimits stimits at idcomm.com
Tue Mar 20 21:24:27 MST 2001

Brad Doctor wrote:
> I think there may be more to this than just your machine.  I have 47 active
> threats at present, from all over the world.  Most of them appear to be
> hacked linux boxes (ssh on odd ports), and all of them are port
> scanning.  I automatically deny them, but cannot share that code :(

When I think a packet is more than a scan, possibly an actual attempt at
something, I usually test their ftp and httpd, to find out what they are
running for comments. About 90% of the attackers run redhat, a
significant number run SuSE, and a smaller part either run FreeBSD or
can't be determined by simple means. What I find hilarious is that
someone who is willing to try their scripts still is too dumb to block
off their own more obvious ports. In any case, usually the machine gives
up its name and o/s for my logs. Some can be more annoying, since after
I change my IP (dialup), it isn't unusual to see them back within
seconds (and sometimes with their own change of IP). If I'm able to
verify it is the same machine more than once, I turn them over to their
ISP (this helps with American ISPs; it does almost nothing in many
outside countries).

> -brad
> At 08:33 PM 3/20/2001 -0700, D. Stimits wrote:
> >Deva Samartha wrote:
> > >
> > > >  I've denied about two dozen
> > > >/24 domains just because I dislike seeing anything hit port 111 (the
> > > >first packet gets them blocked).
> > >
> > > That's really neat, if possible, would you mind sharing how you do that -
> > > or name the software packages you use?
> > >
> > > Thanks,
> > >
> > > Samartha
> > >
> >
> >John Starkey already gave the automated method, portsentry. I tend to
> >use tail -f on /var/log/messages while connected, and have a separate rc
> >file I list bans in. I just add the /24 by hand; with others there, I
> >just copy and paste then substitute the ip address in ipchains rules. So
> >I guess my app is vi :P
> >
> >Actually, I would say being paranoid about what my firewall logs and
> >reading it quickly/acting on it is the number one tool.
> >
> >D. Stimits, stimits at idcomm.com
> >_______________________________________________
> >Web Page:  http://lug.boulder.co.us
> >Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
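Added example, not code from anyone in this thread: a small shell script that does the copy-and-paste step described above for you, turning ipchains "Packet log:" lines from /var/log/messages into one /24 DENY rule per offending network that you can append to a separate rc file of bans. The log line format and all addresses below are constructed sample data, assumed to follow the 2.2-kernel ipchains logging layout.

```shell
#!/bin/sh
# Constructed sample of ipchains "Packet log:" lines as they appear in
# /var/log/messages on a 2.2 kernel (assumed layout; addresses made up).
SAMPLE_LOG='Mar 20 20:31:02 host kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.45:2817 198.51.100.7:111 L=60 S=0x00 I=4921 F=0x4000 T=48 SYN (#3)
Mar 20 20:31:05 host kernel: Packet log: input DENY ppp0 PROTO=6 203.0.113.45:2818 198.51.100.7:111 L=60 S=0x00 I=4922 F=0x4000 T=48 SYN (#3)
Mar 20 20:32:17 host kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.200:4021 198.51.100.7:80 L=60 S=0x00 I=7710 F=0x4000 T=52 SYN (#3)
Mar 20 20:33:40 host kernel: Packet log: input DENY ppp0 PROTO=17 192.0.2.9:1035 198.51.100.7:111 L=84 S=0x00 I=1182 F=0x0000 T=64 (#4)'

# Read ipchains log lines on stdin and print one
#   ipchains -A input -s A.B.C.0/24 -j DENY -l
# line per distinct source /24 seen hitting destination port $1.
# Duplicate hits from the same /24 produce a single rule.
# Usage: ban_rules_for_port 111 < /var/log/messages >> /etc/rc.d/rc.bans
ban_rules_for_port() {
    port="$1"
    awk -v port="$port" '
        /Packet log:/ {
            # The two ip:port fields right after PROTO= are src and dst.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^PROTO=/) { src = $(i + 1); dst = $(i + 2); break }
            split(dst, d, ":")
            if (d[2] != port) next          # only the port we care about
            split(src, s, ":")
            split(s[1], o, ".")
            net = o[1] "." o[2] "." o[3] ".0/24"
            if (!(net in seen)) {
                seen[net] = 1
                print "ipchains -A input -s " net " -j DENY -l"
            }
        }'
}

# Run the generator over the constructed sample for port 111 (sunrpc).
rules_from_sample() {
    printf '%s\n' "$SAMPLE_LOG" | ban_rules_for_port 111
}

rules_from_sample
```

Review the generated lines before sourcing the rc file, since one noisy host bans its whole /24 and the three-octet prefix is only a rough stand-in for the real netblock.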
