[lug] Interesting Crash Report

Scott A. Herod herod at interact-tv.com
Wed Mar 21 10:08:42 MST 2001


In defense of the people who have machines making the port scans,
I'm willing to bet that a majority of them have been hacked themselves.
Sometimes a polite note to the machine owner and their ISP is the
best way to respond to such portscans.


"D. Stimits" wrote:
> Brad Doctor wrote:
> >
> > I think there may be more to this than just your machine.  I have 47 active
> > threats at present, from all over the world.  Most of them appear to be
> > hacked linux boxes (ssh on odd ports), and all of them are port
> > scanning.  I automatically deny them, but cannot share that code :(
> When I think a packet is more than a scan, possibly an actual attempt at
> something, I usually test their ftp and httpd, to find out what they are
> running for comments. About 90% of the attackers run redhat, a
> significant number run SuSE, and a smaller part either run FreeBSD or
> can't be determined by simple means. What I find hilarious is that
> someone who is willing to try their scripts still is too dumb to block
> off their own more obvious ports. In any case, usually the machine gives
> up its name and o/s for my logs. Some can be more annoying, since after
> I change my ip (dialup), it isn't unusual to see them back within
> seconds (and sometimes with their own change of ip). If I'm able to
> verify it is the same machine more than once, I turn them over to their
> ISP (this helps with American ISP's, it does almost nothing in many
> outside countries).

More information about the LUG mailing list