Re: [SLUG] regular scan patterns from RR/TimeWarner

From: Smitty (a.smitty@verizon.net)
Date: Fri Nov 22 2002 - 14:43:13 EST


On Friday 22 November 2002 13:11, you wrote:
> Re: scanning by RR in their own address space
>
> I made a written note to myself, in my IDS at home I logged the
> following: (times EST, NTP synch'd)
>
> 6 Nov 05:00:39 from 24.30.199.228 attempt to port 1080 socks
> 6 Nov 05:18:51 from 24.30.199.228 attempt to port 3128 squid
> 6 Nov 06:31:39 from 24.30.199.228 attempt to port 8080 proxy
>
> I am in the 24.94.x.x space. This source address, above, is the same as
> that described below; reverse lookup gives the same name.
>
> I get many other attempts at home from various 24.x.x.x addresses to port
> 80, less so to 445. By far the most attempts from _any_ source address are
> to port 137, trying to resolve NetBIOS name "CKAAAAA..." (this is just *
> followed by nulls). Many are coming from Poland now.

Yeah, the most common scan is for 137. Lots of nice MS exploit possibilities
from there.
>
> I am also getting several attempts a day from 24.94.39.9 looking for
> several ports including 12345 and 27374, the subseven and netbus ports.
> I suspect it is a trojanized machine. It is near Rochester NY in the
> southern tier of NY; his workgroup is Capecci Wines/Tony Capecci but not
> findable in Google.
> Wonder how long it will take RR to discover this? (...stny.rr.com)

It is a zombie machine, and Capecci may even have an indication that it is and
not want to do anything about it.
>
> I see as many as 15 to 20 different IPs most every day trying any of a
> dozen different ports. Again, that's just at home. One that has really
> dropped off is port 111, the RPC portmapper port. Guess the haker3 have
> decided that no one on home connections runs unix. Ha.

Just for the heck of it, I followed my iptables logs one evening and pinged
every host who scanned my box. Then did traceroutes on them. The activity
actually abated a bit after doing this.
>
> Bob Foxworth
>
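
An added example to go with the two things discussed above (the "CKAAAAA..."
NetBIOS query and sorting out iptables logs by scanning host). This is not code
from either post; it decodes the RFC 1001 "first-level" encoding that NetBIOS
name queries use, which is what makes a 32-character name of the form
"CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" come out as "*" followed by NUL bytes (the
wildcard node-status query), and it groups netfilter/iptables LOG lines by
source address and probed port. The log lines inside it are constructed for
the example, using the source addresses and ports the post reports plus one
RFC 5737 documentation address; the PORT_LABELS table only records which
service each port is usually probed for, not what is actually listening.

```python
"""Decode NetBIOS wildcard query names and summarize iptables LOG scan lines.

Added example, not code from the original thread. Sample log lines are
constructed; they are not real captures.
"""
import re
from collections import defaultdict

# Ports mentioned in the thread and the service each is usually probed for.
# A port number alone does not prove what is listening behind it.
PORT_LABELS = {
    80: "http", 111: "rpc portmapper", 137: "netbios-ns", 445: "microsoft-ds",
    1080: "socks", 3128: "squid", 8080: "http-proxy",
    12345: "netbus", 27374: "subseven",
}

NB_RAW_LEN = 16          # a NetBIOS name is 16 bytes on the wire ...
NB_ENCODED_LEN = 32      # ... and each byte becomes two letters 'A'..'P'
WILDCARD_NAME = b"*" + b"\x00" * 15   # the node-status wildcard: '*' + NULs


def encode_netbios_name(name: str, suffix: int = 0x00) -> str:
    """First-level encode a NetBIOS name (RFC 1001 section 14.1).

    Ordinary names are space-padded to 15 bytes plus a 1-byte type suffix;
    the wildcard "*" is NUL-padded instead. Each byte b becomes the letters
    chr(ord('A') + (b >> 4)) and chr(ord('A') + (b & 0x0F)).
    """
    raw = name.encode("ascii")
    if raw == b"*":
        raw = raw.ljust(NB_RAW_LEN, b"\x00")
    else:
        raw = raw.ljust(NB_RAW_LEN - 1, b" ")[: NB_RAW_LEN - 1] + bytes([suffix])
    return "".join(chr(ord("A") + (b >> 4)) + chr(ord("A") + (b & 0x0F)) for b in raw)


def decode_netbios_name(encoded: str) -> bytes:
    """Reverse the first-level encoding; reject anything not 32 letters A..P."""
    if len(encoded) != NB_ENCODED_LEN:
        raise ValueError("encoded NetBIOS name must be %d characters" % NB_ENCODED_LEN)
    out = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        h, l = ord(hi) - ord("A"), ord(lo) - ord("A")
        if not (0 <= h <= 15 and 0 <= l <= 15):
            raise ValueError("invalid first-level encoding: %r" % encoded)
        out.append((h << 4) | l)
    return bytes(out)


def is_wildcard_query(encoded: str) -> bool:
    """True if the encoded name is the '*' node-status wildcard the post describes."""
    return decode_netbios_name(encoded) == WILDCARD_NAME


# Fields the netfilter LOG target emits for TCP/UDP packets (ICMP has no ports).
IPT_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>TCP|UDP) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

# Constructed lines modelled on the probes reported in the thread.
SAMPLE_LOG = [
    "Nov 22 05:00:39 gw kernel: IN=eth0 OUT= SRC=24.30.199.228 DST=24.94.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2011 DF PROTO=TCP SPT=3345 DPT=1080 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Nov 22 05:18:51 gw kernel: IN=eth0 OUT= SRC=24.30.199.228 DST=24.94.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=2390 DF PROTO=TCP SPT=3402 DPT=3128 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Nov 22 06:31:39 gw kernel: IN=eth0 OUT= SRC=24.30.199.228 DST=24.94.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=4417 DF PROTO=TCP SPT=3999 DPT=8080 WINDOW=16384 RES=0x00 SYN URGP=0",
    "Nov 22 11:02:10 gw kernel: IN=eth0 OUT= SRC=24.94.39.9 DST=24.94.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=771 DF PROTO=TCP SPT=1562 DPT=12345 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Nov 22 11:02:11 gw kernel: IN=eth0 OUT= SRC=24.94.39.9 DST=24.94.1.2 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=772 DF PROTO=TCP SPT=1563 DPT=27374 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Nov 22 13:40:05 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=24.94.1.2 LEN=78 TOS=0x00 PREC=0x00 TTL=109 ID=9001 PROTO=UDP SPT=137 DPT=137 LEN=58",
    "Nov 22 13:40:06 gw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=24.94.1.2 LEN=84 TOS=0x00 PREC=0x00 TTL=109 ID=9002 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1",
]


def parse_iptables_log(lines):
    """Return (src, proto, dport) for each TCP/UDP LOG line; other lines are skipped."""
    hits = []
    for line in lines:
        m = IPT_RE.search(line)
        if m:
            hits.append((m["src"], m["proto"], int(m["dpt"])))
    return hits


def summarize(hits):
    """Map each source address to the sorted list of destination ports it probed."""
    by_src = defaultdict(set)
    for src, _proto, dport in hits:
        by_src[src].add(dport)
    return {src: sorted(ports) for src, ports in by_src.items()}


def label_port(port):
    """Render a port with the service it is usually probed for, e.g. '27374/subseven'."""
    return "%d/%s" % (port, PORT_LABELS.get(port, "unknown"))


if __name__ == "__main__":
    print(decode_netbios_name("CK" + "A" * 30))
    for src, ports in sorted(summarize(parse_iptables_log(SAMPLE_LOG)).items()):
        print(src, ", ".join(label_port(p) for p in ports))
```

Feeding real kernel LOG output in place of SAMPLE_LOG (for example the lines
matching "kernel:" from /var/log/messages) gives the per-host port list that
was being pinged and traced by hand above; a source that touches 1080, 3128
and 8080 in one pass is an open-proxy sweep, and 12345 plus 27374 together is
the trojan-port pair described in the quoted message.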



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:06:59 EDT