On Mon, Jan 22, 2001 at 08:24:36AM -0600, Dave Ihnat wrote:
> On Mon, Jan 22, 2001 at 08:13:50AM -0500, Burke, Thomas G. wrote:
> > I've been noticing a _lot_ of scans against ports 21 & 111 in the last
> > couple of weeks. Do ya think this might be the result of the ramen worm?
> Those are standard ports for scans--yah, the frequency just went
> up a bit, so I figure somebody in the cracker warrens must have
> just posted or written an article about "common ports" or somesuch.
> Upswing in 21,23,111,515, with a smattering of others thrown in, and
> the ever-present 137 and 139. No consistent source to the probes,
> and not enough additional probes to raise alarm.
Ports 21 and 111 are characteristic of Ramen, which is a
self-propagating worm attacking RedHat 6.2 and 7.0 systems. Some sites
are detecting floods of port 21 SYN requests as a result of infected
systems.
> Have fun with it. I have my box set up to notify me on-line when
> I'm logged in. Then, if it's a series--you know, they poke at
> 137,139,21,23,25, 110,111, etc. in some order from the same place--
> before I run my 'addbad' script to block everything from their IP address,
> I poke back at ports on their IP address with the same port order.
Be extremely cautious about doing that! The "ramen worm" is
certainly the cause for the increase in port 21 and 111 probes and
your counterprobe will have no influence on it, but there are other
scans going on out there that are different. If you counterprobe
a system back, you have just tipped off the scanner that 1) there is
a valid system at this address of interest and 2) that system is
running some sort of detections and countermeasures (making it even more
interesting). That's often enough for one of these automated parallel
scanners to flag your address and log it as something interesting for
deeper, more personal investigation by the attacker himself.
In other words... Even by merely probing a system back that is
scanning your ports, you may end up getting some unwanted attention from
someone whom you would just as soon not know you even exist. Then you
have a problem.
My systems detect port scanning and simply shut down the firewall
to the scanner. My entire /19 address space goes dark and the automated
scanner leaves with the conclusion that there is nothing there. It
finds nothing to log and wanders on into the night. :-)
Food for thought.
> Their IP address usually suddenly disappears from the 'Net after the
> 2nd or third reverse port probe.
> Cheers,
> --
> Dave Ihnat
> [EMAIL PROTECTED]
Mike
--
Michael H. Warfield | (770) 985-6132 | [EMAIL PROTECTED]
(The Mad Wizard) | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0xDF1DD471 | possible worlds. A pessimist is sure of it!
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
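As an added example that is not part of this thread, the following script shows the passive approach Mike describes: spot a source that pokes at a series of ports (137, 139, 21, 23, 111 and so on) from one address within a short window and emit a rule that drops that source, rather than probing it back. The iptables-style LOG line format, the sample log lines, the 4-port/60-second threshold and the `find_scanners`/`block_rules` names are all assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of iptables-style kernel LOG lines (not real traffic).
SAMPLE_LOG = """\
Jan 22 08:13:50 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=1024 DPT=137
Jan 22 08:13:51 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=1025 DPT=139
Jan 22 08:13:52 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=1026 DPT=21
Jan 22 08:13:53 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=1027 DPT=23
Jan 22 08:13:54 gw kernel: IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=1028 DPT=111
Jan 22 08:20:00 gw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=2000 DPT=21
Jan 22 08:21:00 gw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=2001 DPT=111
Jan 22 09:30:00 gw kernel: IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=2002 DPT=23
"""

# syslog timestamp, source address and destination port (assumed format)
LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ kernel: .*SRC=(\S+) .*DPT=(\d+)")

def parse(lines, year=2001):
    """Turn log text into (timestamp, src, dport) events; skip non-matching lines."""
    events = []
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), int(m.group(3))))
    return events

def find_scanners(events, distinct_ports=4, window=timedelta(seconds=60)):
    """Return {src: sorted ports} for every source that touches at least
    distinct_ports different destination ports inside one sliding window.
    A couple of isolated probes spread over an hour never trip the threshold."""
    by_src = defaultdict(list)
    for ts, src, dport in sorted(events):
        by_src[src].append((ts, dport))
    scanners = {}
    for src, probes in by_src.items():
        for i, (t0, _) in enumerate(probes):
            ports = {p for t, p in probes[i:] if t - t0 <= window}
            if len(ports) >= distinct_ports:
                scanners[src] = sorted(ports)
                break
    return scanners

def block_rules(scanners):
    """Drop rules for flagged sources: go dark to the scanner, send nothing back."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(scanners)]
```

Running `block_rules(find_scanners(parse(SAMPLE_LOG)))` flags only the host that walked five ports in five seconds; the second source stays under the threshold.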