Joshua Hirsh wrote:
>
> The information in the email pertaining to the user 'operator' was on the
> remote machine which had attempted to connect to Ben's portmap service.
>
> Because the remote machine had attempted the connection, a program on
> Ben's machine is setup to finger the remote account that is attempting the
> connection. In this case, it was the user operator on pts/1 and pts/2 on
> the remote machine.
>
Can we surmise that the remote machine has been compromised since
operator should not be logged into directly? BTW I like the thought
behind this sort of information. Ben, what program generates these
emails? Although having written that, I get irritated enough with the
logcheck stuff telling me about the hits on the three firewalls I
manage, I can't imagine how pissed I would get if each probe generated a
separate email. I have recently seen a big spike in the number of port
111 probes as well as the usual ftp stuff. Seems like the telnet probes
have reduced over the last few months, although I got one today. Maybe
the word is getting out that using telnet is a bad idea and the return
on CPU cycle investment is not paying off for the script kiddies.
I don't get too excited any more, but it sure gets old dealing with this
crap. I will have to think about supporting legislation to throw the
bums under the jail that get caught doing this sort of stuff.
Here is an idea that may be out there already. A system that will
receive emails of logs in a specific format, like those from PortSentry
for instance, and that then tracks machines that are hitting multiple
targets. These could then be turned over to the authorities en masse and
perhaps provide additional ammunition to go after the big time
offenders.
Aggregating these logs should all but eliminate the occasional
misdirected connection attempts, wouldn't it? Perhaps the spoofing of
these scans would render this type of aggregation useless, but I would be
willing to contribute my logs to such an attempt. We could call it the
distributed anti-hacker network or something like that.
Just a thought.
Bret
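The aggregation idea in Bret's post, as an added example that is not code from the thread or from PortSentry: it takes mailed-in report lines from several contributors, counts how many distinct reporting hosts each source address has hit, and only surfaces sources seen by more than one target, so a single stray connection attempt drops out. The `reporter=<host>` prefix and the simplified "attackalert" line format are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of mailed-in report lines. The format is assumed:
# "reporter=<contributing host> attackalert: Connect from host: <src ip> to TCP port: <port>"
SAMPLE_REPORTS = """\
reporter=fw1.example.net attackalert: Connect from host: 198.51.100.7 to TCP port: 111
reporter=fw2.example.net attackalert: Connect from host: 198.51.100.7 to TCP port: 111
reporter=ben.example.net attackalert: Connect from host: 198.51.100.7 to TCP port: 21
reporter=fw1.example.net attackalert: Connect from host: 203.0.113.9 to TCP port: 23
reporter=fw2.example.net attackalert: Connect from host: 192.0.2.44 to TCP port: 111
reporter=fw2.example.net attackalert: Connect from host: 192.0.2.44 to TCP port: 111
this line is garbage from a mangled email and must be ignored
"""

LINE_RE = re.compile(
    r"reporter=(\S+) attackalert: Connect from host: (\d+\.\d+\.\d+\.\d+) to TCP port: (\d+)"
)


def parse_reports(text):
    """Yield (reporter, source_ip, port) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), int(m.group(3))


def aggregate(text, min_targets=2):
    """Group reports by source address and keep only sources seen by at least
    min_targets distinct reporting hosts. A source that hammers one host many
    times (192.0.2.44 above) is still a single-target event and is not flagged;
    a one-off misdirected connection (203.0.113.9) drops out the same way.
    Caveat: a source address that is spoofed in the reports is counted as given."""
    by_source = defaultdict(lambda: {"targets": set(), "ports": set(), "hits": 0})
    for reporter, src, port in parse_reports(text):
        rec = by_source[src]
        rec["targets"].add(reporter)
        rec["ports"].add(port)
        rec["hits"] += 1
    return {
        src: {"targets": sorted(r["targets"]), "ports": sorted(r["ports"]), "hits": r["hits"]}
        for src, r in by_source.items()
        if len(r["targets"]) >= min_targets
    }


if __name__ == "__main__":
    for src, rec in aggregate(SAMPLE_REPORTS).items():
        print(f"{src}: {rec['hits']} hits on {len(rec['targets'])} targets, ports {rec['ports']}")
```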
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list