LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Old 04-19-2001, 09:44 AM   #1
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

People...
I was wondering what kind of scans other people on fixed IPs get per day from log files.

I have cut out all the scans from dubious sources over the last three days and resolved the company and location names.

My firewall is not a public website and I don't advertise it to anyone, yet I get quite a few different scans ranging from a simple ping of the host to RPC portmapper checking.

Here's some interesting viewing 8-)
---- 16/04/01 ----
(fn2.freenet.edmonton.ab.ca) Edmonton Community Network library in Edmonton, Alberta
"ICMP request"

(goldencat.middlebury.edu) Middlebury College, Middlebury, Vermont
"ICMP request"

(goldencat.middlebury.edu) Middlebury College, Middlebury, Vermont
"Tried to view website port"

---- 17/04/01 ----
(203.247.218.1) The Korean Operations Research and Management Science Society; Seoul
"Tried to find DNS port"

(66.35.227.99) Exodus Communications Inc. SantaClara-8
"Tried to find DNS port"

(plp05.edv.uniovi.es) Universidad de Oviedo; Spain
"tried to find FTP port"

---- 18/04/01 ----
(211.237.86.173) "Lucent Technologies in China or Korea"
"RPC services scan"

(cengunix.ceng.fatih.edu.tr) "Fatih University in Turkey"
"Scanned for DNS port"

(wwws-a.ucl.ac.uk) UCL London Uni eng/IT
"ICMP request"

(dns1.tsfds.de) "T + S Datentechnik Freudenstadt Germany"
"Scanning for FTP port from DNS port"

(seosane.es.kr) ?? some Korean site
"Scanned for portmapper services from high port 1023<"

(ns01.ftghome.com) "Fusion Technology Group on the Wing.Net network"
"scanned for portmapper RPC from portmapper RPC port"

(hpma901.external.hp.com) "Hewlett-Packard Company"
"ICMP request"

(hsi5.asuk.net) ASUK service ISP
"scanned for portmapper RPC from portmapper RPC port"
"system broken into at 2am 18th, ISP has shut it down now"

(203.232.4.4) "Korea Telecom ISP, Nanum information tech"
"scanned for FTP port"
"scanned for RPC mapper from RPC mapper"

Anyone else get the same kind of scans, or am I just a kiddy script magnet?

Cheers,
/Raz
 
Old 04-30-2001, 02:42 PM   #2
greatgatsby26
LQ Newbie
 
Registered: Apr 2001
Posts: 5

more log info

Hey, I saw you make some comment about enhancing the logging features. Well, I have telnet shut down but I run ssh. I use portsentry/iptables for my firewall on Mandrake 8 and I am pretty new to this Linux stuff. It really doesn't give me much info in that /var/log/messages. How do I make that more descriptive? Thanks

Also, what is a stealth port scan and what can they do with it?
 
Old 05-02-2001, 02:32 AM   #3
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Original Poster
Unfortunately you won't get this much info in your log with a simple change to a config file.

You'll have to write an IDS "intrusion detection system" to do reverse lookups on the info that is logged in the messages file.

The one I wrote is in Perl and shell scripts.

A stealth scan is where someone does a half-open scan on your ports.

In simple terms, a normal TCP connection has a 3-way handshake; a stealth scan closes the connection before the handshake is completed, thus causing some detection systems not to log it. "Most new systems now log stealth scans"

The better method is a very, very slow scan using normal TCP connections.
Or a massive scan with thousands of decoy addresses added. "This is what got the US Navy into thinking they were under attack from multiple organised hackers around the world, a few years back"

/Raz
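Raz's answer says the extra detail comes from a script that does reverse lookups on what the firewall logs, and the first post shows the kind of per-source summary that produces. The following is an added example for both (it is not Raz's Perl/shell IDS and not code from the thread): it turns constructed iptables LOG lines into that style of summary. SAMPLE_LOG, PTR_TABLE and the port-to-service names are assumptions; the offline table stands in for socket.gethostbyaddr().

```python
import re
from collections import defaultdict

# Constructed sample lines in the iptables LOG format, not taken from the thread.
SAMPLE_LOG = """\
Apr 18 01:02:03 fw kernel: IN=eth0 OUT= SRC=203.232.4.4 DST=10.0.0.1 PROTO=TCP SPT=1492 DPT=21 SYN URGP=0
Apr 18 01:02:09 fw kernel: IN=eth0 OUT= SRC=203.232.4.4 DST=10.0.0.1 PROTO=TCP SPT=111 DPT=111 SYN URGP=0
Apr 18 03:44:10 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Apr 18 05:10:55 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.1 PROTO=UDP SPT=53 DPT=53 LEN=40
"""
# Hypothetical reverse-lookup table standing in for socket.gethostbyaddr() so the
# example runs offline. A real PTR answer is controlled by whoever owns the address
# block, so treat the name as a label for the report, not as proof of who sent it.
PTR_TABLE = {"203.232.4.4": "host-203-232-4-4.example.kr", "192.0.2.77": "ns01.example.net"}
SERVICES = {21: "FTP", 22: "SSH", 23: "telnet", 53: "DNS", 80: "website", 111: "portmapper RPC"}
FIELD = re.compile(r"\b(SRC|PROTO|SPT|DPT|TYPE)=(\S+)")


def describe(fields):
    """Turn one parsed log entry into a one-line note in the style of the first post."""
    proto = fields.get("PROTO")
    if proto == "ICMP":
        return "ICMP echo request" if fields.get("TYPE") == "8" else f"ICMP type {fields.get('TYPE')}"
    spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    target = SERVICES.get(dpt, f"{proto} port {dpt}")
    # A source port equal to a service port (53, 111) is worth flagging: it is the
    # "from DNS port" / "from portmapper RPC port" pattern seen in the first post.
    if spt in SERVICES:
        return f"scanned for {target} from {SERVICES[spt]} port"
    if spt < 1024:
        return f"scanned for {target} from privileged source port {spt}"
    return f"scanned for {target}"


def summarise(log, ptr=PTR_TABLE):
    """Group log lines by source address, labelled with its reverse lookup."""
    out = defaultdict(list)
    for line in log.splitlines():
        fields = dict(FIELD.findall(line))
        if "SRC" not in fields or "PROTO" not in fields:
            continue  # not a netfilter LOG line; skip it
        name = ptr.get(fields["SRC"], fields["SRC"])
        out[f"({name}) {fields['SRC']}"].append(describe(fields))
    return dict(out)


if __name__ == "__main__":
    for source, events in summarise(SAMPLE_LOG).items():
        print(source, *[f'  "{event}"' for event in events], sep="\n")
```

Feed it `/var/log/messages` instead of SAMPLE_LOG and swap the table for a real resolver call to get the per-host listing Raz posted.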
 