Hi everyone, I just wanted to bring up something weird I saw last night. I have a DSL line and a computer running Windows at my house. Besides getting the usual scans for FTP, DNS, and RPC, I also got scanned for port 109, which I think is POP-2. Another weird thing (the ZoneAlarm warnings are at the bottom) was that besides getting scanned for all 4 (the packets are two seconds apart, so it is probably automated), the initial packets were sent with the SF bit set. I have not seen that in the past from worms or tools. Also, I went to port 80 and the site was not defaced.

Another thing: when I get scanned I also scan the system from 1-1024 to see what it is running. A lot of times I find a web server, and sometimes I have been able to find e-mail addys on the site and have mailed them to let them know their system was actively probing the Internet and was probably compromised. (I know it could be the hacker reading and responding, but at least I make an attempt. One disgruntling response was when I told a Korean e-commerce company that their server had scanned me and that if they were running a default install of a Linux system with no patches they were probably compromised, and they replied that they wouldn't be surprised if they were and this wouldn't be the first time. Um, sure, you can have my credit card info.)

Anyway, when I scanned this system it immediately scanned me back on the same 4 ports (21, 53, 109, 111), this time with the SYN bit set. I scanned it again and it scanned me back (both times the machine scanned me back, the packets all arrived within 2 seconds of each other, so probably some automated defense or something?). Anyway, I just wanted to see what the list thought. The machine is still online running every service under the sun as I write this.

Leon

210.119.103.190

The firewall has blocked Internet access to your computer (TCP Port 109) from 210.119.103.190 (TCP Port 109) [TCP Flags: SF]. Time: 4/25/2001 23:29:36
The firewall has blocked Internet access to your computer (FTP) from 210.119.103.190 (FTP) [TCP Flags: SF]. Time: 4/25/2001 23:29:38
The firewall has blocked Internet access to your computer (TCP Port 111) from 210.119.103.190 (TCP Port 111) [TCP Flags: SF]. Time: 4/25/2001 23:29:56
The firewall has blocked Internet access to your computer (DNS) from 210.119.103.190 (DNS) [TCP Flags: SF]. Time: 4/25/2001 23:30:02
The firewall has blocked Internet access to your computer (FTP) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22673) [TCP Flags: S]. Time: 4/25/2001 23:46:08
The firewall has blocked Internet access to your computer (DNS) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22674) [TCP Flags: S]. Time: 4/25/2001 23:46:08
The firewall has blocked Internet access to your computer (TCP Port 109) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22677) [TCP Flags: S]. Time: 4/25/2001 23:46:10
The firewall has blocked Internet access to your computer (TCP Port 111) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22678) [TCP Flags: S]. Time: 4/25/2001 23:46:10
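The two things the post singles out, SYN+FIN set together on the first sweep and a tight, automated cadence across ports 21, 53, 109 (POP2) and 111 (sunrpc/portmapper), are both visible in the ZoneAlarm lines quoted above. The script below is an added example, not part of the original post or of ZoneAlarm: it parses those exact log lines (re-typed from the post), groups them into bursts per source host, and reports the tells a practitioner would check: an illegal SYN+FIN flag combination, source port equal to destination port on every packet (a crafted-packet artefact, since a real TCP stack picks ephemeral source ports), and near-consecutive source ports (one process opening sockets in a loop, as in the second sweep). The function names, the 30-second burst gap, the 3-port scan threshold and the FTP/DNS name-to-port mapping are this example's own assumptions.

```python
"""Detect scan behaviour in ZoneAlarm "firewall has blocked" log lines.

Added example, not from the original post or ZoneAlarm.  LOG holds the eight
lines quoted in the post, re-typed.  Thresholds and the SERVICE_PORTS mapping
are assumptions made for this example.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Service names ZoneAlarm prints instead of a port number (assumed mapping).
SERVICE_PORTS = {"FTP": 21, "DNS": 53}

LINE_RE = re.compile(
    r"The firewall has blocked Internet access to your computer "
    r"\((?P<dst>[^)]+)\) from "
    r"(?:(?P<host>[\w.-]+) \((?P<src_a>[\d.]+)\)|(?P<src_b>[\d.]+)) "
    r"\((?P<sport>[^)]+)\) \[TCP Flags: (?P<flags>[A-Z]+)\]\. "
    r"Time: (?P<time>\d+/\d+/\d+ \d+:\d+:\d+)"
)

# Constructed input: the log lines quoted in the post, one event per string.
LOG = [
    "The firewall has blocked Internet access to your computer (TCP Port 109) from 210.119.103.190 (TCP Port 109) [TCP Flags: SF]. Time: 4/25/2001 23:29:36",
    "The firewall has blocked Internet access to your computer (FTP) from 210.119.103.190 (FTP) [TCP Flags: SF]. Time: 4/25/2001 23:29:38",
    "The firewall has blocked Internet access to your computer (TCP Port 111) from 210.119.103.190 (TCP Port 111) [TCP Flags: SF]. Time: 4/25/2001 23:29:56",
    "The firewall has blocked Internet access to your computer (DNS) from 210.119.103.190 (DNS) [TCP Flags: SF]. Time: 4/25/2001 23:30:02",
    "The firewall has blocked Internet access to your computer (FTP) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22673) [TCP Flags: S]. Time: 4/25/2001 23:46:08",
    "The firewall has blocked Internet access to your computer (DNS) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22674) [TCP Flags: S]. Time: 4/25/2001 23:46:08",
    "The firewall has blocked Internet access to your computer (TCP Port 109) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22677) [TCP Flags: S]. Time: 4/25/2001 23:46:10",
    "The firewall has blocked Internet access to your computer (TCP Port 111) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22678) [TCP Flags: S]. Time: 4/25/2001 23:46:10",
]


@dataclass
class Event:
    time: datetime
    src: str
    host: Optional[str]
    sport: int
    dport: int
    flags: str


def port_of(label: str) -> int:
    """'TCP Port 109' -> 109, 'FTP' -> 21, 'DNS' -> 53."""
    if label in SERVICE_PORTS:
        return SERVICE_PORTS[label]
    m = re.fullmatch(r"TCP Port (\d+)", label)
    if not m:
        raise ValueError("unknown port label: " + label)
    return int(m.group(1))


def parse_line(line: str) -> Optional[Event]:
    """Return an Event for a ZoneAlarm block line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Event(
        time=datetime.strptime(m["time"], "%m/%d/%Y %H:%M:%S"),
        src=m["src_a"] or m["src_b"],
        host=m["host"],
        sport=port_of(m["sport"]),
        dport=port_of(m["dst"]),
        flags=m["flags"],
    )


def bursts(events, max_gap_s=30):
    """Split each source's events into bursts separated by > max_gap_s of silence."""
    by_src = {}
    for e in sorted(events, key=lambda e: e.time):
        by_src.setdefault(e.src, []).append(e)
    out = []
    for evs in by_src.values():
        cur = [evs[0]]
        for e in evs[1:]:
            if (e.time - cur[-1].time).total_seconds() > max_gap_s:
                out.append(cur)
                cur = [e]
            else:
                cur.append(e)
        out.append(cur)
    return out


def describe(burst, min_ports=3):
    """Summarise one burst and flag the scan artefacts worth noting."""
    sports = sorted(e.sport for e in burst)
    ports = sorted({e.dport for e in burst})
    return {
        "src": burst[0].src,
        "start": burst[0].time.isoformat(),
        "span_s": (burst[-1].time - burst[0].time).total_seconds(),
        "ports": ports,
        "flags": sorted({e.flags for e in burst}),
        "is_scan": len(ports) >= min_ports,
        # SYN and FIN together is not a legal opening packet; scanners send it to
        # slip past filters that only match a bare SYN and to fingerprint the stack.
        "syn_fin": any("S" in e.flags and "F" in e.flags for e in burst),
        # Source port equal to destination port on every packet: crafted packets,
        # not a stack choosing ephemeral ports.
        "sport_eq_dport": all(e.sport == e.dport for e in burst),
        # Near-consecutive ephemeral source ports: one process in a socket loop.
        "sequential_sports": len(sports) > 1
        and all(0 < b - a <= 4 for a, b in zip(sports, sports[1:])),
    }


def analyse(lines):
    """Parse the lines and return one summary dict per burst, in time order."""
    events = [e for e in map(parse_line, lines) if e]
    return [describe(b) for b in bursts(events)]


if __name__ == "__main__":
    for summary in analyse(LOG):
        print(summary)
```

Run on the post's lines this yields two bursts from 210.119.103.190: the 23:29 sweep with SF flags and source port equal to destination port on all four packets, and the 23:46 sweep with plain SYNs from source ports 22673 to 22678. Both hit the same four ports, which is what makes the second look like an automatic reaction to the author's own scan rather than an unrelated probe. A SYN+FIN packet is the kind of thing a stateful firewall should drop without logging a "connection"; a stateless ACL that matches only `SYN` and not `SYN,FIN` will let it through, which is precisely why scanners send it.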
This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 07:55:12 PDT