-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There was a '109 peak' on DShield.org too. I guess they are going after
very old RedHat default installs that still have the bad pop-2 server
set up by default (is it RH6.0? or even 5.x?).

A note about the DShield data (and the peak): the traffic reported comes
from 3 sources only so far (207.138.131.154, 203.232.4.4,
210.119.103.190). The reason that it shows up as such a big peak is that
one of them hit a class B that submits to DShield (the first IP scanned
24556 hosts in that class B; it took about 20 minutes, which I guess is
not bad, but definitely indicates an automated tool). I don't have
anything but 109 scans from that source.

- ---
Johannes Ullrich                        Join http://www.dshield.org
jullrichat_private
GPG Key ID: AE692033   Key: http://johannes.homepc.org/pgp.htm
- ---

On Thu, 26 Apr 2001, Leon Rosenstein wrote:

> Hi everyone, I just wanted to bring up something weird I saw last night.
>
> I have a dsl line and a computer running windows at my house. Besides
> getting the usual scans for ftp, dns, and RPC I also got scanned for port
> 109 which I think is pop-2. Another weird thing (the zonealarm warnings are
> at the bottom) was that besides getting scanned for all 4 (the packets are
> two seconds apart so it is probably automated) the initial packets were sent
> with the SF bit set. I have not seen that in the past from worms or tools.
> Also I went to port 80 and the site was not defaced. Another thing; when I
> get scanned I also scan the system from 1-1024 to see what it is running. A
> lot of times I find a web server and sometimes I have been able to find
> e-mail addys on the site and have mailed them and let them know their system
> was actively probing the internet and probably was compromised (I know it
> could be the hacker reading and responding but at least I make an attempt.
> One disgruntling response was when I told a Korean E-Commerce company that
> their server had scanned me and that if they were running a default install
> of a linux system with no patches they were probably compromised and they
> replied that they wouldn't be surprised if they were and this wouldn't be
> the first time. Um, sure you can have my credit card info). Anyway when I
> scanned this system it immediately scanned me back on the same 4 ports (21,
> 53, 109, 11) this time with the syn bit set. I scanned it again, it scanned
> me back (both times the machine scanned me back the packets all arrived
> within 2 seconds of each other so probably some automated defense or
> something?)
>
> Anyway I just wanted to see what the list thought. The machine is still
> online running every service under the sun as I write this.
>
> Leon
>
> 210.119.103.190
>
> The firewall has blocked Internet access to your computer (TCP Port 109)
> from 210.119.103.190 (TCP Port 109) [TCP Flags: SF].
> Time: 4/25/2001 23:29:36
>
> The firewall has blocked Internet access to your computer (FTP) from
> 210.119.103.190 (FTP) [TCP Flags: SF].
> Time: 4/25/2001 23:29:38
>
> The firewall has blocked Internet access to your computer (TCP Port 111)
> from 210.119.103.190 (TCP Port 111) [TCP Flags: SF].
> Time: 4/25/2001 23:29:56
>
> The firewall has blocked Internet access to your computer (DNS) from
> 210.119.103.190 (DNS) [TCP Flags: SF].
> Time: 4/25/2001 23:30:02
>
> The firewall has blocked Internet access to your computer (FTP) from
> sky.skytech.co.kr (210.119.103.190) (TCP Port 22673) [TCP Flags: S].
> Time: 4/25/2001 23:46:08
>
> The firewall has blocked Internet access to your computer (DNS) from
> sky.skytech.co.kr (210.119.103.190) (TCP Port 22674) [TCP Flags: S].
> Time: 4/25/2001 23:46:08
>
> The firewall has blocked Internet access to your computer (TCP Port 109)
> from sky.skytech.co.kr (210.119.103.190) (TCP Port 22677) [TCP Flags: S].
> Time: 4/25/2001 23:46:10
>
> The firewall has blocked Internet access to your computer (TCP Port 111)
> from sky.skytech.co.kr (210.119.103.190) (TCP Port 22678) [TCP Flags: S].
> Time: 4/25/2001 23:46:10
>
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1

iQA/AwUBOug2+lTiIsyuaSAzEQK8LwCdF+9hHz16pNZsFrIGHaltWGi+b3sAnRq+
b/Nox+GR9j3rSGIgRz4NSO1Z
=JUaa
-----END PGP SIGNATURE-----
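Added example, not part of the thread: a small Python parser for ZoneAlarm entries in the format quoted above, which flags a source that touches several ports within seconds (the "4 ports, two seconds apart" pattern) and records whether any packet carried SYN+FIN. The log lines embedded below are constructed to match the quoted format, not copied from the post; the 60-second window and 3-port threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the ZoneAlarm format quoted in the thread (not the poster's log); 192.0.2.7 is benign filler.
SAMPLE_LOG = """\
The firewall has blocked Internet access to your computer (TCP Port 109) from 210.119.103.190 (TCP Port 109) [TCP Flags: SF].
Time: 4/25/2001 23:29:36
The firewall has blocked Internet access to your computer (FTP) from 210.119.103.190 (FTP) [TCP Flags: SF].
Time: 4/25/2001 23:29:38
The firewall has blocked Internet access to your computer (TCP Port 111) from sky.skytech.co.kr (210.119.103.190) (TCP Port 22678) [TCP Flags: S].
Time: 4/25/2001 23:29:56
The firewall has blocked Internet access to your computer (TCP Port 80) from 192.0.2.7 (TCP Port 4321) [TCP Flags: S].
Time: 4/25/2001 23:50:00
"""

EVENT_RE = re.compile(r"\((?P<svc>[^)]+)\) from (?:\S+ \()?(?P<ip>\d+(?:\.\d+){3})\)? "
                      r"\([^)]+\) \[TCP Flags: (?P<flags>[A-Z]+)\]")
SERVICE_PORTS = {"FTP": 21, "DNS": 53}  # ZoneAlarm names well-known ports instead of numbering them

def parse_zonealarm(text):
    """Return [(timestamp, source_ip, dest_port, flags)] from event/Time line pairs, in log order."""
    events, pending = [], None
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            num = re.match(r"TCP Port (\d+)", m["svc"])
            port = int(num[1]) if num else SERVICE_PORTS.get(m["svc"])
            pending = (m["ip"], port, m["flags"])
        elif line.startswith("Time:") and pending:
            ts = datetime.strptime(line[5:].strip(), "%m/%d/%Y %H:%M:%S")
            events.append((ts,) + pending)
            pending = None
    return events

def find_probes(events, window_s=60, min_ports=3):
    """Flag sources hitting >= min_ports distinct ports within window_s seconds; syn_fin marks SYN+FIN packets, which no normal TCP stack emits."""
    by_src = defaultdict(list)
    for ts, ip, port, flags in events:
        by_src[ip].append((ts, port, flags))
    findings = {}
    for ip, evs in by_src.items():  # events are chronological, so a forward window suffices
        for i, (t0, _, _) in enumerate(evs):
            burst = [e for e in evs[i:] if (e[0] - t0).total_seconds() <= window_s]
            ports = sorted({p for _, p, _ in burst})
            if len(ports) >= min_ports:
                findings[ip] = {"ports": ports, "span_s": (burst[-1][0] - t0).total_seconds(),
                                "syn_fin": any({"S", "F"} <= set(f) for _, _, f in evs)}
                break
    return findings
```

Run `find_probes(parse_zonealarm(SAMPLE_LOG))` to see the scanning source reported with its port set, burst duration and SYN+FIN marker, while the single benign hit is ignored.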
This archive was generated by hypermail 2b30 : Thu Apr 26 2001 - 09:08:01 PDT