Linux - Security: A scan Survey ??

raz 04-19-2001 10:44 AM

I was wondering what kind of scans other people on fixed IP's get per day from log files.

I have cut out all the scans from dubious sources over the last three days and resolved the company and location names.

My firewall is not a public website and I don't advertise it to anyone, yet I get quite a few different scans ranging from a simple ping the host to RPC portmapping checking.

Here's some interesting viewing 8-)
---- 16/04/01 ----
( Edmonton Community Network library in Edmonton, Alberta
"ICMP request"

( Middlebury College, Middlebury, Vermont
"ICMP request"

( Middlebury College, Middlebury, Vermont
"Tried to view website port"

( Korean Operations Research and Management Science Society; Seoul
"Tried to find DNS port"

( Exodus Communications Inc.SantaClara-8
"Tried to find DNS port"

( Universidad de Oviedo; Spain
"tried to find FTP port"

---- 18/04/01 ----
( "Lucent Technologies in China or Korea"
"RPC services scan"

( "Fatih University in Turkey"
"Scanned for DNS port"

( UCL London Uni eng/IT
"ICMP request"

( "T + S Datentechnik Freudenstadt Germany"
"Scanning for FTP port from DNS port"

( ?? some Korea site
"Scanned for portmapper services from high port 1023<"

( "Fusion Technology Group on the Wing.Net network"
"scanned for portmapper RPC from portmapper RPC port"

( "Hewlett-Packard Company"
"Icmp request"

( ASUK service ISP
"scanned for portmapper RPC from portmapper RPC port"
"system broken into at 2am 18th, ISP has shut it down now"

( "Korea Telecom ISP, Nanum information tech"
"scanned for FTP port"
"scanned for RPC mapper from RPC mapper"

Anyone else get the same kind of scans, or am I just a kiddy script magnet?


greatgatsby26 04-30-2001 03:42 PM

more log info
Hey, I saw you made some comment about enhancing the logging features. Well, I have telnet shut down but I run ssh. I use portsentry/iptables for my firewall on Mandrake 8 and I am pretty new to this Linux stuff. It really doesn't give me much info in /var/log/messages. How do I make that more descriptive? Thanks.

Also, what is a stealth port scan and what can they do with it?

raz 05-02-2001 03:32 AM

Unfortunately you won't get this much info in your log with a simple change to a config file.

You'll have to write an IDS (intrusion detection system) to do reverse lookups on the info that is logged in the messages file.

The one I wrote is in Perl and shell scripts.

A stealth scan is where someone does a half-open scan on your ports.

In simple terms, a normal TCP connection has a 3-way handshake; a stealth scan closes the connection before a handshake is confirmed, thus causing some detection systems not to log it. "Most new systems now log stealth scans"

The better method is a very very slow scan using normal TCP connections.
Or a massive scan with thousands of decoy addresses added. "This is what got the US Navy into thinking they were under attack from multiple organised hackers around the world, a few years back"
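The reply above describes an IDS that does reverse lookups on what the firewall writes to the messages file, and explains that a stealth scan never completes the handshake. The script below is an added example, not raz's Perl/shell IDS and not part of the thread: it parses the key=value lines that the iptables LOG target writes to /var/log/messages, annotates each packet the way the first post's survey does ("probed FTP port from DNS port", "ICMP echo request"), flags TCP packets that carry no SYN (FIN/NULL/ACK-style probes, the kind that start no handshake), and groups everything per source with a reverse lookup. The log lines, the IP addresses (documentation ranges) and the reverse-lookup table are all constructed; the resolver is injectable so the example runs offline, and `live_resolver` shows the `socket.gethostbyaddr` call you would plug in on a real box.

```python
"""Survey iptables LOG entries from /var/log/messages per source.

Added example; assumptions: the LOG target's key=value format, the
constructed SAMPLE_LOG below and the FAKE_PTR reverse-lookup table.
"""
import re
import socket
from collections import defaultdict

# Services the original survey called out, keyed by well-known port
PORT_NAMES = {21: "FTP", 53: "DNS", 80: "web", 111: "RPC portmapper"}

# Key=value fields emitted by the iptables LOG target
FIELD_RE = re.compile(r"\b(SRC|DST|PROTO|SPT|DPT|TYPE)=(\S+)")
# Bare TCP flag words the LOG target appends after RES=
FLAG_RE = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")
# syslog prefix as written by klogd: "Apr 18 02:11:05 host kernel:"
PREFIX_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:")

# Constructed sample of what the LOG target writes (documentation IP ranges);
# the sshd line is there to show non-firewall syslog entries being skipped
SAMPLE_LOG = """\
Apr 18 01:02:03 fw kernel: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.5 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=7 SEQ=1
Apr 18 01:05:44 fw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=1234 PROTO=TCP SPT=53 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 18 01:05:45 fw kernel: IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=49 ID=1235 PROTO=TCP SPT=53 DPT=53 WINDOW=1024 RES=0x00 SYN URGP=0
Apr 18 02:00:10 fw kernel: IN=ppp0 OUT= SRC=192.0.2.99 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=2 PROTO=TCP SPT=111 DPT=111 WINDOW=4096 RES=0x00 FIN URGP=0
Apr 18 02:00:11 fw kernel: IN=ppp0 OUT= SRC=192.0.2.99 DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=44 ID=3 PROTO=TCP SPT=111 DPT=111 WINDOW=4096 RES=0x00 URGP=0
Apr 18 02:03:00 fw sshd[412]: Accepted publickey for raz from 198.51.100.9 port 40012
"""

# Constructed reverse-lookup table standing in for real PTR records
FAKE_PTR = {
    "192.0.2.10": "lib.example-net.example",
    "203.0.113.7": "ns1.example-univ.example",
}


def fake_resolver(ip):
    """Offline stand-in for the reverse lookup."""
    return FAKE_PTR.get(ip, "unresolved")


def live_resolver(ip):
    """Reverse lookup on a real box (unused by the offline sample)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return "unresolved"


def parse_line(line):
    """Return a dict for one iptables LOG entry, or None for other syslog lines."""
    m = PREFIX_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(line))
    if "SRC" not in fields or "PROTO" not in fields:
        return None
    return {
        "ts": m.group(1),
        "src": fields["SRC"],
        "proto": fields["PROTO"],
        "spt": int(fields["SPT"]) if "SPT" in fields else None,
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,
        "icmp_type": int(fields["TYPE"]) if "TYPE" in fields else None,
        "flags": set(FLAG_RE.findall(line)),
    }


def describe(rec):
    """One-line annotation in the style of the first post's survey."""
    if rec["proto"] == "ICMP":
        return "ICMP echo request" if rec["icmp_type"] == 8 else f"ICMP type {rec['icmp_type']}"
    target = PORT_NAMES.get(rec["dpt"], f"port {rec['dpt']}")
    text = f"probed {target} port"
    if rec["spt"] in PORT_NAMES:
        text += f" from {PORT_NAMES[rec['spt']]} port"  # e.g. "from DNS port"
    if rec["proto"] == "TCP" and "SYN" not in rec["flags"]:
        # No SYN means no handshake was even started: FIN/NULL/ACK-style probe,
        # the category that older loggers keyed on connections never saw
        kind = "/".join(sorted(rec["flags"])) or "NULL"
        text += f" ({kind} packet, no handshake attempted)"
    return text


def survey(log_text, resolver=fake_resolver):
    """Group annotated hits per source, resolved to a name, like the post's list."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    report = []
    for src, recs in by_src.items():
        report.append({
            "src": src,
            "name": resolver(src),
            "hits": len(recs),
            "ports": sorted({r["dpt"] for r in recs if r["dpt"] is not None}),
            "notes": sorted({describe(r) for r in recs}),
        })
    return report


if __name__ == "__main__":
    for entry in survey(SAMPLE_LOG):
        print(f"( {entry['name']} [{entry['src']}] {entry['hits']} hits")
        for note in entry["notes"]:
            print(f'  "{note}"')
```

Run it against a real messages file by swapping `SAMPLE_LOG` for the file contents and passing `resolver=live_resolver`; the per-source `ports` list is also the place to watch for the very slow, one-port-at-a-time scans mentioned above, since those only become visible when hits from the same source are collected over days rather than read line by line.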

