LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
-   -   A scan Survey ?? (https://www.linuxquestions.org/questions/linux-security-4/a-scan-survey-1947/)

raz 04-19-2001 10:44 AM

People...
I was wondering what kind of scans other people on fixed IP's get per day from log files.

I have cut out all the scans from dubious sources over the last three days and resolved the company and location names.

My firewall is not a public website and I don't advertise it to anyone, yet I get quite a few different scans ranging from a simple ping the host to RPC portmapping checking.

Here's some interesting viewing 8-)
---- 16/04/01 ----
(fn2.freenet.edmonton.ab.ca) Edmonton Community Network library in Edmonton, Alberta
"ICMP request"

(goldencat.middlebury.edu) Middlebury College, Middlebury, Vermont
"ICMP request"

(goldencat.middlebury.edu) Middlebury College, Middlebury, Vermont
"Tried to view website port"

----17/04/01----
(203.247.218.1) The Korean Operations Research and Management Science Society; Seoul
"Tried to find DNS port"

(66.35.227.99) Exodus Communications Inc. SantaClara-8
"Tried to find DNS port"

(plp05.edv.uniovi.es) Universidad de Oviedo; Spain
"tried to find FTP port"

---- 18/04/01----
(211.237.86.173) "Lucent Technologies in China or Korea"
"RPC services scan"

(cengunix.ceng.fatih.edu.tr) "Fatih University in Turkey"
"Scanned for DNS port"

(wwws-a.ucl.ac.uk) UCL London Uni eng/IT
"ICMP request"

(dns1.tsfds.de) "T + S Datentechnik Freudenstadt Germany"
"Scanning for FTP port from DNS port"

(seosane.es.kr) ?? some Korea site
"Scanned for portmapper services from high port (>1023)"

(ns01.ftghome.com) "Fusion Technology Group on the Wing.Net network"
"scanned for portmapper RPC from portmapper RPC port"

(hpma901.external.hp.com) "Hewlett-Packard Company"
"ICMP request"

(hsi5.asuk.net) ASUK service ISP
"scanned for portmapper RPC from portmapper RPC port"
"system broken into at 2am 18th, ISP has shut it down now"

(203.232.4.4) "Korea Telecom ISP, Nanum information tech"
"scanned for FTP port"
"scanned for RPC mapper from RPC mapper"

Anyone else get the same kind of scans, or am I just a kiddy script magnet?

Cheers,
/Raz

greatgatsby26 04-30-2001 03:42 PM

more log info

Hey, I saw you make some comment about enhancing the logging features. Well, I have telnet shut down but I run ssh. I use portsentry/iptables for my firewall on Mandrake 8 and I am pretty new to this Linux stuff. It really doesn't give me much info in /var/log/messages. How do I make that more descriptive? Thanks.

Also, what is a stealth port scan and what can they do with it?

raz 05-02-2001 03:32 AM

Unfortunately you won't get this much info in your log with a simple change to a config file.

You'll have to write an IDS (intrusion detection system) to do reverse lookups on the info that is logged in the messages file.

The one I wrote is in Perl and shell scripts.

A stealth scan is where someone does a half-open scan on your ports.

In simple terms, a normal TCP connection has a 3-way handshake; a stealth scan closes the connection before the handshake is confirmed, thus causing some detection systems not to log it. "Most new systems now log stealth scans."

The better method is a very, very slow scan using normal TCP connections.
Or a massive scan with thousands of decoy addresses added. "This is what got the US Navy into thinking they were under attack from multiple organised hackers around the world, a few years back."

/Raz
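As an added example (not raz's Perl/shell IDS and not code from the thread), here is a small Python script that does what he describes: it parses iptables LOG lines out of /var/log/messages, reverse-resolves each source, and turns the ports into the plain-English verdicts used in the survey above. The log lines, the PTR answers and the "FW:" log prefix are constructed so the example runs offline.

```python
import re
from collections import defaultdict

# Constructed sample lines in the iptables LOG key=value format as they land in /var/log/messages.
# Addresses are documentation ranges and the "FW:" log prefix is an assumption, not from the thread.
SAMPLE_LOG = """\
Apr 18 02:11:07 gw kernel: FW: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.7 PROTO=TCP SPT=111 DPT=111 SYN
Apr 18 02:11:09 gw kernel: FW: IN=eth0 OUT= SRC=192.0.2.45 DST=198.51.100.7 PROTO=TCP SPT=3012 DPT=21 SYN
Apr 18 03:40:51 gw kernel: FW: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=ICMP TYPE=8 CODE=0
Apr 18 04:02:13 gw kernel: FW: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP SPT=53 DPT=21 SYN
Apr 18 05:15:00 gw kernel: FW: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.7 PROTO=UDP SPT=1025 DPT=53
"""
# Constructed PTR answers so the example runs offline; for real logs replace the dict lookup
# in reverse_lookup() with socket.gethostbyaddr(ip)[0] (wrapped in a try/except socket.herror).
FAKE_PTR = {"192.0.2.45": "dns1.example.net", "203.0.113.9": "ns01.example.org"}
# Well-known ports named the way the survey above names them.
SERVICE = {21: "FTP", 22: "SSH", 53: "DNS", 80: "website", 111: "portmapper RPC"}

def parse_line(line):
    """Return the key=value fields of one iptables LOG line, or None for any other syslog line."""
    if "IN=" not in line or "SRC=" not in line:
        return None
    return dict(re.findall(r"(\w+)=(\S*)", line))

def describe(fields):
    """Turn one parsed packet into a one-line verdict like the ones in the survey."""
    if fields.get("PROTO") == "ICMP":
        return "ICMP echo request" if fields.get("TYPE") == "8" else "ICMP type " + fields.get("TYPE", "?")
    dpt, spt = int(fields["DPT"]), int(fields["SPT"])
    verdict = "scanned for " + SERVICE.get(dpt, "port %d" % dpt)
    if spt in SERVICE:  # a service port used as the *source* port is itself worth recording
        verdict += " from %s port" % SERVICE[spt]
    return verdict

def reverse_lookup(ip, table=FAKE_PTR):
    """Reverse-resolve ip, falling back to the bare address when there is no PTR record."""
    return table.get(ip, ip)

def survey(log_text, table=FAKE_PTR):
    """Group verdicts per source, keyed 'hostname (ip)' like the thread's report."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields:
            host = reverse_lookup(fields["SRC"], table)
            key = host if host == fields["SRC"] else "%s (%s)" % (host, fields["SRC"])
            report[key].append(describe(fields))
    return dict(report)
```

Running `survey(SAMPLE_LOG)` over a real messages file with the socket-based lookup gives the same per-source listing as the survey in the first post, with one line per logged packet.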
