Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Hey, I got this from my Apache log. I am not sure what this is, but it's a broadband connection that has open and unfiltered ports. My static IP has no domain name, so he must have found my personal testing server with a port scan. What should I do? (evil grin)
doncha love Microsoft IIS scans on an Apache box
I personally like to increase my hands on education by getting to know some of the errant systems that make silly scans like this. Not advocating a hack attempt, just saying you may need to educate yourself at the expense of the offending system.
Everyone that runs a public webserver (including myself) collects logs full of this crap. I don't think these are actually active script-kiddie attacks, just zombie PCs with no human interaction hammering away at whatever box they can find.

Clearly trying to exploit a Windows box. Seems to me any script kiddie that isn't a *total* idiot will be able to figure out quite easily the OS of his target, which leads me to believe that it is a zombie PC launching these "attacks".

The upshot of this is that you can spend 12 hours a day manually tracking down and blocking IP addresses, and all you really accomplish is blocking an IP, or block of IPs, used by some fool that doesn't know his wintendo box is full of viruses.

My advice: just ignore, and be thankful you run Linux. If you want to sort all this cruft out of your logs just do something like:
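One way to sort that cruft out of an Apache access log, as an added example that is not code from this thread: the sample log lines, IP addresses and the probe patterns (cmd.exe/root.exe requests, default.ida, encoded backslash traversal) are constructed for illustration, and the function names are my own.

```python
import re
from collections import Counter

# Constructed Apache combined-log sample: two legitimate hits from 10.0.0.5
# and four automated IIS/Windows probes from two other addresses.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2004:10:01:22 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
192.0.2.17 - - [12/Mar/2004:10:02:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
192.0.2.17 - - [12/Mar/2004:10:02:04 +0000] "GET /default.ida?XXXXXXXXXXXXXXXXXXXX HTTP/1.0" 404 288 "-" "-"
192.0.2.17 - - [12/Mar/2004:10:02:05 +0000] "GET /_vti_bin/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
10.0.0.5 - - [12/Mar/2004:10:03:10 +0000] "GET /docs/setup.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Mar/2004:10:04:44 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 288 "-" "-"
"""

# Fields of the Apache combined log format that we care about.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)

# Request strings characteristic of worm/scanner probes aimed at IIS.
# On an Apache box none of these paths exist, so they are pure noise.
IIS_PROBE_RE = re.compile(
    r'(cmd\.exe|root\.exe|default\.ida|/_vti_bin/|/MSADC/'
    r'|%(25)?5c|%c[01]%[0-9a-f]{1,2})',
    re.IGNORECASE,
)


def parse_line(line):
    """Return the ip/request/status of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "request": m.group("req"), "status": int(m.group("status"))}


def is_iis_probe(request):
    """True when the request line looks like an automated IIS/Windows probe."""
    return IIS_PROBE_RE.search(request) is not None


def split_log(text):
    """Separate a log into (clean lines, probe count per source IP, unparsed lines)."""
    clean, probes, unparsed = [], Counter(), []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)      # keep malformed lines visible, never drop silently
        elif is_iis_probe(rec["request"]):
            probes[rec["ip"]] += 1     # tally the noise per source instead of reading it
        else:
            clean.append(line)
    return clean, probes, unparsed
```

Run against a real access_log, the probe tally tells you at a glance which sources are just infected drones while the clean list is what is actually worth reading.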
Whoever this is, they're not smart leaving all these ports open.
Host (202.25.234.188) appears to be up ... good.
Initiating SYN Stealth Scan against (202.25.234.188)
Adding open port 6666/tcp
Adding open port 1025/tcp
Adding open port 21/tcp
Adding open port 49400/tcp
Adding open port 7007/tcp
Adding open port 443/tcp
Adding open port 80/tcp
Adding open port 6667/tcp
Adding open port 6668/tcp
Adding open port 2301/tcp
Adding open port 1026/tcp
The SYN Stealth Scan took 21 seconds to scan 1601 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on (202.25.234.188):
(The 1583 ports scanned but not shown below are in state: closed)
Port State Service
21/tcp open ftp
25/tcp filtered smtp
80/tcp open http
135/tcp filtered loc-srv
139/tcp filtered netbios-ssn
443/tcp open https
445/tcp filtered microsoft-ds
593/tcp filtered http-rpc-epmap
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1720/tcp filtered H.323/Q.931
2301/tcp open compaqdiag
4444/tcp filtered krb524
6666/tcp open irc-serv
6667/tcp open irc
6668/tcp open irc
7007/tcp open afs3-bos
49400/tcp open compaqdiag
Remote operating system guess: Windows XP Professional RC1+ through final release
TCP Sequence Prediction: Class=random positive increments
Difficulty=9223 (Worthy challenge)
IPID Sequence Generation: Incremental
Nmap run completed -- 1 IP address (1 host up) scanned in 27 seconds
And now you know why they are scanning you. They were owned a long time ago and, as bulliver said, he's now a hapless drone.
I too see these in my logs and used to make the effort, when I was bored, to try to contact the server owner... that's a lot of work for little to no value IMHO. Just make sure you are patched and ignore it.