Re: Anyone Else Getting Hits Like This ?


Subject: Re: Anyone Else Getting Hits Like This ?
From: FeLoNiouS MoNK (codered@gci.net)
Date: Sat Mar 02 2002 - 08:04:10 AKST


i also run portsentry .. i only run the -stcp <stealth tcp> attribute
though.. what this does is sets up a trip wire so that when someone scans your
box and hits certain ports <you can set up and change these ports if you
want> then it AUTOMATICALLY adds their ip address to /etc/hosts.deny and
when it adds them it does all:ip.address.here .. so it's a general block. i
really like it.. only problem is if you are runnin a hardware firewall ..
you would want to check to see which ports you set up as the trip wire so
you can open those ports up too on your router or whatever .... anywayz ..
here's a warning for all on alaska.net/ak.net. day before yesterday there
were some guys scanning my subnet <ak.net> looking for people running
WU-FTP... we all know all ver's have major MAJOR vuln.'s but for some people
who are just starting out . heed the warning.. if you have it running, stop
it and remove it.. laterz....
-oh and btw, i'm supposed to be getting briefed this weekend on some new
exploits out there that haven't gone mainstream yet... if i find the time to
hook up wit the guys .. i will pass the info on to this lug..
---First rule of AKLuG, what i say in the lug..stays in the lug!--- ps -aux
| grep FeLoN_MoNK > crazy.txt

----- Original Message -----
From: "Mark Weisman" <mweisman@gci.net>
To: <aklug@aklug.org>
Sent: Saturday, March 02, 2002 1:45 AM
Subject: RE: Anyone Else Getting Hits Like This ?

>
> As far as the logging goes, I'm not the one to ask. But if you're
> nervous about problems, the two products that I installed on mine were
> "portsentry" and "hostsentry". Fairly simplistic installs, and although
> may offer more logging than just letting a request for an .exe file
> bounce around your box for a while.
>
> Thank you,
> Mark-Nathaniel Weisman MCP, CNA, A+, MOUS MI
> Network Systems Administrator
> Career Academy MIS Department
> Anchorage, AK
>
> -----Original Message-----
> From: aklug-bounce@aklug.org [mailto:aklug-bounce@aklug.org] On Behalf
> Of Jon
> Sent: Friday, March 01, 2002 8:43 PM
> To: W.D.McKinney
> Cc: aklug@aklug.org
> Subject: Re: Anyone Else Getting Hits Like This ?
>
>
>
> I'm getting that also, is there a way to block it?
>
> Jon
>
> On Wed, 2002-02-27 at 18:14, W.D.McKinney wrote:
> >
> > Yes, just wondering how prolific it is still :-)
> >
> > "Jason C. Neumann" <lister@geekvenue.net> wrote:
> > >
> > > My site's logging quite a few. I believe it's our good 'ol friend
> > > nimda or similar.
> > >
> > > -Jason
> > >
> > > > 209.34.27.7 - - [27/Feb/2002:08:31:47 -0900] "GET
> > > > /scripts/root.exe?/c+dir
> > > HTTP/1.0" 404 278
> > > > 209.34.27.7 - - [27/Feb/2002:08:31:48 -0900] "GET
> > > > /MSADC/root.exe?/c+dir
> > > HTTP/1.0" 404 276
> > > > 209.34.27.7 - - [27/Feb/2002:08:31:50 -0900] "GET
> > > /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
> > > > 209.34.27.7 - - [27/Feb/2002:08:31:51 -0900] "GET
> > > /d/winnt/system32/cmd.exe?/c+dir HTTP/1.0"
> > >
> >
> >
> > --
> > W.D.McKinney (Dee)
> > (907)349-4308 (Office)
> > (907)349-2226 (Fax)
> > http://3519098920
> >
> >
> >
>
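
An added example, not part of the original thread or of portsentry: a small log filter that counts the root.exe/cmd.exe probes quoted above per source address and prints entries in the ALL: ip.address form described for /etc/hosts.deny. The threshold and allowlist parameters and the last two sample log lines are constructed for illustration; note that hosts.deny is consulted only by services that use TCP wrappers, so the web server itself may need a separate filter.

```python
import re
from collections import Counter

# Apache common log format: host ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')
# Probe paths seen in the thread's log excerpt (requests for root.exe / cmd.exe)
PROBE_RE = re.compile(r'/(root|cmd)\.exe(\?|$)', re.IGNORECASE)

# First three lines are from the excerpt in this thread; the last two are
# constructed (documentation-range addresses) to show non-matching traffic.
SAMPLE_LOG = """\
209.34.27.7 - - [27/Feb/2002:08:31:47 -0900] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278
209.34.27.7 - - [27/Feb/2002:08:31:48 -0900] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276
209.34.27.7 - - [27/Feb/2002:08:31:50 -0900] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 286
192.0.2.10 - - [27/Feb/2002:08:32:05 -0900] "GET /index.html HTTP/1.0" 200 1043
198.51.100.23 - - [27/Feb/2002:08:33:10 -0900] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 278
"""


def probe_counts(log_text):
    """Return a Counter mapping source IP -> number of root.exe/cmd.exe requests."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and PROBE_RE.search(m.group(3)):
            counts[m.group(1)] += 1
    return counts


def hosts_deny_lines(counts, threshold=2, allowlist=()):
    """Build 'ALL: ip' entries for sources with at least `threshold` probes.

    `allowlist` (hypothetical parameter) holds addresses that must never be
    blocked, e.g. your own gateway or monitoring host.
    """
    return [f"ALL: {ip}" for ip, n in sorted(counts.items())
            if n >= threshold and ip not in allowlist]


if __name__ == "__main__":
    # Print candidate entries for review; nothing is written to /etc/hosts.deny.
    for entry in hosts_deny_lines(probe_counts(SAMPLE_LOG)):
        print(entry)
```
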



This archive was generated by hypermail 2a23 : Sat Mar 02 2002 - 08:03:42 AKST