On Monday 28 October 2002 11:59 pm, Jean Christophe ANDRÉ wrote:
> Tom Cook wrote:
> > What the....
> > What's wrong with 'lsof -i :111' and 'lsof -i :16001'?
>
> Nothing wrong with it! :)
>
> > It tells you precisely what's attempting to connect...
>
> Yes, except in his case there is no connection since there is no installed
> daemon on this port, only some connection attempts he is trying to track.
>
> So my solution is just to provide a mini-daemon allowing connecting and so
> tracking. Use netstat or lsof in /root/spy.sh as you want. I'm just used to
> using netstat so I gave an example with netstat, but you can use lsof instead
> of course! :)
>
> Cheers, J.C.

way overkill. 16001 isn't being scanned and 111 is the most common target after 25. you're suggesting that the guy turn his server into a honeypot--to what end? disable portmap and nothing can get at 111. there's a difference between simply securing a box and assuming a role as cyber-detective. the former solves the problem, the latter has no end.

ben