could you please send me your addbad script, I think something like that
would be quite useful :) I was compromised a while ago by rpc.statd too.
thanks...
On Mon, 22 Jan 2001, Michael H. Warfield wrote:
> On Mon, Jan 22, 2001 at 08:24:36AM -0600, Dave Ihnat wrote:
> > On Mon, Jan 22, 2001 at 08:13:50AM -0500, Burke, Thomas G. wrote:
> > > I've been noticing a _lot_ of scans against ports 21 & 111 in the last
> > > couple of weeks. Do ya think this might be the result of the ramen worm?
>
> > Those are standard ports for scans--yah, the frequency just went
> > up a bit, so I figure somebody in the cracker warrens must have
> > just posted or written an article about "common ports" or somesuch.
> > Upswing in 21,23,111,515, with a smattering of others thrown in, and
> > the ever-present 137 and 139. No consistent source to the probes,
> > and not enough additional probes to raise alarm.
>
> Ports 21 and 111 are characteristic of Ramen, which is a self
> propagating worm attacking RedHat 6.2 and 7.0 systems. Some sites
> are detecting floods of port 21 Syn requests as a result of infected
> systems.
>
> > Have fun with it. I have my box set up to notify me on-line when
> > I'm logged in. Then, if it's a series--you know, they poke at
> > 137,139,21,23,25, 110,111, etc. in some order from the same place--
> > before I run my 'addbad' script to block everything from their IP address,
> > I poke back at ports on their IP address with the same port order.
>
> Be extremely cautious about doing that! The "ramen worm" is
> certainly the cause for the increase in port 21 and 111 probes and
> your counterprobe will have no influence on it, but there are other
> scans going on out there that are different. If you counterprobe
> a system back, you have just tipped off the scanner that 1) there is
> a valid system at this address of interest and 2) that system is
> running some sort of detections and countermeasures (making it even more
> interesting). That's often enough for one of these automated parallel
> scanners to flag your address and log it as something interesting for
> deeper, more personal investigation by the attacker himself.
>
> In other words... Even by merely probing a system back that is
> scanning your ports, you may end up getting some unwanted attention from
> someone whom you would just as soon not know you even exist. Then you
> have a problem.
>
> My systems detect port scanning and simply shut down the firewall
> to the scanner. My entire /19 address space goes dark and the automated
> scanner leaves with the conclusion that there is nothing there. It
> finds nothing to log and wanders on into the night. :-)
>
> Food for thought.
>
> > Their IP address usually suddenly disappears from the 'Net after the
> > 2nd or third reverse port probe.
>
> > Cheers,
> > --
> > Dave Ihnat
> > [EMAIL PROTECTED]
>
> Mike
>
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
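The detect-then-block idea discussed in this thread, as an added example that is neither Dave's 'addbad' script nor Mike's firewall setup: it parses constructed log lines, flags a source that hits several distinct ports within a short window (the 137,139,21,23,25,110,111 pattern Dave describes), and emits a block rule instead of probing back. The `SRC=/DPT=` log format, the thresholds and the use of iptables are assumptions.

```python
"""Port-scan detector that emits firewall block rules (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the thread): "<ISO time> SRC=<ip> DPT=<port>".
# 192.0.2.10 walks the classic port list in seconds; 198.51.100.7 sends two
# unrelated probes 18 minutes apart, which should not be treated as a scan.
SAMPLE_LOG = """\
2001-01-22T08:10:01 SRC=192.0.2.10 DPT=137
2001-01-22T08:10:02 SRC=192.0.2.10 DPT=139
2001-01-22T08:10:02 SRC=192.0.2.10 DPT=21
2001-01-22T08:10:03 SRC=192.0.2.10 DPT=23
2001-01-22T08:10:03 SRC=192.0.2.10 DPT=25
2001-01-22T08:10:04 SRC=192.0.2.10 DPT=110
2001-01-22T08:10:04 SRC=192.0.2.10 DPT=111
2001-01-22T08:12:00 SRC=198.51.100.7 DPT=21
2001-01-22T08:30:00 SRC=198.51.100.7 DPT=111
"""

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DPT=(\d+)$")


def parse_log(text):
    """Return (timestamp, source_ip, dest_port) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))))
    return events


def find_scanners(events, min_ports=5, window=timedelta(minutes=5)):
    """Map source IP -> sorted ports for sources hitting >= min_ports distinct ports within window."""
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological; each hit is tried as the start of a window
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                scanners[src] = sorted(ports)
                break
    return scanners


def block_rules(scanners):
    """Emit one iptables rule per flagged source (assumed tooling; print, review, then apply)."""
    return [f"iptables -I INPUT -s {src} -j DROP" for src in sorted(scanners)]
```

Run over a real firewall log, the rules are best written to a file and reviewed before loading, since a spoofed source address would otherwise let a scanner block an address of its choosing.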