[ale] Unusual scans
- Subject: [ale] Unusual scans
- From: jasonday at worldnet.att.net (Jason Day)
- Date: Fri, 22 Aug 2003 10:44:50 -0400

On Fri, Aug 22, 2003 at 09:35:07AM -0400, Jonathan Rickman wrote:
> On Thursday 21 August 2003 17:18, Jason Day wrote:
> > I'm seeing a lot of port scans today and yesterday to port 1 on my
> > firewall box. Anybody know what this might be? What service binds to
> > port 1?
>
> How are you detecting them? Do you have a packet capture?

I'm using portsentry and ipchains. Sorry, no packet capture. Here's a
sample log entry:

Aug 21 19:25:34 spiderman portsentry[344]: attackalert: TCP SYN/Normal
scan from host: 24.92.223.189/24.92.223.189 to TCP port: 1
Aug 21 19:25:34 spiderman portsentry[344]: attackalert: Host
24.92.223.189 has been blocked via wrappers with string: "ALL:
24.92.223.189 : DENY"
Aug 21 19:25:34 spiderman portsentry[344]: attackalert: Host
24.92.223.189 has been blocked via dropped route using command:
"/sbin/ipchains -I input -s 24.92.223.189 -j REJECT"

Note that when I say "a lot", I mean like 10 in a day. I'm just on a
cable modem, and I'm fortunate enough to apparently only get the
standard script kiddie scans. But 10 scans to port 1 is unusual enough
that I thought I'd ask around.

Haven't seen any today, though...

--
Jason Day                      jasonday at worldnet dot att dot net
http://jasonday.home.att.net
"Of course I'm paranoid, everyone is trying to kill me."
-- Weyoun-6, Star Trek: Deep Space 9
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
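
Added example, not part of the original post and not portsentry's own code: one way to tally portsentry "attackalert" scan entries per destination port and source host, so that a burst like the port 1 scans above stands out from the daily background. It assumes the log line layout shown in the post; apart from the first alert, which is the one quoted in the post, the sample entries are constructed and use documentation addresses.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the first two records are quoted from the post (wrapped
# as in the mail); the other hosts are made-up documentation addresses.
SAMPLE_LOG = """\
Aug 21 19:25:34 spiderman portsentry[344]: attackalert: TCP SYN/Normal
scan from host: 24.92.223.189/24.92.223.189 to TCP port: 1
Aug 21 19:25:34 spiderman portsentry[344]: attackalert: Host
24.92.223.189 has been blocked via wrappers with string: "ALL:
24.92.223.189 : DENY"
Aug 21 20:02:11 spiderman portsentry[344]: attackalert: TCP SYN/Normal scan from host: 192.0.2.17/192.0.2.17 to TCP port: 1
Aug 21 21:40:03 spiderman portsentry[344]: attackalert: TCP SYN/Normal scan from host: 198.51.100.8/198.51.100.8 to TCP port: 111
Aug 21 22:15:47 spiderman portsentry[344]: attackalert: TCP SYN/Normal
scan from host: 192.0.2.17/192.0.2.17 to TCP port: 1
"""

# A new syslog record starts with "Mon DD HH:MM:SS host tag[pid]: ".
RECORD_START = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \S+ \S+\[\d+\]: ")
SCAN = re.compile(
    r"^(?P<ts>\w{3} [ \d]\d [\d:]{8}) \S+ portsentry\[\d+\]: attackalert: "
    r"(?P<kind>.+?) scan from host: (?P<name>\S+)/(?P<ip>\S+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)

def unwrap(text):
    """Re-join records that were wrapped across several lines."""
    records = []
    for line in text.splitlines():
        if RECORD_START.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Return {(proto, port): Counter(source_ip -> alert count)}."""
    hits = defaultdict(Counter)
    for record in unwrap(text):
        m = SCAN.match(record)
        if m:  # "has been blocked" records are responses, not scans: skipped
            hits[(m["proto"], int(m["port"]))][m["ip"]] += 1
    return hits

if __name__ == "__main__":
    for (proto, port), sources in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{proto}/{port}: {sum(sources.values())} alerts, {dict(sources)}")
```

Many distinct sources hitting the same port within a short window usually points to an automated sweep rather than one curious host.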