Re: When not to log
From: Joe (joe@jretrading.com) Date: 05/10/02
- Next message: Tim Haynes: "Re: When not to log"
- Previous message: Luke Vogel: "Re: Panic! Who is vcsa?"
- In reply to: Tim Haynes: "Re: When not to log"
- Next in thread: Tim Haynes: "Re: When not to log"
- Reply: Tim Haynes: "Re: When not to log"
From: Joe <joe@jretrading.com> Date: Fri, 10 May 2002 22:44:08 +0100
In article <86pu03ixa8.fsf@potato.vegetable.org.uk>, Tim Haynes
<usenet@stirfried.vegetable.org.uk> writes
>Joe <joe@jretrading.com> writes:
>
>> >Agreed; as stated it's highly unlikely that merely surfin' the web would
>> >attract scans.
>>
>> <snip>
>>
>> Maybe not scans, but almost all of the attempted contacts I get seem to
>> occur within a second or so of accessing a new website. Maybe it's
>> coincidence. I dial up for a total of perhaps half an hour a day, and
>> never get any probes during the 5-20 minutes of collecting mail and news,
>> which is all I do most days.
>
>In that case, see what I said about dynamic IP#s.
Demon. Static IP for over 5 years.
>
>> I've never been scanned as such, but nearly all of the probes are for
>> web, telnet, ssh, portmapper and netbeui.
>
>Netbeui??? That's a new one. So new, I'll assume you mean netbios...
It's a Windows thing. Netbios Extended User Interface. Not routable
until run over TCP/IP. Never intended for anything other than local
networking.
>
>> Mostly the usual suspects, with some nntp and the occasional ntp. Now and
>> then one I have to look up. Oddly, very few smtp, imap or pop. Usually in
>> threes, and, as I say, nearly all immediately after contacting a website
>> for the first time. Not dodgy ones, either, mostly links from Google to
>> hardware or software sites.
>
>Why not run the logs through fwlogwatch so you can at least categorise
>per-IP per-port per-flag-combination?
I'm currently using Win9*/personal fw on the Net. It only logs s & d IP,
port and hostname where discoverable.
>
>Hint: if you're getting resets back from someone's port 80, it's 99% likely
>you're looking for a webserver where there isn't one.
Connection from unprivileged to my 80?
>
>Hint2: if you're getting SYN packets in triplets then it's other people
>running a connect() call against you. If you get them in ones, you're being
>scanned for a particular service open.
Mostly threes.
>
>Hint3: if you get ICMP 8/0 pings, either you're being pinged and/or you're
>blocking PMTU attempts.
I'm not returning pings but am replying to some ICMP/IGMP.
>
>Hint4: if you dialup with dynamic IP, you can safely expect to get a pile
>of crap at the start of your connection related to things the previous
>incumbent of the IP# was doing. Stick around longer - at least half an hour
>or more - and watch them drop off.
You didn't read it, did you? Half an hour getting mail/news: nothing.
Connect to a web server 5 minutes later and an immediate (less than 5
seconds) attempt at e.g. nntp access follows. But it's a static IP
anyway.
I'm not worried about it, I just thought I'd throw it into a
conversation where any possible connection between browsing and probes
received was being denied. I'm certain there's some link a lot of the
time. Is it impossible for a compromised web server to pass client IPs
back to its owner? Would this not be a good way for a cracker to harvest
active, on-line IPs?
-- Joe
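The rules of thumb in the quoted hints (RST from a remote port 80, SYNs in threes versus ones, ICMP 8/0) and Joe's "probe within five seconds of a web visit" observation can both be checked mechanically over a firewall log. The script below is an added example, not code from either poster and not fwlogwatch; since the Win9x personal firewall's log format is not shown in the thread, it assumes a hypothetical "date time proto src:sport -> dst:dport flags" line format, and the log lines, addresses and browsing timestamps are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed inbound-firewall log lines (not from the original post). The line
# format is a hypothetical one; the trailing field is TCP flags or ICMP type/code.
SAMPLE_LOG = """\
2002-05-10 22:10:03 TCP 198.51.100.7:2049 -> 203.0.113.5:119 S
2002-05-10 22:10:06 TCP 198.51.100.7:2049 -> 203.0.113.5:119 S
2002-05-10 22:10:12 TCP 198.51.100.7:2049 -> 203.0.113.5:119 S
2002-05-10 22:20:30 TCP 198.51.100.44:80 -> 203.0.113.5:4321 RA
2002-05-10 22:25:00 TCP 192.0.2.99:53211 -> 203.0.113.5:22 S
2002-05-10 22:30:00 ICMP 192.0.2.77 -> 203.0.113.5 8/0
"""

# Constructed timestamps of our own first visits to new web sites (assumed to come
# from a browser history or an outbound-connection log; embedded inline here).
BROWSING_EVENTS = [
    datetime(2002, 5, 10, 22, 10, 0),
    datetime(2002, 5, 10, 22, 24, 58),
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))? "
    r"(?P<extra>\S+)$"
)


def parse_log(text):
    """Parse the log text into event dicts, silently skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "proto": d["proto"],
            "src": d["src"],
            "sport": int(d["sport"]) if d["sport"] else None,
            "dst": d["dst"],
            "dport": int(d["dport"]) if d["dport"] else None,
            "extra": d["extra"],
        })
    return events


def classify(events, retry_window=timedelta(seconds=30)):
    """Group events per (src, proto, sport, dport) and label each group using
    the thread's rules of thumb:
      - TCP RST from remote port 80: a reply to our own connect attempt (Hint1)
      - 3+ SYNs from one source port within retry_window: connect() retries (Hint2)
      - a lone SYN: a single probe for one service (Hint2)
      - ICMP 8/0: an echo request (Hint3)
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["proto"], e["sport"], e["dport"])].append(e)
    result = {}
    for key, evs in groups.items():
        _src, proto, sport, _dport = key
        evs.sort(key=lambda e: e["ts"])
        if proto == "ICMP" and evs[0]["extra"] == "8/0":
            label = "echo_request"
        elif proto == "TCP" and "R" in evs[0]["extra"] and sport == 80:
            label = "rst_from_webserver"
        elif proto == "TCP" and all(e["extra"] == "S" for e in evs):
            span = evs[-1]["ts"] - evs[0]["ts"]
            if len(evs) == 1:
                label = "single_probe"
            elif len(evs) >= 3 and span <= retry_window:
                label = "connect_retry_burst"
            else:
                label = "repeated_syn"
        else:
            label = "other"
        result[key] = {"label": label, "count": len(evs), "first": evs[0]["ts"]}
    return result


def correlate_with_browsing(events, browsing, window=timedelta(seconds=5)):
    """Return the events that arrived within `window` after one of our own
    browsing events; their share of all inbound events is a crude test of the
    'probes follow web visits' observation."""
    hits = []
    for e in events:
        if any(timedelta(0) <= e["ts"] - b <= window for b in browsing):
            hits.append(e)
    return hits


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for key, info in classify(events).items():
        print(key, info["label"], info["count"])
    hits = correlate_with_browsing(events, BROWSING_EVENTS)
    print(f"{len(hits)} of {len(events)} inbound events within 5s of a web visit")
```

With the constructed data, the three SYNs to port 119 from one source port nine seconds apart are labelled as connect() retries rather than a scan, the lone SYN to port 22 as a single probe, and only those two groups fall inside five seconds of a browsing event; a real log would need the parser adapted to the firewall's own format, and many days of data before the correlation meant anything.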