> > These are both trojans. We block these ports at the MOREnet link at
> > UMC. IIRC, one is Sub7 and the other is NetBus.
>
> You have a good strategy there. Here's my question: Why am I suddenly
> getting so many attempts on these ports? I mean, things have gone totally
> nuts in the last week. Here are the numbers:
>
> Oct 5 - Jun 4: 173 attempts on port 27374
> Jun 5 - now: 296 attempts on port 27374
>
> Oct 5 - Jun 4: 10 attempts on port 12345
> Jun 5 - now: 287 attempts on port 12345
>
> You see the problem. The rate of attacks on port 12345 has increased by a
> factor of approximately 1,100 times in the past week over the preceding
> 8-month baseline. I think it means that something has really gone haywire
> out there!

I hate to say this, but...
<shrug> Who knows why they're increasing. It happens every now and then that a new bunch of script kiddies gets their hands on some k-r4d t00lz and starts screwing around with them. You might want to try to keep a log of the source IPs in the scanning attempts. Run them through a Perl script to look for the ones that show up over and over. Contact their ISPs at the EMAIL:PROTECTED address and see if they'll help you out.
AND... set up iptables rules to drop and log traffic to these ports, of course. :-)
But judging by what I see on intrusions-l, rashes of different scans appear from time to time. It's usually more of a localized social quirk than a widespread problem. (usually...)
--J
--
To unsubscribe, go to http://mlug.missouri.edu/members/edit.php
Archives are available at http://mlug.missouri.edu/list-archives/
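
The source-IP tally suggested in the reply above, as an added example that is not part of the original post, written in Python rather than the Perl the poster mentions. It assumes the probes are logged by an iptables LOG rule with the hypothetical prefix `TROJAN-PROBE: `; the sample log lines are constructed, abbreviated, and use documentation-range addresses.

```python
import re
from collections import Counter, defaultdict

# Ports named in the thread: 27374 and 12345 (Sub7 / NetBus).
WATCHED_PORTS = {27374, 12345}

# Assumption: the firewall logs, then drops, with rules such as
#   iptables -A INPUT -p tcp -m multiport --dports 12345,27374 \
#            -j LOG --log-prefix "TROJAN-PROBE: "
#   iptables -A INPUT -p tcp -m multiport --dports 12345,27374 -j DROP
LOG_PREFIX = "TROJAN-PROBE: "  # hypothetical prefix, not from the post
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs in a LOG line

def parse_line(line):
    """Return (src_ip, dst_port) for a logged probe, else None."""
    if LOG_PREFIX not in line:
        return None  # unrelated syslog entry
    fields = dict(FIELD_RE.findall(line.split(LOG_PREFIX, 1)[1]))
    try:
        port = int(fields["DPT"])
    except (KeyError, ValueError):
        return None  # truncated entry or a protocol without ports
    src = fields.get("SRC")
    if not src or port not in WATCHED_PORTS:
        return None
    return src, port

def repeat_offenders(lines, min_hits=2):
    """List (source, hits, ports probed) for sources seen >= min_hits times."""
    hits, ports = Counter(), defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            hits[parsed[0]] += 1
            ports[parsed[0]].add(parsed[1])
    return [(src, n, sorted(ports[src]))
            for src, n in hits.most_common() if n >= min_hits]

# Constructed sample input (fields abbreviated), not real traffic.
SAMPLE_LOG = """\
Jun 10 03:14:07 gw kernel: TROJAN-PROBE: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3456 DPT=27374 SYN
Jun 10 03:14:09 gw kernel: TROJAN-PROBE: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3457 DPT=12345 SYN
Jun 10 04:20:11 gw kernel: TROJAN-PROBE: IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 PROTO=TCP SPT=1044 DPT=12345 SYN
Jun 11 01:02:03 gw kernel: TROJAN-PROBE: IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3460 DPT=12345 SYN
Jun 11 01:05:00 gw sshd[812]: Accepted publickey for admin from 198.51.100.9 port 50022
Jun 11 02:00:00 gw kernel: TROJAN-PROBE: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.5 LEN=48
"""

if __name__ == "__main__":
    for src, n, probed in repeat_offenders(SAMPLE_LOG.splitlines()):
        print(f"{src}\t{n} probes\tports {probed}")
```

Sources that recur across days and probe both ports are the ones worth reporting to the owning ISP; raise `min_hits` on a busy link to cut one-off noise.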