> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Aaron C. Springer
> Sent: Thursday, February 17, 2000 8:49 PM
> To: Michael E. Cummins
> Cc: Firewalls Mailing List
> Subject: RE: Someone is scanning me right now
>
>
> What is the difference between him scanning you and you..
>
> > ; out of
> > curiosity, I tried connecting to this IP on 21; 80; 119; etc. just to see if
> > I would get any return info
>
>
>
> acs
*grin*

Well, for one thing.. I was looking for information on the darkly-garbed
virtual fellow who was sniffing around outside my front door. He was
looking to see if I had been infected with the NetBus Pro or Backdoor G-1
trojans. This is an assumption; my logs read:

    INBOUND TCP CONNECTION 2/17/00 18:12:28.233
    Local Address: Service is xxx.xxx.xxx.xxx, Backdoor-g-1
    Remote Address: 195.158.132.218,1103

There were numerous attempts in a minute or two, with each attempt
identifying itself as either Backdoor-g-1 or NetBus-Pro.

I was a little startled as this is my *home* computer, which connects to the
internet via Dynamic IP 56k dialup.

Most likely he was some kind of script kiddie in Germany who was up late
trying out his latest warez scanner.

For all I know it may have been some altruistic individual looking for
people who were vulnerable.

This may sound absurd, but 2 years ago I was a local WAN administrator in
Northern California. It wasn't much of a WAN, it probably barely qualified.
Three small peer-to-peer networks about 75 miles apart from each other with
remote desktops on the other LANs. One of the LANs was responsible for
accounting. One day, the sysadmin of this particular LAN received an
e-mail from a "Security Firm" in Norway that had discovered he was infected
with BO. They demonstrated his vulnerability by describing all of the
shares on his network, locations of some of his more important files, and
hell.. They sent him mail in the first place!

Now, I don't know about you, but things like that make me very nervous. I
could care less about the intentions of the intruder, and I have no way to
measure them regardless. Last night someone was sniffing at my front door.
But.. Like one fellow earlier remarked, "So What?"

If I had a static IP and was running a webserver, I would probably be
getting multiple scans each day. What "is" the appropriate response?
Should I pop off a short e-mail to the assumed provider and forget about it?
Should I take any action at all? Should I just assume that being connected
to the Internet involves attention like this and quietly buckle down as best
I can? What do *you* do?

I fired off a *very* short note to the related provider that informed him
what my logs revealed and now it is over. Maybe they could care less. I'm
just happy that my firewall worked.

Michael E. Cummins