It's always possible that this is not a portscan; the remote users may have misconfigured something or have been given a bad IP address. (I.e., someone may have put your address into a file swap database or something similar.) Anyway, John B. has a point that sometimes you can just ignore this kind of problem.
Regards,
Dustin

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> On Behalf Of john beamon
> Sent: Tuesday, November 06, 2001 8:34 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [brluglist] Somebody at my front door.
>
>
> portmap is a service associated with NFS, and I *think* a few RPC calls.
> It's a necessary element in NFS, though. This looks like some sort of bot
> or script that's been left running in the background until you screw up
> and turn this service on. I can recommend a couple things. You might
> want to add a black hole route for this guy, saying that the path to his
> box is through 127.0.0.1. You might want to start a little scripting
> project to remove lines containing "blah", listed in a conf file
> somewhere, from your logs on a periodic basis. I have a set of tools for
> removing all the "C:\...\winnt\" requests from my web server logs,
> courtesy of CR and Nimda. It'd be neat to expand that to something like
> a conf_file loaded into a Perl hash, then export each line that doesn't
> match anything in the hash to a tmp file, then copy the tmp file back to
> the original. I don't really "do" Perl yet, but I'm a little familiar
> with the vocab.
>
> Any request blocked by an ipchains firewall, which is "doing its job",
> goes to logs. The idea is not to prevent logging, but to prune it and
> acclimate it once a harmless but persistent intruder has been identified.
> If someone spends a week scanning a port I don't have open, I figure
> they've left it running in the background and waiting for a reply. It likely
> won't go away. I had a guy scan a particular port of mine several times a
> minute for over three months. I eventually just started "grep -v"
> removing his IP from my logs, but the firewall was doing its job.
>
> --
> -j
>
> On Mon, 5 Nov 2001, Byron Como wrote:
>
> > Date: Mon, 05 Nov 2001 23:42:31 -0600
> > From: Byron Como <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > To: [EMAIL PROTECTED]
> > Subject: [brluglist] Somebody at my front door.
> >
> > The attached text file has the ip addresses that are interesting. I
> > personally don't think there is a problem because it seems like some
> > kind of automated script kiddie attack that is mindlessly plodding
> > along. Although my log files have rolled over, I did write down the name
> > of the machine that appeared in an earlier logfile from which there were
> > attempted connects: charcot.neurology.washington.edu. Anybody care to
> > characterize what these logfile entries mean?
> >
>
> ================================================
> BRLUG - The Baton Rouge Linux User Group
> Visit http://www.brlug.net for more information.
> Send email to [EMAIL PROTECTED] to change
> your subscription information.
> ================================================
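The two steps John describes (first identify a persistent scanner by counting blocked packets per source, then prune the noise from the logs using a list loaded from a conf file) as an added example, not code from anyone in this thread; it is written in Python rather than the Perl he had in mind. The log lines, IP addresses and the file names are constructed for the example, laid out in the ipchains "Packet log:" style.

```python
"""Added example (not from the BRLUG thread): summarize and prune ipchains log
noise. Ignore-list entries are literal strings, one per line, '#' comments;
a bare IPv4 address is compared exactly against the packet's source address,
anything else is matched as a substring of the whole line."""
import os
import re
import shutil
import tempfile
from collections import Counter

# Constructed sample lines (ipchains "Packet log:" layout); addresses come from
# documentation ranges and do not refer to real hosts.
SAMPLE_LOG = """\
Nov  5 23:40:01 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3456 198.51.100.7:111 L=60 S=0x00 I=1 F=0x4000 T=48 SYN (#5)
Nov  5 23:40:31 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3457 198.51.100.7:111 L=60 S=0x00 I=2 F=0x4000 T=48 SYN (#5)
Nov  5 23:41:02 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3458 198.51.100.7:111 L=60 S=0x00 I=3 F=0x4000 T=48 SYN (#5)
Nov  5 23:41:40 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.5:4100 198.51.100.7:22 L=60 S=0x00 I=9 F=0x4000 T=52 SYN (#5)
Nov  5 23:42:11 gw kernel: Packet log: input DENY eth0 PROTO=17 192.0.2.10:1025 198.51.100.7:111 L=84 S=0x00 I=4 F=0x0000 T=48 (#5)
"""

PKT_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_line(line):
    """Return the interesting fields of a packet-log line, or None otherwise."""
    m = PKT_RE.search(line)
    return m.groupdict() if m else None


def summarize(lines):
    """Count blocked packets per (source IP, destination port). This is the
    step that shows a 'harmless but persistent' scanner before pruning."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec:
            counts[(rec["src"], int(rec["dport"]))] += 1
    return counts


def load_ignore_list(path):
    """Load the conf file into a set (the 'conf file into a hash' idea)."""
    patterns = set()
    with open(path) as f:
        for raw in f:
            s = raw.strip()
            if s and not s.startswith("#"):
                patterns.add(s)
    return patterns


def line_matches(line, patterns):
    rec = parse_line(line)
    for p in patterns:
        if IPV4_RE.match(p):
            # exact source-address comparison, so '192.0.2.1' cannot also
            # swallow lines from '192.0.2.10'
            if rec and rec["src"] == p:
                return True
        elif p in line:
            return True
    return False


def prune_lines(lines, patterns):
    """Keep every line that matches nothing in the ignore list. An empty
    ignore list therefore keeps everything."""
    return [ln for ln in lines if not line_matches(ln, patterns)]


def prune_log_file(log_path, ignore_path):
    """Write the kept lines to a temp file in the same directory, then rename
    it over the original (atomic on POSIX). Returns (kept, dropped)."""
    patterns = load_ignore_list(ignore_path)
    with open(log_path) as f:
        lines = f.read().splitlines(keepends=True)
    kept = prune_lines(lines, patterns)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(log_path)))
    with os.fdopen(fd, "w") as out:
        out.writelines(kept)
    shutil.copymode(log_path, tmp)  # keep the original's permissions
    os.replace(tmp, log_path)
    return len(kept), len(lines) - len(kept)


def demo():
    """Run the whole flow on the constructed sample in a scratch directory."""
    workdir = tempfile.mkdtemp()
    log_path = os.path.join(workdir, "messages")
    ignore_path = os.path.join(workdir, "ignore.conf")
    with open(log_path, "w") as f:
        f.write(SAMPLE_LOG)
    with open(ignore_path, "w") as f:
        f.write("# persistent portmap scanner, reviewed by hand\n192.0.2.10\n")
    for (src, port), n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(f"{src} -> port {port}: {n} blocked packets")
    result = prune_log_file(log_path, ignore_path)
    shutil.rmtree(workdir)
    return result


if __name__ == "__main__":
    print("kept, dropped =", demo())
```

Run the summary first and only add a source to the ignore list after looking at what it was hitting; the pruning step removes evidence, so the firewall rule itself stays in place and the conf file records what was judged safe to drop.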
