This looks like someone is walking the portmapper chain to see what services they can and cannot set, though. I just dealt with this at the hospital not too long ago. Some of the early NT4 stuff exploited portmapper stuff. You'd be amazed what you can find out from the portmapper. When you get a callit() function to just about any function, that's the one to be worried about.
--JMS

On Tue, 2001-11-06 at 08:58, Dustin Puryear wrote:
> It's always possible that this is not a portscan; the remote users may have
> misconfigured something or have been given a bad IP address. (I.e., someone
> may have put your address into a file swap database or something similar.)
> Anyway, John B. has a point that sometimes you can just ignore this kind of
> problem.
>
> Regards, Dustin
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > Behalf Of john beamon
> > Sent: Tuesday, November 06, 2001 8:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: [brluglist] Somebody at my front door.
> >
> > portmap is a service associated with NFS, and I *think* a few RPC calls.
> > It's a necessary element in NFS, though. This looks like some sort of bot
> > or script that's been left running in the background until you screw up
> > and turn this service on. I can recommend a couple things. You might
> > want to add a black hole route for this guy, saying that the path to his
> > box is through 127.0.0.1. You might want to start a little scripting
> > project to remove lines containing "blah", listed in a conf file
> > somewhere, from your logs on a periodic basis. I have a set of tools for
> > removing all the "C:\...\winnt\" requests from my web server logs,
> > courtesy of CR and Nimda. It'd be neat to expand that to something like
> > a conf_file loaded into a Perl hash, then export each line that doesn't
> > match anything in the hash to a tmp file, then copy the tmp file back to
> > the original. I don't really "do" Perl yet, but I'm a little familiar
> > with the vocab.
> >
> > Any request blocked by an ipchains firewall, which is "doing its job",
> > goes to logs. The idea is not to prevent logging, but to prune it and
> > acclimate it once a harmless but persistent intruder has been identified.
> > If someone spends a week scanning a port I don't have open, I figure
> > they've left it running in the background and waiting for a reply. It likely
> > won't go away. I had a guy scan a particular port of mine several times a
> > minute for over three months. I eventually just started "grep -v"
> > removing his IP from my logs, but the firewall was doing its job.
> >
> > --
> > -j
> >
> > On Mon, 5 Nov 2001, Byron Como wrote:
> >
> > > Date: Mon, 05 Nov 2001 23:42:31 -0600
> > > From: Byron Como <[EMAIL PROTECTED]>
> > > Reply-To: [EMAIL PROTECTED]
> > > To: [EMAIL PROTECTED]
> > > Subject: [brluglist] Somebody at my front door.
> > >
> > > The attached text file has the ip addresses that are interesting. I
> > > personally don't think there is a problem because it seems like some
> > > kind of automated script kiddie attack that is mindlessly plodding
> > > along. Although my log files have rolled over, I did write down the name
> > > of the machine that appeared in an earlier logfile from which there were
> > > attempted connects: charcot.neurology.washington.edu. Anybody care to
> > > characterize what these logfile entries mean?
> >
> > ================================================
> > BRLUG - The Baton Rouge Linux User Group
> > Visit http://www.brlug.net for more information.
> > Send email to [EMAIL PROTECTED] to change
> > your subscription information.
> > ================================================
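The log-pruning script John sketches above (noise patterns loaded from a conf file, every line that matches none of them kept, the result written back over the log), as an added example in Python rather than Perl; this is not code from the thread or from any of its posters. The conf contents, log lines and addresses are constructed, and the per-pattern tally of what was dropped is my addition, so that pruned noise stays countable instead of vanishing.

```python
import re
from collections import Counter

# Constructed conf file: one literal noise pattern per line, '#' comments allowed.
# Addresses are from documentation ranges, not from the thread.
CONF_TEXT = """
# persistent scanner of 111/tcp (portmap); the firewall already denies it
192.0.2.10
# worm probes against the web server
winnt/system32
"""

# Constructed ipchains-style deny lines and one web log line (formats approximated).
LOG_LINES = [
    "Nov  6 08:00:01 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3456 198.51.100.5:111 L=60 SYN",
    "Nov  6 08:00:09 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.100:3457 198.51.100.5:111 L=60 SYN",
    "Nov  6 08:00:12 gw kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.10:3458 198.51.100.5:111 L=60 SYN",
    "Nov  6 08:00:20 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4000 198.51.100.5:22 L=60 SYN",
    'Nov  6 08:00:31 gw httpd: 203.0.113.9 "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404',
]

def load_patterns(conf_text):
    # Literal patterns, anchored so that 192.0.2.10 does not also swallow 192.0.2.100
    # (a plain substring match or an unanchored "grep -v" would drop both).
    pats = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            pats.append((line, re.compile(r"(?<![\w.])" + re.escape(line) + r"(?![\w.])")))
    return pats

def prune(lines, patterns):
    # Returns (kept_lines, Counter of dropped lines per pattern): the noise leaves
    # the log but not the picture, so a change in its volume is still visible.
    kept, dropped = [], Counter()
    for line in lines:
        hit = next((name for name, rx in patterns if rx.search(line)), None)
        if hit is None:
            kept.append(line)
        else:
            dropped[hit] += 1
    return kept, dropped

def prune_file(log_path, conf_path):
    # Rewrite in place (truncate, then write) so the log file's inode is kept. Run it
    # on a rotated log: lines syslog appends between the read and the rewrite are lost.
    with open(conf_path) as f:
        patterns = load_patterns(f.read())
    with open(log_path) as f:
        kept, dropped = prune(f.read().splitlines(keepends=True), patterns)
    with open(log_path, "w") as f:
        f.writelines(kept)
    return dropped
```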
