Neil Schneider wrote:
..
nmap profile, in case this means anything to anybody is
..
It could be a zombie machine. If it is then it's not the owner that's
attacking us, but someone else that "owns" that machine. The exploits
on those filtered ports are the reason why most of them are now blocked
on most cable and dsl networks. I would speculate those open ports are
signal ports for controlling the zombie. I find it interesting that
rsync (873) and nessusd (3001) are open and many of the other filtered
ports have had a history of exploits against them. It might be something
in the way a firewall is configured.


Makes sense.
In any case, that same IP is still poking us. Has been every few seconds for (at least) a couple of days now.

A quick look revealed another at 61.135.145.207, also cn, it seems.

Q: does it do any good to blacklist such obvious bot-attacks?
Q: are we/should we be extracting info from the error logs? At least the IPs? The error log config says: keep=20; copy to event log=yes; ignored exceptions=Unauthorized,NotFound,Redirect. What becomes of the /var/lib/zope/log/event.log* files? Could they be a little big? Could we be mining them?

..jim

persPS:
Welcome back Neil -- Hope all went satisfactorily with your "housework".

..j
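One way to start on the log-mining question above: an added example (not code from this thread, and not Zope's own) that counts SiteError entries per source IP across the current and rotated event.log files and flags addresses that keep hitting every few seconds. The line layout with a REMOTE_ADDR field is an assumption about how copied error-log entries look, and the sample lines are constructed; 10.0.0.5 is a placeholder.

```python
import glob, re, statistics
from collections import defaultdict
from datetime import datetime

# Assumed line shape (not verified against Zope's real event.log format):
# "<ISO timestamp> ERROR SiteError <url> REMOTE_ADDR=<client ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) ERROR SiteError "
    r"\S+ REMOTE_ADDR=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

def parse_hits(lines):
    """Group timestamps by source IP for every line matching LINE_RE."""
    hits = defaultdict(list)
    for line in lines:
        if m := LINE_RE.match(line):
            hits[m["ip"]].append(datetime.fromisoformat(m["ts"]))
    return dict(hits)

def repeat_probers(hits, min_hits=3, max_gap_seconds=10.0):
    """Return {ip: (hit_count, median_gap_s)} for IPs seen min_hits or more
    times at a median spacing <= max_gap_seconds: the steady poke described
    in the thread, as opposed to a stray error from one broken link."""
    flagged = {}
    for ip, stamps in hits.items():
        if len(stamps) < max(min_hits, 2):  # need two stamps to have a gap
            continue
        stamps = sorted(stamps)
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        gap = statistics.median(gaps)
        if gap <= max_gap_seconds:
            flagged[ip] = (len(stamps), gap)
    return flagged

def scan_logs(pattern="/var/lib/zope/log/event.log*"):
    """Run the check over the current and rotated event logs."""
    lines = []
    for path in sorted(glob.glob(pattern)):
        with open(path, errors="replace") as fh:
            lines.extend(fh)
    return repeat_probers(parse_hits(lines))

# Constructed sample lines; 61.135.145.207 is the address named in the thread.
SAMPLE_LINES = [
    "2009-03-01T10:00:00 ERROR SiteError http://site.example/a REMOTE_ADDR=61.135.145.207",
    "2009-03-01T10:00:04 ERROR SiteError http://site.example/b REMOTE_ADDR=61.135.145.207",
    "2009-03-01T10:00:08 ERROR SiteError http://site.example/c REMOTE_ADDR=61.135.145.207",
    "2009-03-01T10:30:00 ERROR SiteError http://site.example/old REMOTE_ADDR=10.0.0.5",
]
```

Running `repeat_probers(parse_hits(SAMPLE_LINES))` flags only 61.135.145.207; a one-off visitor never reaches the threshold.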

--
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-steer
