At 02:01 AM 7/19/00, Mark Ivey <[EMAIL PROTECTED]> wrote:
>Hi,
>
>I keep seeing comments similar to "someone port-scanned my firewall today,
>and here is who they were..." and I was wondering how you manage to get
>this information (both the fact that someone scanned you, and then the
>info on the originating system). Thanks...
>
>-Mark-
I run portsentry (http://www.psionic.com), it makes a log entry when it
detects a scan. It can do more too like insert the attacking host in
/etc/hosts.deny, add a route to a dead-end for the attacking IP (so his
packets never return to him, you seem to drop off the face of the earth;
note the DOS implications if they spoof the attack from a friendly host),
alert you or take other action when the attack occurs, insert IP Chains
rules for the attacker, etc.
Step-by-step:
(1) When you get scanned, it creates an entry like below. If you were
using IP Chains or another product, you would get something similar (but
different, like IP Chains might show a DENY). If the attacker isn't shy,
they can create hundreds or thousands of such log messages.
Jul 16 23:07:08 conan portsentry[612]: attackalert: SYN/Normal scan from
host: pD4B89819.dip.t-dialin.net/212.184.152.25 to TCP port: 21
(2) Then you can do an nslookup on the IP address 212.184.152.25 (in this
case I don't need to because the DNS name is given as
pD4B89819.dip.t-dialin.net).
(3) So t-dialin.net is the domain. Then I do a whois lookup on the host's
domain:
[root@conan log]# whois t-dialin.net
[whois.geektools.com]
Query: t-dialin.net
Registry: whois.networksolutions.com
Results:
Registrant:
Deutsche Telekom Online Service GmbH (T-DIALIN2-DOM)
Waldstrasse 3
Weiterstadt, Germany D-64331
DE
Domain Name: T-DIALIN.NET
Administrative Contact, Technical Contact, Zone Contact:
Kaufmann, Daniel (DK162-RIPE) [EMAIL PROTECTED]
Deutsche Telekom Online Service GmbH
Julius-Reiber-Str.37
Darmstadt
Germany
D-6429
DE
+49 61 51 680 537 (FAX) +49 61 51 680 519
Billing Contact:
Billing, Domain Name (DN54-RIPE) [EMAIL PROTECTED]
Deutsche Telekom AG, NIC
Gueterstr. 10a
Oldenburg
Germany
26122
DE
+49 441 234 4555 (FAX) +49 441 234 4559
Record last updated on 12-May-2000.
Record expires on 10-Feb-2001.
Record created on 10-Feb-1999.
Database last updated on 19-Jul-2000 05:42:33 EDT.
Domain servers in listed order:
DNS00.SDA.T-ONLINE.DE 195.145.119.62
DNS01.SDA.T-ONLINE.DE 195.145.119.189
DNS00.SUL.T-ONLINE.DE 194.25.2.123
DNS01.SUL.T-ONLINE.DE 194.25.2.124
Results brought to you by the GeekTools WHOIS Proxy v3.0
Server results may be copyrighted and are used with permission.
Your host (64.5.73.24) has visited 2 times today.
Courtesy of Chuck Mead, this is my /usr/bin/whois that accesses the
geektools whois server because they give more information. To use, RENAME
/usr/bin/whois to /usr/bin/whois2 and enter this little script:
[root@conan log]# more /usr/bin/whois
#!/bin/sh
whois2 $[EMAIL PROTECTED]
(4) So a couple days ago a cracker (presumably) operating from a dialup in
Germany scanned my computer. I might contact the admin or tech contact
although usually they are either (1) well aware of the problem or (2) seem
to ignore me. Also, it's probably better not to use email but I'm not
about to call Germany over this. If the admin is interested, they
invariably need the logs with good timestamps to gather evidence. With
some big ISPs, you need to send these logs for them to even read your email.
-Alan
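The triage steps (1) to (3) above, as an added example that is not part of Alan's message or of portsentry itself: parse portsentry "attackalert" lines, collapse the hundreds of hits a noisy scanner produces into one record per source IP, and derive the domain to hand to whois. The log sample is constructed (documentation-range addresses, except the line quoted above), and the domain derivation simply takes the last two labels, which is an assumption that does not hold for suffixes like co.uk.

```python
import re

# Constructed sample: the line quoted in the message plus made-up lines in the same
# format (192.0.2.x / 203.0.113.x are documentation ranges). The sshd line is noise
# to show that non-portsentry lines are skipped.
SAMPLE_LOG = """\
Jul 16 23:07:08 conan portsentry[612]: attackalert: SYN/Normal scan from host: pD4B89819.dip.t-dialin.net/212.184.152.25 to TCP port: 21
Jul 17 01:12:40 conan portsentry[612]: attackalert: SYN/Normal scan from host: dyn7.example.net/192.0.2.7 to TCP port: 22
Jul 17 01:12:40 conan portsentry[612]: attackalert: SYN/Normal scan from host: dyn7.example.net/192.0.2.7 to TCP port: 23
Jul 17 01:12:41 conan portsentry[612]: attackalert: SYN/Normal scan from host: dyn7.example.net/192.0.2.7 to TCP port: 80
Jul 17 03:00:02 conan portsentry[612]: attackalert: UDP scan from host: 203.0.113.9/203.0.113.9 to UDP port: 111
Jul 17 03:00:05 conan sshd[700]: Accepted publickey for alan from 192.0.2.50 port 40000 ssh2
"""

# Field layout of the attackalert line as shown in the message:
# <syslog ts> <host> portsentry[<pid>]: attackalert: <type> scan from host: <name>/<ip> to <proto> port: <n>
ATTACK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ portsentry\[\d+\]: attackalert: "
    r"(?P<scan>.+?) scan from host: (?P<host>\S+?)/(?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)

def parse_attackalert(line):
    """Return the fields of one attackalert line as a dict, or None for any other line."""
    m = ATTACK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec

def domain_for_whois(host, ip):
    """Step 3: pick what to feed to whois. Assumes the registrable domain is the last
    two labels of the reverse-DNS name (simplification). When the name field is just
    the IP again (assumed to mean no reverse DNS), return the IP for an IP whois."""
    if host == ip:
        return ip
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host

def summarize(lines):
    """Group hits by source IP: first/last timestamp, count, distinct ports, whois target."""
    sources = {}
    for line in lines:
        rec = parse_attackalert(line)
        if rec is None:
            continue  # not a portsentry alert
        s = sources.setdefault(rec["ip"], {
            "host": rec["host"], "first": rec["ts"], "last": rec["ts"], "hits": 0,
            "ports": set(), "whois": domain_for_whois(rec["host"], rec["ip"])})
        s["hits"] += 1
        s["last"] = rec["ts"]  # log order is time order
        s["ports"].add((rec["proto"], rec["port"]))
    return sources

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG.splitlines()).items():
        ports = ", ".join(f"{p}/{n}" for p, n in sorted(s["ports"]))
        print(f"{ip} ({s['host']}): {s['hits']} hits {s['first']}..{s['last']} on {ports}; whois {s['whois']}")
```

The summary line per source (first and last timestamp, ports touched) is exactly the kind of timestamped evidence step (4) says an ISP abuse contact will ask for.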