Re: Port 12345?

2000-11-29 Thread Robert Waldner
On Tue, 28 Nov 2000 23:49:11 GMT, Pollywog writes:
On Tue, 28 Nov 2000 23:08:43 +0100, Robert Waldner said:
  As soon as I figure out how to get portsentry to mail -s `$TARGET$ 
   attempted bla` (I guess some 6 hours of sleep away ;-) ) I'll be a 
   convert from my homegrown script that I use for that currently.

Logcheck will do that for you.

No need for yet another piece of software, in portsentry.conf:

KILL_RUN_CMD="/usr/bin/mail -s 'connection attempt from $TARGET$' waldner"

rw
-- 
/  Ing. Robert Waldner  | Network Engineer | T: +43 1 89933  F: x533 \ 
\ [EMAIL PROTECTED] |KPNQwest/AT   | Diefenbachg. 35, A-1150 / 




Re: Port 12345?

2000-11-28 Thread Robert Waldner
On Tue, 28 Nov 2000 00:51:09 +0100, Svante Signell writes:
Anyone knows what port 12345TCP is used for and which OSes are
vulnerable?

12345 is NetBus (according to www.snort.org), vulnerable is everything 
 where NetBus runs ;-) eg WinEverything=95

portscans
Note: I am on a dial-up connection. For you with fixed network access,
how often does this happen, a few times a day?

10-15/week.

cheers,
rw
-- 
/  Ing. Robert Waldner  | Network Engineer | T: +43 1 89933  F: x533 \ 
\ [EMAIL PROTECTED] |KPNQwest/AT   | Diefenbachg. 35, A-1150 / 




Re: Port 12345?

2000-11-28 Thread Willy Lee
Robert == Robert Waldner [EMAIL PROTECTED] writes:

 On Tue, 28 Nov 2000 00:51:09 +0100, Svante Signell writes:
 Anyone knows what port 12345TCP is used for and which OSes are
 vulnerable?

 12345 is NetBus (according to www.snort.org), vulnerable is
 everything where NetBus runs ;-) eg WinEverything=95

 portscans
 Note: I am on a dial-up connection. For you with fixed network
 access, how often does this happen, a few times a day?

10-15/week.

 cheers, rw

How can I tell when I am being portscanned?  Is there an appropriate
selection of Debian packages for this?

=wl

-- 
Albert ``Willy'' Lee, Emacs user, game programmer
They call me CRAZY - just because I DARE to DREAM of a RACE of 
SUPERHUMAN MONSTERS!



Re: Port 12345?

2000-11-28 Thread Robert Waldner
On 28 Nov 2000 02:03:51 PST, Willy Lee writes:
How can I tell when I am being portscanned?

By looking at your log-files, I don't have them at hand now, but if you 
 see something like:

ip fw-in deny bla your_ip:21
ip fw-in deny bla your_ip:22
ip fw-in deny bla your_ip:98
ip fw-in deny bla your_ip:137
ip fw-in deny bla your_ip:138
...

then that's a _strong_ indication.

  Is there an appropriate
selection of Debian packages for this?

I wouldn't know of one.

hth,
rw
-- 
/  Ing. Robert Waldner  | Network Engineer | T: +43 1 89933  F: x533 \ 
\ [EMAIL PROTECTED] |KPNQwest/AT   | Diefenbachg. 35, A-1150 / 




Re: Port 12345?

2000-11-28 Thread Andrei Ivanov
To capture portscans, try portsentry. It'll dump warning messages into
your syslog, and other log files, every time a portscan trips it.
Andrei

--
First there was Explorer...
Then came Expedition.
This summer
Coming to a street near you..
Ford Exterminator.
--
Andrei Ivanov
http://arshes.dyndns.org
[EMAIL PROTECTED]
12402354
--



Re: Port 12345?

2000-11-28 Thread C. Falconer

At 11:15 AM 11/28/00 +0100, you wrote:

  Is there an appropriate
selection of Debian packages for this?

I wouldn't know of one.


I have an old serial terminal plugged into a null modem cable.  It sits 
just to the left of my main monitor and in syslog.conf I have

*.* /dev/ttys1

So all syslogd output for all machines is displayed on it.

All my linux boxes run tcplogd which logs connections - it's not the 
greatest software around, but does okay.


--
Criggie



Re: Port 12345?

2000-11-28 Thread Michael Smith
Try ippl.  It logs connection attempts.  logcheck is a tool that scans your log
files every hour and mails you the results.  It's noisy to start with, but you
can add events to your logcheck.ignore file to cut down on the false alarms for
routine traffic.

Willy Lee wrote:

 How can I tell when I am being portscanned?  Is there an appropriate
 selection of Debian packages for this?

--
Michael J. Smith [EMAIL PROTECTED]
2250 Patterson #25 Eugene, OR 97405
(541)346-7562





Re: Port 12345?

2000-11-28 Thread Robert Waldner
On Wed, 29 Nov 2000 07:41:54 +1300, C. Falconer writes:
At 11:15 AM 11/28/00 +0100, you wrote:
   Is there an appropriate
 selection of Debian packages for this?

I wouldn't know of one.

I have an old serial terminal plugged into a null modem cable.  It sits 
just to the left of my main monitor and in syslog.conf I have
*.* /dev/ttys1

So all syslogd output for all machines is displayed on it.

That's great for general purposes alone, but it doesn't mail you and 
 say: hey, someone just port-scanned you or the like. and that's 
 what I think Mario had in mind.

All my linux boxes run tcplogd which logs connections - it's not the 
greatest software around, but does okay.

Simple plain old remote syslogging is a great thing, but has its 
limits also.

rw
-- 
/  Ing. Robert Waldner  | Network Engineer | T: +43 1 89933  F: x533 \ 
\ [EMAIL PROTECTED] |KPNQwest/AT   | Diefenbachg. 35, A-1150 / 




Re: Port 12345?

2000-11-28 Thread Pollywog

On Tue, 28 Nov 2000 21:10:10 +0100, Robert Waldner said:


  
  That's great for general purposes alone, but it doesn't mail you and 
   say: hey, someone just port-scanned you or the like. and that's 
   what I think Mario had in mind.

Logcheck and Portsentry, used together, will do that.

--
Andrew



Re: Port 12345?

2000-11-28 Thread Robert Waldner
On Tue, 28 Nov 2000 20:25:54 GMT, Pollywog writes:
On Tue, 28 Nov 2000 21:10:10 +0100, Robert Waldner said:
  
  That's great for general purposes alone, but it doesn't mail you and 
   say: hey, someone just port-scanned you or the like. and that's 
   what I think Mario had in mind.

Logcheck and Portsentry, used together, will do that.

As soon as I figure out how to get portsentry to mail -s `$TARGET$ 
 attempted bla` (I guess some 6 hours of sleep away ;-) ) I'll be a 
 convert from my homegrown script that I use for that currently.

Nice thingie.

rw
-- 
/  Ing. Robert Waldner  | Network Engineer | T: +43 1 89933  F: x533 \ 
\ [EMAIL PROTECTED] |KPNQwest/AT   | Diefenbachg. 35, A-1150 / 




Re: Port 12345?

2000-11-28 Thread Richard Cobbe
Lo, on , November 28, Willy Lee did write:

 Robert == Robert Waldner [EMAIL PROTECTED] writes:
 
  On Tue, 28 Nov 2000 00:51:09 +0100, Svante Signell writes:
  Anyone knows what port 12345TCP is used for and which OSes are
  vulnerable?
 
  12345 is NetBus (according to www.snort.org), vulnerable is
  everything where NetBus runs ;-) eg WinEverything=95
 
  portscans
  Note: I am on a dial-up connection. For you with fixed network
  access, how often does this happen, a few times a day?
 
 10-15/week.
 
  cheers, rw
 
 How can I tell when I am being portscanned?  Is there an appropriate
 selection of Debian packages for this?

As someone else said, you can often see it in your system logs---IF you
have your kernel configured with IP firewalling AND if you have your
firewall definition set to log blocked packets.  For the 2.2 kernel series,
see the ipchains(8) manpage.

The only dedicated software package that I know of for this sort of thing
is PortSentry, at http://www.psionic.com/abacus/portsentry/ (or do a
FreshMeat search), but it's only distributed as a tarball, not as a Debian
package.

Richard



Re: Port 12345?

2000-11-28 Thread Pollywog

On Tue, 28 Nov 2000 23:08:43 +0100, Robert Waldner said:

 On Tue, 28 Nov 2000 20:25:54 GMT, Pollywog writes:
  On Tue, 28 Nov 2000 21:10:10 +0100, Robert Waldner said:

That's great for general purposes alone, but it doesn't mail you and 
 say: hey, someone just port-scanned you or the like. and that's 
 what I think Mario had in mind.
  
  Logcheck and Portsentry, used together, will do that.
  
  As soon as I figure out how to get portsentry to mail -s `$TARGET$ 
   attempted bla` (I guess some 6 hours of sleep away ;-) ) I'll be a 
   convert from my homegrown script that I use for that currently.

Logcheck will do that for you.

--
Andrew



Re: Port 12345?

2000-11-28 Thread Bill Goudie
On Tue, Nov 28, 2000 at 05:27:45PM -0600, Richard Cobbe wrote:
 The only dedicated software package that I know of for this sort of thing
 is PortSentry, at http://www.psionic.com/abacus/portsentry/ (or do a
 FreshMeat search), but it's only distributed as a tarball, not as a Debian
 package.

An official deb is now available for woody.  On a system running potato you 
can find an unofficial deb via the apt source --

deb http://honk.physik.uni-konstanz.de/~agx/debian potato main

-- 
I went to a Grateful Dead Concert and they played for SEVEN hours.  Great song.
-- Fred Reuss



Re: Port 12345?

2000-11-27 Thread Michael Smith
Netbus
Ganabus back door
Netbus back door
Netbus Picture back door.

Check it out: http://www.snort.org/Database/portsearch.asp

Svante Signell wrote:

 Anyone knows what port 12345TCP is used for and which OSes are
 vulnerable? (my guess is w9x) I'm getting portscanned every now and
 then on this specific port. Other (known) ports are 31337UDP Back Orifice,
 20034 NetBus Pro etc. but which one is corresponding to 12345?

 Ports being attacked the last year (some more than once):
 1TCP: tcpmux
 79TCP: finger
 119TCP: nntp
 143TCP: imap2
 161UDP: snmp
 1524TCP: ingreslock
 12345TCP: ??
 20034TCP: Netbus Pro
 31337UDP: Back Orifice

 Note: I am on a dial-up connection. For you with fixed network access,
 how often does this happen, a few times a day?


--
I was on a Boston to New York shuttle flight that gets stuck on the runway for 
3 hours
with no explanation. Worse, I'm sitting in front of three idiot consultants 
from Razorfish
who spend the whole time talking loudly and incessantly. Remarkably, not one 
word of it
resembled any productive activity in the slightest. 'So, I conducted a series 
of group
discussion sessions to quantify how they establish their procedures.' 'But, 
Bianca, how
did you formulate the framework for evaluating their paradigms?'
My favorite line - Bianca is irate because a client asked her for some 
concrete
bit of information: 'Can you believe that? Hello? I'm an Information Architect, 
not a
Knowledge Engineer!' --dump() on slashdot