Re: Compromised-machine?? netbus- request from my debian-sid machine to outside IP to port 12345
Alvin Oga wrote:

> hi ya quadpolar :-)
>
> On Thu, 27 May 2004, tripolar wrote:
>
>> I don't think so- The only thing I know of is firestarter (firewall).
>> I received some more messages the same except this time ports 1234 (service subseven) but going to a different outside IP.
>
> post your logs (unedited, except for ip#) you are reading/interpreting
>
> - you don't care that 100's of script kiddies are trying to make 1000's of attempts to get into your pc
> - consider it a free audit of your systems
> - if they got in ... you've got a serious, but solvable major problem

What logs? Here are a few lines from the hit list:

time:May 27 21:22:29 in: out:eth1 port:12345 source:192.168.1.1 dest:81.53.*.* len:44 tos:0x00 protocol:tcp service:netbus
time:May 27 22:10:38 in: out:eth1 port:1234 source:192.168.1.1 dest:63.207.*.* len:40 tos:0x00 protocol:tcp service:subseven

> what is the output of netstat -nv

netstat -nv only brought up two addresses- my ISP's mail servers:995

> - you are looking for foreign address on whacky ports that have established connections to your local pc
> - if you cannot explain any of those outside machines connected to your pc... you probably need to get comments from the list what does this line mean
>
> c ya
> alvin

I had had many ports forwarded from the hardware firewall/router (HFR) to the debian-sid machine because of certain programs (which I have since shut down) and then I removed all port forwarding rules from the HFR to the debian pc. I will just keep an eye out on the hit list.

Thanks

This didn't go through to the list the first time so here goes again. Also since then I slowly opened 1 port at a time after starting 1 of the programs. I see the requests leaving my machine again so I have tracked down the culprit.

Thanks

--
To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]
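Alvin's point in the message above, that blocked inbound probes are noise while packets leaving your own LAN towards a backdoor port need a local explanation, as an added example (not code from the thread): a small Python triage over Firestarter-style hit-list lines. It assumes the key:value layout of the quoted lines, assumes that an empty in: with out:eth1 means the packet left the box, uses only the port names this thread mentions, and the third sample line (an inbound probe) is constructed.

```python
import re

# Ports the thread associates with remote-control backdoors: (port, proto).
BACKDOOR_PORTS = {(12345, "tcp"): "NetBus", (1234, "tcp"): "SubSeven",
                  (20034, "tcp"): "NetBus Pro", (31337, "udp"): "Back Orifice"}

# The two lines quoted in the thread plus one constructed inbound probe.
SAMPLE = [
    "time:May 27 21:22:29 in: out:eth1 port:12345 source:192.168.1.1 dest:81.53.*.* len:44 tos:0x00 protocol:tcp service:netbus",
    "time:May 27 22:10:38 in: out:eth1 port:1234 source:192.168.1.1 dest:63.207.*.* len:40 tos:0x00 protocol:tcp service:subseven",
    "time:May 27 23:05:02 in:eth1 out: port:31337 source:198.51.100.9 dest:192.168.1.1 len:40 tos:0x00 protocol:udp service:bo",
]

FIELD_RE = re.compile(r"(\w+):(\S*)")   # one key:value token; the value may be empty

def parse_hit(line):
    """Split a hit-list line into its fields; 'time:' holds spaces, so cut it off first."""
    m = re.match(r"time:(.*?) (?=in:)", line)
    if not m:
        raise ValueError("not a hit-list line: %r" % line)
    hit = {"time": m.group(1)}
    hit.update(FIELD_RE.findall(line[m.end():]))
    hit["port"] = int(hit["port"])
    return hit

def direction(hit):
    """Assumption taken from the quoted lines: 'out' set with 'in' empty means
    the packet left this box; anything else is treated as an arriving probe."""
    return "outbound" if hit["out"] and not hit["in"] else "inbound"

def triage(lines):
    """Rank hits worst first: a packet leaving the LAN towards a backdoor port
    needs the local process found; a blocked inbound probe is background noise."""
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    findings = []
    for line in lines:
        hit = parse_hit(line)
        name = BACKDOOR_PORTS.get((hit["port"], hit["protocol"]))
        if direction(hit) == "outbound":
            sev = "HIGH" if name else "MEDIUM"
            why = "left the box towards %s port %d" % (name or "an unlisted", hit["port"])
        else:
            sev, why = "LOW", "inbound probe for %s, blocked" % (name or "port %d" % hit["port"])
        findings.append((sev, why, hit["source"], hit["dest"]))
    findings.sort(key=lambda f: order[f[0]])
    return findings
```

Run triage(SAMPLE) and the two quoted lines come back HIGH, which is exactly the "find the local process, check netstat" case the thread ends on; the constructed probe comes back LOW.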
Re: Compromised-machine?? netbus- request from my debian-sid machine to outside IP to port 12345
hi ya quadpolar :-)

On Thu, 27 May 2004, tripolar wrote:

> I don't think so- The only thing I know of is firestarter (firewall).
> I received some more messages the same except this time ports 1234 (service subseven) but going to a different outside IP.

post your logs (unedited, except for ip#) you are reading/interpreting

- you don't care that 100's of script kiddies are trying to make 1000's of attempts to get into your pc
- consider it a free audit of your systems
- if they got in ... you've got a serious, but solvable major problem

what is the output of netstat -nv

- you are looking for foreign address on whacky ports that have established connections to your local pc
- if you cannot explain any of those outside machines connected to your pc... you probably need to get comments from the list what does this line mean

c ya
alvin
Re: Compromised-machine?? netbus- request from my debian-sid machine to outside IP to port 12345
tripolar [EMAIL PROTECTED] writes:

> I don't think so- The only thing I know of is firestarter (firewall).
> I received some more messages the same except this time ports 1234 (service subseven) but going to a different outside IP.

What does netstat tell you is listening?

--
Paul Johnson [EMAIL PROTECTED]
Linux. You can find a worse OS, but it costs more.
Compromised-machine?? netbus- request from my debian-sid machine to outside IP to port 12345
cablemodem -> hardware firewall/router -> debian-sid machine on LAN running firestarter (GUI firewall program).

I see hits from my debian machine to 81.53.*.* port 12345 - under service it says netbus

I don't think I installed netbus. Could my machine be compromised?

Thanks
Re: Compromised-machine?? netbus- request from my debian-sid machine to outside IP to port 12345
tripolar [EMAIL PROTECTED] writes:

> I see hits from my debian machine to 81.53.*.* port 12345 - under service it says netbus
> I don't think I installed netbus. Could my machine be compromised?

I doubt it. Are you using PortSentry or some other port monitoring system?

--
Paul Johnson [EMAIL PROTECTED]
Linux. You can find a worse OS, but it costs more.
Re: Compromised-machine?? netbus- request from my debian-sid machine to outside IP to port 12345
Paul Johnson wrote:

> tripolar [EMAIL PROTECTED] writes:
>
>> I see hits from my debian machine to 81.53.*.* port 12345 - under service it says netbus
>> I don't think I installed netbus. Could my machine be compromised?
>
> I doubt it. Are you using PortSentry or some other port monitoring system?

I don't think so- The only thing I know of is firestarter (firewall).

I received some more messages the same except this time ports 1234 (service subseven) but going to a different outside IP.
Re: Port 12345?
On Tue, 28 Nov 2000 23:49:11 GMT, Pollywog writes:

> On Tue, 28 Nov 2000 23:08:43 +0100, Robert Waldner said:
>
>> As soon as I figure out how to get portsentry to mail -s "$TARGET$ attempted bla" (I guess some 6 hours of sleep away ;-)) I'll be a convert from my homegrown script that I use for that currently.
>
> Logcheck will do that for you.

No need for yet another piece of software, in portsentry.conf:

KILL_RUN_CMD="/usr/bin/mail -s 'connection attempt from $TARGET$' waldner"

rw
--
/ Ing. Robert Waldner | Network Engineer | T: +43 1 89933 F: x533 \
\ [EMAIL PROTECTED] | KPNQwest/AT | Diefenbachg. 35, A-1150 /
Re: Port 12345?
On Tue, 28 Nov 2000 00:51:09 +0100, Svante Signell writes:

> Anyone knows what port 12345TCP is used for and which OSes are vulnerable?

12345 is NetBus (according to www.snort.org), vulnerable is everything where NetBus runs ;-) eg WinEverything>=95

> portscans
> Note: I am on a dial-up connection. For you with fixed network access, how often does this happen, a few times a day?

10-15/week.

cheers,
rw
--
/ Ing. Robert Waldner | Network Engineer | T: +43 1 89933 F: x533 \
\ [EMAIL PROTECTED] | KPNQwest/AT | Diefenbachg. 35, A-1150 /
Re: Port 12345?
Robert Waldner [EMAIL PROTECTED] writes:

> On Tue, 28 Nov 2000 00:51:09 +0100, Svante Signell writes:
>
>> Anyone knows what port 12345TCP is used for and which OSes are vulnerable?
>
> 12345 is NetBus (according to www.snort.org), vulnerable is everything where NetBus runs ;-) eg WinEverything>=95
>
>> portscans
>> Note: I am on a dial-up connection. For you with fixed network access, how often does this happen, a few times a day?
>
> 10-15/week.
>
> cheers,
> rw

How can I tell when I am being portscanned? Is there an appropriate selection of Debian packages for this?

=wl
--
Albert ``Willy'' Lee, Emacs user, game programmer
They call me CRAZY - just because I DARE to DREAM of a RACE of SUPERHUMAN MONSTERS!
Re: Port 12345?
On 28 Nov 2000 02:03:51 PST, Willy Lee writes:

> How can I tell when I am being portscanned?

By looking at your log-files, I don't have them at hand now, but if you see something like:

ip fw-in deny bla your_ip:21
ip fw-in deny bla your_ip:22
ip fw-in deny bla your_ip:98
ip fw-in deny bla your_ip:137
ip fw-in deny bla your_ip:138
...

then that's a _strong_ indication.

> Is there an appropriate selection of Debian packages for this?

I wouldn't know of one.

hth,
rw
--
/ Ing. Robert Waldner | Network Engineer | T: +43 1 89933 F: x533 \
\ [EMAIL PROTECTED] | KPNQwest/AT | Diefenbachg. 35, A-1150 /
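Robert's pattern above (one remote address hitting port after port in the firewall's deny log) turned into a small detection script, added here and not code from the thread. It assumes syslog lines in the 2.2-kernel ipchains "Packet log:" layout; the sample lines are constructed with documentation-range addresses, and the rule flags any source that touches several distinct ports within a short window while ignoring a lone blocked packet.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog lines modelled on the ipchains "Packet log" layout: one
# remote host walking several ports within seconds (the pattern Robert
# describes) plus a single unrelated hit on 12345 from another address.
SAMPLE_LOG = """\
Nov 28 10:15:01 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4321 192.0.2.10:21 L=60 S=0x00 I=1 F=0x4000 T=64 SYN (#5)
Nov 28 10:15:01 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4322 192.0.2.10:22 L=60 S=0x00 I=2 F=0x4000 T=64 SYN (#5)
Nov 28 10:15:02 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4323 192.0.2.10:98 L=60 S=0x00 I=3 F=0x4000 T=64 SYN (#5)
Nov 28 10:15:02 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4324 192.0.2.10:137 L=60 S=0x00 I=4 F=0x4000 T=64 SYN (#5)
Nov 28 10:15:03 gw kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.7:4325 192.0.2.10:138 L=60 S=0x00 I=5 F=0x4000 T=64 SYN (#5)
Nov 28 11:40:20 gw kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.3:1025 192.0.2.10:12345 L=60 S=0x00 I=6 F=0x4000 T=64 SYN (#5)
"""

# Timestamp, host, chain/verdict, interface, protocol number, src:port, dst:port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: \S+ DENY "
    r"\S+ PROTO=(?P<proto>\d+) (?P<src>[\d.]+):\d+ (?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse(log, year=2000):
    """Yield (timestamp, src, proto, dport) for every DENY line with ports."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
            yield ts, m["src"], int(m["proto"]), int(m["dport"])

def find_scans(log, min_ports=5, window_s=60):
    """Flag a source that hits at least min_ports distinct ports within window_s
    seconds; one alert per source, anchored at the first packet of the burst."""
    hits = defaultdict(list)
    for ts, src, proto, dport in parse(log):
        hits[src].append((ts, proto, dport))
    alerts = []
    for src, events in hits.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            inside = [e for e in events[i:] if (e[0] - start).total_seconds() <= window_s]
            ports = sorted({(p, d) for _, p, d in inside})
            if len(ports) >= min_ports:
                alerts.append({"src": src, "first": start, "ports": [d for _, d in ports]})
                break
    return alerts
```

The output of find_scans is what a logcheck rule or a portsentry KILL_RUN_CMD would mail out; the 12345 hit alone stays below the threshold, which is the point of counting distinct ports rather than packets.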
Re: Port 12345?
To capture portscans, try portsentry. It'll dump warning messages into your syslog, and other log files, every time a portscan trips it.

Andrei
--
First there was Explorer... Then came Expedition. This summer Coming to a street near you.. Ford Exterminator.
--
Andrei Ivanov
http://arshes.dyndns.org
[EMAIL PROTECTED]
12402354
--
Re: Port 12345?
At 11:15 AM 11/28/00 +0100, you wrote:

>> Is there an appropriate selection of Debian packages for this?
>
> I wouldn't know of one.

I have an old serial terminal plugged into a null modem cable. It sits just to the left of my main monitor and in syslog.conf I have

*.* /dev/ttys1

So all syslogd output for all machines is displayed on it.

All my linux boxes run tcplogd which logs connections - it's not the greatest software around, but does okay.

--
Criggie
Re: Port 12345?
Try ippl. It logs connection attempts.

logcheck is a tool that scans your log files every hour and mails you the results. It's noisy to start with, but you can add events to your logcheck.ignore file to cut down on the false alarms for routine traffic.

Willy Lee wrote:

> How can I tell when I am being portscanned? Is there an appropriate selection of Debian packages for this?

--
Michael J. Smith [EMAIL PROTECTED]
2250 Patterson #25
Eugene, OR 97405
(541)346-7562
Re: Port 12345?
On Wed, 29 Nov 2000 07:41:54 +1300, C. Falconer writes:

> At 11:15 AM 11/28/00 +0100, you wrote:
>
>>> Is there an appropriate selection of Debian packages for this?
>>
>> I wouldn't know of one.
>
> I have an old serial terminal plugged into a null modem cable. It sits just to the left of my main monitor and in syslog.conf I have
>
> *.* /dev/ttys1
>
> So all syslogd output for all machines is displayed on it.

That's great for general purposes alone, but it doesn't mail you and say: hey, someone just port-scanned you or the like. and that's what I think Mario had in mind.

> All my linux boxes run tcplogd which logs connections - it's not the greatest software around, but does okay.

Simple plain old remote syslogging is a great thing, but has its limits also.

rw
--
/ Ing. Robert Waldner | Network Engineer | T: +43 1 89933 F: x533 \
\ [EMAIL PROTECTED] | KPNQwest/AT | Diefenbachg. 35, A-1150 /
Re: Port 12345?
On Tue, 28 Nov 2000 21:10:10 +0100, Robert Waldner said:

> That's great for general purposes alone, but it doesn't mail you and say: hey, someone just port-scanned you or the like. and that's what I think Mario had in mind.

Logcheck and Portsentry, used together, will do that.

--
Andrew
Re: Port 12345?
On Tue, 28 Nov 2000 20:25:54 GMT, Pollywog writes:

> On Tue, 28 Nov 2000 21:10:10 +0100, Robert Waldner said:
>
>> That's great for general purposes alone, but it doesn't mail you and say: hey, someone just port-scanned you or the like. and that's what I think Mario had in mind.
>
> Logcheck and Portsentry, used together, will do that.

As soon as I figure out how to get portsentry to mail -s "$TARGET$ attempted bla" (I guess some 6 hours of sleep away ;-)) I'll be a convert from my homegrown script that I use for that currently.

Nice thingie.

rw
--
/ Ing. Robert Waldner | Network Engineer | T: +43 1 89933 F: x533 \
\ [EMAIL PROTECTED] | KPNQwest/AT | Diefenbachg. 35, A-1150 /
Re: Port 12345?
Lo, on November 28, Willy Lee did write:

> Robert Waldner [EMAIL PROTECTED] writes:
>
>> On Tue, 28 Nov 2000 00:51:09 +0100, Svante Signell writes:
>>
>>> Anyone knows what port 12345TCP is used for and which OSes are vulnerable?
>>
>> 12345 is NetBus (according to www.snort.org), vulnerable is everything where NetBus runs ;-) eg WinEverything>=95
>>
>>> portscans
>>> Note: I am on a dial-up connection. For you with fixed network access, how often does this happen, a few times a day?
>>
>> 10-15/week.
>>
>> cheers,
>> rw
>
> How can I tell when I am being portscanned? Is there an appropriate selection of Debian packages for this?

As someone else said, you can often see it in your system logs---IF you have your kernel configured with IP firewalling AND if you have your firewall definition set to log blocked packets. For the 2.2 kernel series, see the ipchains(8) manpage.

The only dedicated software package that I know of for this sort of thing is PortSentry, at http://www.psionic.com/abacus/portsentry/ (or do a FreshMeat search), but it's only distributed as a tarball, not as a Debian package.

Richard
Re: Port 12345?
On Tue, 28 Nov 2000 23:08:43 +0100, Robert Waldner said:

> On Tue, 28 Nov 2000 20:25:54 GMT, Pollywog writes:
>
>> On Tue, 28 Nov 2000 21:10:10 +0100, Robert Waldner said:
>>
>>> That's great for general purposes alone, but it doesn't mail you and say: hey, someone just port-scanned you or the like. and that's what I think Mario had in mind.
>>
>> Logcheck and Portsentry, used together, will do that.
>
> As soon as I figure out how to get portsentry to mail -s "$TARGET$ attempted bla" (I guess some 6 hours of sleep away ;-)) I'll be a convert from my homegrown script that I use for that currently.

Logcheck will do that for you.

--
Andrew
Re: Port 12345?
On Tue, Nov 28, 2000 at 05:27:45PM -0600, Richard Cobbe wrote:

> The only dedicated software package that I know of for this sort of thing is PortSentry, at http://www.psionic.com/abacus/portsentry/ (or do a FreshMeat search), but it's only distributed as a tarball, not as a Debian package.

An official deb is now available for woody. On a system running potato you can find an unofficial deb via the apt source

deb http://honk.physik.uni-konstanz.de/~agx/debian potato main

--
I went to a Grateful Dead Concert and they played for SEVEN hours. Great song.
-- Fred Reuss
Port 12345?
Anyone knows what port 12345TCP is used for and which OSes are vulnerable? (my guess is w9x) I'm getting portscanned every now and then on this specific port. Other (known) ports are 31337UDP Back Orifice, 20034 NetBus Pro etc. but which one is corresponding to 12345?

Ports being attacked the last year (some more than once):

1TCP: tcpmux
79TCP: finger
119TCP: nntp
143TCP: imap2
161UDP: snmp
1524TCP: ingreslock
12345TCP: ??
20034TCP: Netbus Pro
31337UDP: Back Orifice

Note: I am on a dial-up connection. For you with fixed network access, how often does this happen, a few times a day?
Re: Port 12345?
Netbus, Ganabus back door, Netbus back door, Netbus Picture back door.

Check it out: http://www.snort.org/Database/portsearch.asp

Svante Signell wrote:

> Anyone knows what port 12345TCP is used for and which OSes are vulnerable? (my guess is w9x) I'm getting portscanned every now and then on this specific port. Other (known) ports are 31337UDP Back Orifice, 20034 NetBus Pro etc. but which one is corresponding to 12345?
>
> Ports being attacked the last year (some more than once):
>
> 1TCP: tcpmux
> 79TCP: finger
> 119TCP: nntp
> 143TCP: imap2
> 161UDP: snmp
> 1524TCP: ingreslock
> 12345TCP: ??
> 20034TCP: Netbus Pro
> 31337UDP: Back Orifice
>
> Note: I am on a dial-up connection. For you with fixed network access, how often does this happen, a few times a day?

--
I was on a Boston to New York shuttle flight that gets stuck on the runway for 3 hours with no explanation. Worse, I'm sitting in front of three idiot consultants from Razorfish who spend the whole time talking loudly and incessantly. Remarkably, not one word of it resembled any productive activity in the slightest. 'So, I conducted a series of group discussion sessions to quantify how they establish their procedures.' 'But, Bianca, how did you formulate the framework for evaluating their paradigms?' My favorite line - Bianca is irate because a client asked her for some concrete bit of information: 'Can you believe that? Hello? I'm an Information Architect, not a Knowledge Engineer!'
--dump() on slashdot