Web Hosting Talk

System Attack? Please help


Lurleene
07-19-2002, 01:53 PM
Can anyone tell me if this is something to worry about? Does this mean port-sentry has blocked this individual, and therefore we do not have to do anything?
Jul 18 23:14:01 www portsentry[23622]: attackalert: SYN/Normal scan from host: ACA566B7.ipt.aol.com/172.165.102.183 to TCP port: 12345
Jul 18 23:14:01 www portsentry[23622]: attackalert: Host 172.165.102.183 has been blocked via wrappers with string: "ALL: 172.165.102.183"
Jul 18 23:14:01 www portsentry[23622]: attackalert: SYN/Normal scan from host: ACA566B7.ipt.aol.com/172.165.102.183 to TCP port: 12345
Jul 18 23:14:01 www portsentry[23622]: attackalert: Host: ACA566B7.ipt.aol.com/172.165.102.183 is already blocked Ignoring

insiderhosting
07-19-2002, 02:08 PM
Personally I don't even bother with these messages, as I read the actual logs of the server for any odd behaviour. This sounds like a cpanel server; how long have you had this server online for (I'm guessing not long)? The reason I ask is because you will get these reports every night or morning depending on where you live.

-Steven

Lurleene
07-19-2002, 02:25 PM
No, it's not a new server, but we just installed portsentry and we're not used to the messages.

Also, just for our own knowledge, what does the "already blocked Ignoring" mean? Has the system blocked the IP of the person scanning, or is it just ignoring them?

Thanks

phantasywork
07-19-2002, 02:35 PM
You will see those most every day, in your emails from the server... it's not unusual

clocker1996
07-19-2002, 03:17 PM
lol it's an AOLer too

I would be shaking in my boots

fog
07-19-2002, 04:34 PM
It looks like someone portscanned you, and portsentry blocked them. Portscans are often used to find vulnerable services on a host, but something like PortSentry will block anyone who tries to portscan you. Portscans are often done on random netblocks by 'script kiddies' -- I wouldn't worry much about it.

max2rk
07-19-2002, 08:21 PM
I'm not a Linux guru, but I have done my hacking and cracking on Windows PCs years ago.

All I can say: don't worry about those lines. Someone has just been running a port scanner.

You enter an IP range and it keeps scanning all IPs looking for the open port that has been specified.

Port 12345 is used by the very popular program "net bus"; it is a "wanna be hacker's" tool. I have played with it as well.

It works only on Win OS; when the net bus patch is installed in the system, it opens port 12345 and waits for someone to connect.

When you connect you can virtually control the system: delete/view files, open the CD-ROM, see what is being typed on the keyboard, listen to the microphone.

Most virus removal programs will remove net bus from the system if you have it. ;)

seg fault
07-20-2002, 12:23 AM
Originally posted by max2rk
I have done my hacking and cracking on Windows PCs years ago.

*giggle*

CagedTornado
07-20-2002, 03:09 AM
There are a few ways you can set up portsentry (if memory serves me) -- so check to see if the IP is listed as blocked in your iptables rules

iptables -L -n

or check to see if the IP is listed in /etc/hosts.deny (although this only works if you're using TCP wrappers).

If the IP address appears in one of these locations, you're generally safe now. Just be sure to save your iptables/ipchains rules (and load them at system start) to make sure this IP remains blocked from reboot to reboot.

Dan
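
The hosts.deny check from the post above, run against the log lines from the first post, as an added example (not code from anyone in this thread): it groups the portsentry alerts by source IP and confirms that the wrappers block the log reports is really present. The hosts.deny content is a constructed sample and the function names are hypothetical; only literal `ALL: <ip>` entries are recognized, and iptables rules are not inspected.

```python
import re

# The four log lines from the first post in this thread.
SAMPLE_LOG = """\
Jul 18 23:14:01 www portsentry[23622]: attackalert: SYN/Normal scan from host: ACA566B7.ipt.aol.com/172.165.102.183 to TCP port: 12345
Jul 18 23:14:01 www portsentry[23622]: attackalert: Host 172.165.102.183 has been blocked via wrappers with string: "ALL: 172.165.102.183"
Jul 18 23:14:01 www portsentry[23622]: attackalert: SYN/Normal scan from host: ACA566B7.ipt.aol.com/172.165.102.183 to TCP port: 12345
Jul 18 23:14:01 www portsentry[23622]: attackalert: Host: ACA566B7.ipt.aol.com/172.165.102.183 is already blocked Ignoring
"""
SAMPLE_HOSTS_DENY = "ALL: 172.165.102.183\n"  # constructed sample, not from the thread

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
EVENTS = {
    "scan": re.compile(r"attackalert: \S+ scan from host: \S*?/" + IP + r" to (TCP|UDP) port: (\d+)"),
    "blocked": re.compile(r"attackalert: Host " + IP + r" has been blocked via wrappers"),
    "repeat": re.compile(r"attackalert: Host: \S*?/" + IP + r" is already blocked"),
}

def summarize(log_text):
    """Group portsentry attackalert lines by source IP."""
    hosts = {}
    for line in log_text.splitlines():
        for kind, rx in EVENTS.items():
            if not (m := rx.search(line)):
                continue
            h = hosts.setdefault(m.group(1), {"ports": set(), "scans": 0, "blocked": False, "repeats": 0})
            if kind == "scan":
                h["scans"] += 1
                h["ports"].add((m.group(2), int(m.group(3))))
            elif kind == "blocked":
                h["blocked"] = True
            else:  # further probe from a host portsentry had already blocked
                h["repeats"] += 1
    return hosts

def denied_hosts(hosts_deny_text):
    """IPs denied for every service by literal 'ALL: <ip>' entries."""
    denied = set()
    for line in hosts_deny_text.splitlines():
        daemons, _, clients = line.split("#", 1)[0].partition(":")
        if daemons.strip().upper() == "ALL":
            denied.update(re.findall(IP, clients))
    return denied

def verify(log_text, hosts_deny_text):
    report, denied = summarize(log_text), denied_hosts(hosts_deny_text)
    for ip, h in report.items():
        h["in_hosts_deny"] = ip in denied  # is the logged block really in place?
    return report
```

A host with `blocked` set but `in_hosts_deny` false is the case worth investigating: the log claims a block that the file does not contain.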

Studio64
07-20-2002, 04:41 AM
Originally posted by hosticle


*giggle*

Ditto... *giggle* :)

edude
07-20-2002, 06:27 AM
Why giggle? This guy is a pro hacker, don't mess with him ;)