-
04-22-2004, 11:27 PM #1 Junior Guru Wannabe
- Join Date
- Mar 2004
- Posts
- 78
Anyone notice the mass of scans lately?
I'm `cat -f`-ing my logs and it seems like every 5-15 mins there are at least 3 IP sources doing scans on like 5 port ranges.
Anyone else getting them? Most of them seem to be coming from southbell.net IP ranges.
-
04-23-2004, 01:06 AM #2 Web Hosting Master
- Join Date
- Dec 2002
- Location
- The Shadows
- Posts
- 2,925
Them l33t h4x0r3 trying to break in again?
Make sure you have a good firewall, look into something like snort (is that stuff still around?), and some other stuff, like portsentry and tripwire.
If you have a good setup, you have very little (note, I am not saying you have nothing to worry about) to worry about. You should always be worried, but remember, the only sure way to protect your server is to unplug it, so don't dig an early grave by worrying about portscans.
Just keep everything up to date, and have all the good security software installed, and portscans shouldn't hurt you too much. If all else fails, set it up to immediately drop any IPs that scan a certain port.
Dan Sheppard ~ Freelance whatever
-
04-23-2004, 01:12 AM #3 Junior Guru Wannabe
- Join Date
- Mar 2004
- Posts
- 78
I spent 15 hours a day for the last 4 days hardening it, and I'm monitoring it nearly every few hours now. I'm starting to relax, but man, having so many port scans is worrying. I'm using APF. Every port is blocked besides the ones that are needed.
-
04-23-2004, 01:29 AM #4 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
http://www.cipherdyne.com/psad/
Check that software out.
Steven Ciaburri | Industry's Best Server Management - Rack911.com
Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance
-
04-23-2004, 05:11 AM #5 Aspiring Evangelist
- Join Date
- Jun 2002
- Posts
- 362
Probably the latest variants of Phatbot going round; I'd expect more of the same for a while.
-
04-23-2004, 05:34 AM #6 Web Hosting Master
- Join Date
- Jan 2002
- Location
- Home, chair
- Posts
- 723
That's happening all the time, get used to it.
-
04-23-2004, 09:25 AM #7 Web Hosting Master
- Join Date
- Feb 2004
- Posts
- 1,269
I use snort and snortsam.
I made a rule that, when snort detects nmap or a few other kinds of scan, blocks the IP for 6 hours.
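As an added example (not code from this thread or from snort/snortsam), here is the same idea applied to the kind of firewall log the original poster is reading: count distinct destination ports per source inside a short window, treat a source that hits many ports as a scanner, and put it on a block list that expires after 6 hours, as the rule above does. The iptables-style log lines, the 60-second window and the 5-port threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the default iptables LOG format (syslog omits the year).
SAMPLE_LOG = """\
Apr 23 01:05:01 host kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4011 DPT=21 SYN
Apr 23 01:05:01 host kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4012 DPT=22 SYN
Apr 23 01:05:02 host kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4013 DPT=23 SYN
Apr 23 01:05:02 host kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4014 DPT=25 SYN
Apr 23 01:05:03 host kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4015 DPT=80 SYN
Apr 23 01:05:03 host kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=4016 DPT=110 SYN
Apr 23 01:06:10 host kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=80 SYN
Apr 23 01:09:30 host kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=443 SYN
"""
LOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(\S+) .*?DPT=(\d+)")
SCAN_WINDOW = timedelta(seconds=60)  # assumed: distinct ports are counted within 60 s
SCAN_PORTS = 5                       # assumed: 5+ distinct ports in the window = scan
BLOCK_FOR = timedelta(hours=6)       # same 6-hour block as the snortsam rule above

def parse_log(text, year=2004):
    """Return (time, src_ip, dst_port) for each iptables LOG line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((when, m.group(2), int(m.group(3))))
    return events

def find_scanners(events, window=SCAN_WINDOW, min_ports=SCAN_PORTS):
    """Map each source that hits min_ports distinct ports within window to its first hit time."""
    by_src = defaultdict(list)
    for when, src, dport in sorted(events):
        by_src[src].append((when, dport))
    detected = {}
    for src, hits in by_src.items():
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                detected[src] = start
                break
    return detected

def build_blocklist(detected, duration=BLOCK_FOR):
    """Map each scanning source to the time its temporary block expires."""
    return {src: when + duration for src, when in detected.items()}

def is_blocked(blocklist, src, now):
    # A block is in force only until its expiry; expired entries no longer match.
    return src in blocklist and now < blocklist[src]
```

Feeding this a real log instead of the sample gives a list of sources to hand to the firewall, with a timestamp after which each entry can be dropped again.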
-
04-23-2004, 09:36 AM #8 Web Hosting Evangelist
- Join Date
- Apr 2002
- Posts
- 499
Cool link, linuxguy.
-
04-23-2004, 10:58 AM #9 Web Hosting Master
- Join Date
- Dec 2001
- Posts
- 5,221
Greetings:
The scary part of it all is how quickly the hackers try to hack.
A few months back we put up a specialty mail server.
Within 15 minutes of the server being live for the 1st time on the Net, there were hackers trying to brute force SSH (yes, they were blocked by our security measures).
Thank you.
-
04-23-2004, 06:57 PM #10 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Originally posted by dynamicnet
Greetings:
The scary part of it all is how quickly the hackers try to hack.
A few months back we put up a specialty mail server.
Within 15 minutes of the server being live for the 1st time on the Net, there were hackers trying to brute force SSH (yes, they were blocked by our security measures).
Thank you.
Dude, you do realize it's not always hackers; it's automated "bots" or worms doing it, which is why it happens so fast. They scan random ranges, and imagine 500,000 computers doing the same, you have to expect it. I wouldn't be surprised if it happened 20 secs after putting the box online. It's a way of life, as you say it, get used to it.
-
04-23-2004, 06:59 PM #11 Problem Solver
- Join Date
- Mar 2003
- Location
- California USA
- Posts
- 13,681
Originally posted by Heymish
Probably the latest variants of Phatbot going round; I'd expect more of the same for a while.
Phatbot Feature List
(Many of these features are also present in Agobot)
- Has the ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system
- Checks to see if it is allowed to send mail to AOL, for spamming purposes
- Can steal Windows Product Keys
- Can run an IDENT server on demand
- Starts an FTP server to deliver the trojan binary to exploited hosts - ends the FTP session with the message "221 Goodbye, have a good infection ."
- Can run a socks, HTTP or HTTPS proxy on demand
- Can start a redirection service for GRE or TCP protocols
- Can scan for and use the following exploits to spread itself to new victims:
  - DCOM
  - DCOM2
  - MyDoom backdoor
  - DameWare
  - Locator Service (Update: This exploit appears to be non-functional)
  - Shares with weak passwords
  - WebDav
  - WKS - Windows Workstation Service
  - Update 2004-04-20 - Newer versions of Agobot and Phatbot have added scanner modules for:
    - Bagle virus backdoor
    - CPanel resetpass vulnerability
    - UPnP (MS01-059)
    - MSSQL weak administrator passwords
- Attempts to kill instances of MSBlast, Welchia and Sobig.F
- Can sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
- Can sniff FTP network traffic for usernames and passwords
- Can sniff HTTP network traffic for Paypal cookies
- Contains a list of nearly 600 processes to kill if found on an infected system. Some are antivirus software, others are competing viruses/trojans
- Tests the available bandwidth by posting large amounts of data to the following websites:
  - www.st.lib.keio.ac.jp
  - www.lib.nthu.edu.tw
  - www.stanford.edu
  - www.xo.net
  - www.utwente.nl
  - www.schlund.net
- Can steal AOL account logins and passwords
- Can steal CD Keys for several popular games
- Can harvest emails from the web for spam purposes
- Can harvest emails from the local system for spam purposes
Can do all of this and you don't need to know how to hack. People have botnets of 5k+ scanning all ranges you can think of.