  1. #1
    Join Date
    Mar 2004
    Posts
    78

    Anyone notice the mass of scans lately?

    I'm cat -f'ing my logs and it seems like every 5-15 mins there are at least 3 IP sources that do scans on like 5 port ranges.

    Anyone else getting them? Most of them seem to be coming from southbell.net IP ranges.

  2. #2
    Join Date
    Dec 2002
    Location
    The Shadows
    Posts
    2,925
    Them l33t h4x0r3 trying to break in again?

    Make sure you have a good firewall, look into something like snort (is that stuff still around?), and some other stuff, like portsentry and tripwire.

    If you have a good setup, you have very little (note, I am not saying you have nothing to worry about) to worry about. You should always be worried, but remember, the only sure way to protect your server is to unplug it, so don't dig an early grave by worrying about portscans.

    Just keep everything up to date, and have all the good security software installed, and portscans shouldn't hurt you too much. If all else fails, set it up to immediately drop any IPs that scan a certain port.
    Dan Sheppard ~ Freelance whatever

  3. #3
    Join Date
    Mar 2004
    Posts
    78
    I spent 15 hours a day for the last 4 days hardening it, and I'm monitoring it nearly every few hours now. I'm starting to relax, but man, having so many port scans is worrying. I'm using APF. Every port is blocked besides the ones that are needed.

  4. #4
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    http://www.cipherdyne.com/psad/

    check that software out
    Steven Ciaburri | Industry's Best Server Management - Rack911.com
    Software Auditing - 400+ Vulnerabilities Found - Quote @ https://www.RACK911Labs.com
    Fully Managed Dedicated Servers (Las Vegas, New York City, & Amsterdam) (AS62710)
    FreeBSD & Linux Server Management, Security Auditing, Server Optimization, PCI Compliance

  5. #5
    Join Date
    Jun 2002
    Posts
    362
    Probably the latest variants of Phatbot going round; I'd expect more of the same for a while.

  6. #6
    Join Date
    Jan 2002
    Location
    Home, chair
    Posts
    723
    That's happening all the time; get used to it.

  7. #7
    Join Date
    Feb 2004
    Posts
    1,269
    I use snort and snortsam.

    I made a rule that, when snort detects nmap or a few other kinds of scan, blocks the IP for 6 hours.
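    The auto-block the posts above describe (psad-style scan detection, then a 6-hour block as in this post), as an added example that is not code from the thread or from snort/snortsam/psad: a small Python detector over constructed iptables-style DROP log lines. The log format, the "5 distinct ports in 15 minutes" threshold and the year assumed for syslog timestamps are my assumptions.

```python
# Added example (not from the thread): a minimal psad/portsentry-style
# scan detector over iptables-style DROP log lines, with the 6-hour
# block expiry described in post #7. Log lines below are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: one noisy source hitting 5 ports, one normal client.
SAMPLE_LOG = """\
Apr 20 10:00:01 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4444 DPT=21 SYN
Apr 20 10:00:02 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4445 DPT=22 SYN
Apr 20 10:00:02 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=80 SYN
Apr 20 10:00:03 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4446 DPT=23 SYN
Apr 20 10:00:04 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4447 DPT=25 SYN
Apr 20 10:00:05 host kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4448 DPT=110 SYN
"""

def parse_ts(text, year=2004):
    # Syslog timestamps carry no year; the year is an assumption.
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")

def detect_scans(lines, threshold=5, window=timedelta(minutes=15),
                 block_for=timedelta(hours=6)):
    """Return {src: block_expiry} for sources that hit >= `threshold`
    distinct destination ports within `window`."""
    hits = defaultdict(list)          # src -> [(ts, dpt), ...]
    blocked = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue                  # not a firewall DROP line
        ts, src, dpt = parse_ts(m["ts"]), m["src"], int(m["dpt"])
        if src in blocked:
            continue                  # already blocked; nothing to do
        hits[src].append((ts, dpt))
        # Keep only events inside the sliding window, then count ports.
        hits[src] = [(t, p) for t, p in hits[src] if ts - t <= window]
        if len({p for _, p in hits[src]}) >= threshold:
            blocked[src] = ts + block_for   # expiry for the firewall rule
    return blocked

if __name__ == "__main__":
    for src, until in detect_scans(SAMPLE_LOG.splitlines()).items():
        print(f"block {src} until {until}")
```

    A real deployment would feed these entries to the firewall (APF, iptables) and unblock once the expiry passes; the normal client on port 80 is never touched.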

  8. #8
    Cool link, linuxguy.

  9. #9
    Greetings:

    The scary part of it all is how quickly the hackers try to hack.

    A few months back we put up a specialty mail server.

    Within 15 minutes of the server being live for the 1st time on the Net, there were hackers trying to brute force SSH (yes, they were blocked by our security measures).

    Thank you.
    ---
    Peter M. Abraham
    LinkedIn Profile

  10. #10
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Originally posted by dynamicnet
    Greetings:

    The scary part of it all is how quickly the hackers try to hack.

    A few months back we put up a specialty mail server.

    Within 15 minutes of the server being live for the 1st time on the Net, there were hackers trying to brute force SSH (yes, they were blocked by our security measures).

    Thank you.
     

    Dude, you do realize it's not always hackers; it's automated "bots" or worms doing it, which is why it happens so fast. They scan random ranges, and imagine 500,000 computers doing the same; you have to expect it. I wouldn't be surprised if it happened 20 secs after putting the box online. It's a way of life, as you say it; get used to it.

  11. #11
    Join Date
    Mar 2003
    Location
    California USA
    Posts
    13,681
    Originally posted by Heymish
    Probably the latest variants of Phatbot going round; I'd expect more of the same for a while.

    Phatbot Feature List
    (Many of these features are also present in Agobot)

    • Has the ability to polymorph on install in an attempt to evade antivirus signatures as it spreads from system to system
    • Checks to see if it is allowed to send mail to AOL, for spamming purposes
    • Can steal Windows Product Keys
    • Can run an IDENT server on demand
    • Starts an FTP server to deliver the trojan binary to exploited hosts - ends the FTP session with the message "221 Goodbye, have a good infection ."
    • Can run a socks, HTTP or HTTPS proxy on demand
    • Can start a redirection service for GRE or TCP protocols
    • Can scan for and use the following exploits to spread itself to new victims:
      • DCOM
      • DCOM2
      • MyDoom backdoor
      • DameWare
      • Locator Service (Update: This exploit appears to be non-functional)
      • Shares with weak passwords
      • WebDav
      • WKS - Windows Workstation Service
    • Update 2004-04-20 - Newer versions of Agobot and Phatbot have added scanner modules for:
      • Bagle virus backdoor
      • CPanel resetpass vulnerability
      • UPnP (MS01-059)
      • MSSQL weak administrator passwords
    • Attempts to kill instances of MSBlast, Welchia and Sobig.F
    • Can sniff IRC network traffic looking for logins to other botnets and IRC operator passwords
    • Can sniff FTP network traffic for usernames and passwords
    • Can sniff HTTP network traffic for Paypal cookies
    • Contains a list of nearly 600 processes to kill if found on an infected system. Some are antivirus software, others are competing viruses/trojans
    • Tests the available bandwidth by posting large amounts of data to the following websites:
      • www.st.lib.keio.ac.jp
      • www.lib.nthu.edu.tw
      • www.stanford.edu
      • www.xo.net
      • www.utwente.nl
      • www.schlund.net
    • Can steal AOL account logins and passwords
    • Can steal CD Keys for several popular games
    • Can harvest emails from the web for spam purposes
    • Can harvest emails from the local system for spam purposes


    Can do all of this and you don't need to know how to hack. People have botnets of 5k+ scanning all ranges you can think of.
