  1. #1
    Join Date
    Apr 2001
    Location
    Montana USA
    Posts
    673

    Question detecting a portscanner

    We've got a customer who is running some sort of web-app and probing port 1080 on other networks. We know it's a web-app because the source IPs in reports from other providers have all pointed at webservers with no shell access.

    I am looking for ways to detect this user and not coming up with anything so far. Any good ideas? Some way to use tcpdump or netstat perhaps?
    John Masterson
    Former Hosting Company Owner

  2. #2
    Join Date
    Apr 2001
    Location
    Montana USA
    Posts
    673
    Got it:

    First,

    netstat -pn | grep 1080


    The program name is displayed in the last field of output.

    Then,

    ps -auxwww | grep [program name]

    The username is the first field.

    Then, delete the user account. Adios, Russian hacker.
    John Masterson
    Former Hosting Company Owner
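The netstat-then-ps lookup from post #2, as an added example that is not part of the thread: it matches only the remote port, so a PID of 1080 or a client port such as 10801 is not counted the way a plain `grep 1080` would count it. The function names and the sample connections are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.

# Reads `netstat -tnp` output on stdin and prints "count pid program" for each
# process holding TCP connections to the given remote port, busiest first.
outbound_by_process() {
    port="${1:-1080}"
    awk -v port="$port" '
        # TCP rows only, and only rows where netstat could show PID/Program.
        $1 ~ /^tcp/ && $7 ~ /^[0-9]+\// {
            n = split($5, addr, ":")     # Foreign Address; last piece is the port
            if (addr[n] != port) next    # skip local-port and substring matches
            split($7, proc, "/")         # "PID/Program name"
            count[proc[1] " " proc[2]]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Account that owns a PID (the first field of the ps listing in the post).
pid_owner() {
    ps -o user= -p "$1" | tr -d ' '
}

# Constructed sample shaped like `netstat -tnp` output on a shared web server.
# Addresses come from the documentation ranges; PIDs and names are made up.
sample_netstat() {
    cat <<'EOF'
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      1 192.0.2.10:41234        198.51.100.7:1080       SYN_SENT    2317/perl
tcp        0      1 192.0.2.10:41235        198.51.100.8:1080       SYN_SENT    2317/perl
tcp        0      1 192.0.2.10:41236        203.0.113.9:1080        SYN_SENT    2317/perl
tcp        0      0 192.0.2.10:80           203.0.113.50:10801      ESTABLISHED 901/httpd
tcp        0      0 192.0.2.10:80           203.0.113.51:52000      ESTABLISHED 1080/httpd
tcp        0      1 192.0.2.10:41300        198.51.100.20:1080      SYN_SENT    2544/scan.cgi
tcp        0      0 192.0.2.10:41301        198.51.100.21:1080      TIME_WAIT   -
EOF
}

# Live use (run as root so netstat can show other users' PIDs):
#   netstat -tnp | outbound_by_process 1080
#   pid_owner <pid from the first column after the count>
```

On the sample, the two httpd rows that a plain `grep 1080` would also print are left out, and the perl process with three pending connections sorts to the top.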

  3. #3
    Join Date
    Mar 2002
    Location
    Magnolia, DE, USA
    Posts
    41
    Set up ipchains to null route any outbound port 1080 traffic. I'm too tired to write the exact code but it would not be hard to do, and then just drop the command into your rc.local file to run. When the guy gives up just take it out.
