[ale] Unusual scans
Jason Day
jasonday at worldnet.att.net
Fri Aug 22 10:44:50 EDT 2003
On Fri, Aug 22, 2003 at 09:35:07AM -0400, Jonathan Rickman wrote:
> On Thursday 21 August 2003 17:18, Jason Day wrote:
> > I'm seeing a lot of port scans today and yesterday to port 1 on my
> > firewall box. Anybody know what this might be? What service binds to
> > port 1?
>
> How are you detecting them? Do you have a packet capture?
I'm using portsentry and ipchains. Sorry, no packet capture. Here's a
sample log entry:

Aug 21 19:25:34 spiderman portsentry[344]: attackalert: TCP SYN/Normal scan from host: 24.92.223.189/24.92.223.189 to TCP port: 1
Aug 21 19:25:34 spiderman portsentry[344]: attackalert: Host 24.92.223.189 has been blocked via wrappers with string: "ALL: 24.92.223.189 : DENY"
Aug 21 19:25:34 spiderman portsentry[344]: attackalert: Host 24.92.223.189 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 24.92.223.189 -j REJECT"

Note that when I say "a lot", I mean like 10 in a day. I'm just on a
cable modem, and I'm fortunate enough to apparently only get the
standard script kiddie scans. But 10 scans to port 1 is unusual enough
that I thought I'd ask around.
Haven't seen any today, though...
--
Jason Day jasonday at
http://jasonday.home.att.net worldnet dot att dot net
"Of course I'm paranoid, everyone is trying to kill me."
-- Weyoun-6, Star Trek: Deep Space 9
_______________________________________________
Ale mailing list
Ale at ale.org
http://www.ale.org/mailman/listinfo/ale
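
An added example, not part of the original message: one way to answer "how many hosts scanned which port" from portsentry alerts like the ones quoted above. It assumes each syslog entry is on a single line; the function names, the threshold of 3 sources and all sample lines after the first two are constructed for illustration.

```python
import re
from collections import defaultdict

# portsentry scan alert in the format shown in the post.
SCAN_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: (?P<kind>.+?) scan from host: "
    r"(?P<host>[^/\s]+)/(?P<ip>\S+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)\s*$"
)

def tally_scans(lines):
    """Return {(proto, port): set of source IPs} for every scan alert."""
    by_port = defaultdict(set)
    for line in lines:
        m = SCAN_RE.search(line)
        if m:  # "has been blocked" follow-up lines do not match and are skipped
            by_port[(m["proto"], int(m["port"]))].add(m["ip"])
    return dict(by_port)

def multi_source_ports(by_port, min_sources=3):
    """Ports probed by at least min_sources distinct hosts, busiest first."""
    hits = [(key, len(ips)) for key, ips in by_port.items() if len(ips) >= min_sources]
    return sorted(hits, key=lambda kv: (-kv[1], kv[0]))

# The first two entries are from the post; the others are constructed
# (documentation-range addresses) so the example runs offline.
SAMPLE_LOG = [
    'Aug 21 19:25:34 spiderman portsentry[344]: attackalert: TCP SYN/Normal '
    'scan from host: 24.92.223.189/24.92.223.189 to TCP port: 1',
    'Aug 21 19:25:34 spiderman portsentry[344]: attackalert: Host 24.92.223.189 '
    'has been blocked via wrappers with string: "ALL: 24.92.223.189 : DENY"',
    'Aug 21 20:02:11 spiderman portsentry[344]: attackalert: TCP SYN/Normal '
    'scan from host: 192.0.2.10/192.0.2.10 to TCP port: 1',
    'Aug 21 21:47:58 spiderman portsentry[344]: attackalert: TCP SYN/Normal '
    'scan from host: 198.51.100.7/198.51.100.7 to TCP port: 1',
    'Aug 21 22:13:40 spiderman portsentry[344]: attackalert: TCP SYN/Normal '
    'scan from host: 203.0.113.5/203.0.113.5 to TCP port: 111',
    'Aug 21 23:30:02 spiderman portsentry[344]: attackalert: UDP '
    'scan from host: 203.0.113.9/203.0.113.9 to UDP port: 161',
]

if __name__ == "__main__":
    for (proto, port), count in multi_source_ports(tally_scans(SAMPLE_LOG)):
        print(f"{proto} port {port}: {count} distinct source hosts")
```

Counting distinct sources rather than raw alerts matters here because portsentry blocks a host after its first alert, so repeat hits from one address are already suppressed.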