I saw this in my logs last year...

Dec 30 22:51:23 named[2728]: unapproved query from [200.230.208.18].2040 for
"version.bind"

Guess the Boys from Brazil were checking to see if I'm running a
compromisable version of BIND.


%-> socks           1080/tcp                        # socks proxy server
%-> socks           1080/udp                        # socks proxy server
%->
%-> Most recent snoop:
%->
%-> Active System Attack Alerts
%-> =-=-=-=-=-=-=-=-=-=-=-=-=-=
%-> Jan  3 17:11:25 ns portsentry[545]: attackalert: Connect from
%-> host: user-33qtnd1.dialup.mindspring.com/199.174.221.161 to TCP
%-> port: 1080
%-> Jan  3 17:11:26 ns portsentry[545]: attackalert: Host
%-> 199.174.221.161 has been
%-> blocked via wrappers with string: "ALL: 199.174.221.161"
%-> Jan  3 17:11:26 ns portsentry[545]: attackalert: Host
%-> 199.174.221.161 has been
%-> blocked via dropped route using command: "/sbin/ipchains -I
%-> input -s 199.174.221.161 -j DENY -l"
%-> Jan  3 17:11:26 ns portsentry[545]: attackalert: Connect from
%-> host: user-33qtnd1.dialup.mindspring.com/199.174.221.161 to TCP
%-> port: 1080
%-> Jan  3 17:11:26 ns portsentry[545]: attackalert: Host:
%-> 199.174.221.161 is
%-> already blocked. Ignoring
%->
%-> I don't know what they're looking for... my guess is some
%-> Mickeysoft garbage
%-> which I don't have but I don't know for sure.


1080 is for SOCKS (http://www.socks.nec.com/). Don't think there's a
vulnerability there... well, not a documented one at least. Normally, people
use SOCKS to enhance security, as a type of firewall. Been thinking about
implementing that here actually.

I'm not 100% sure that portsentry is a good solution. It seems to react to a
lot of legitimate traffic.


-- Juha
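Added example, not from this thread or from the portsentry project: a short Python triage script that parses portsentry `attackalert` lines and named `version.bind` entries in the format quoted above, aggregates them per source address, and lists hosts that got blocked after touching a single port, which are the cases worth reviewing as possible false positives. The sample log lines are constructed to match the quoted format; addresses and hostnames are illustrative.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same layout as the portsentry and named
# entries quoted in the thread (one log record per line, unwrapped).
SAMPLE_LOG = """\
Dec 30 22:51:23 named[2728]: unapproved query from [200.230.208.18].2040 for "version.bind"
Jan  3 17:11:25 ns portsentry[545]: attackalert: Connect from host: user-33qtnd1.dialup.mindspring.com/199.174.221.161 to TCP port: 1080
Jan  3 17:11:26 ns portsentry[545]: attackalert: Host 199.174.221.161 has been blocked via wrappers with string: "ALL: 199.174.221.161"
Jan  3 17:11:26 ns portsentry[545]: attackalert: Host 199.174.221.161 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 199.174.221.161 -j DENY -l"
Jan  3 17:11:26 ns portsentry[545]: attackalert: Connect from host: user-33qtnd1.dialup.mindspring.com/199.174.221.161 to TCP port: 1080
Jan  3 17:11:26 ns portsentry[545]: attackalert: Host: 199.174.221.161 is already blocked. Ignoring
"""

# portsentry "Connect from" record: hostname/ip, protocol and port probed
CONNECT_RE = re.compile(
    r"attackalert: Connect from host: (?P<name>\S+)/(?P<ip>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)")
# portsentry block record (wrappers or dropped route) or the "already blocked" notice
BLOCK_RE = re.compile(
    r"attackalert: Host:? (?P<ip>[\d.]+) "
    r"(?:has been blocked via (?P<how>wrappers|dropped route)|is already blocked)")
# named refusing a version.bind query from a remote address
VERSION_RE = re.compile(
    r'named\[\d+\]: unapproved query from \[(?P<ip>[\d.]+)\]\.\d+ for "version\.bind"')


def summarize(log_text):
    """Per source IP: set of (proto, port) probed, block actions in order,
    and whether the host asked the nameserver for version.bind."""
    hosts = defaultdict(lambda: {"ports": set(), "blocks": [], "version_bind": False})
    for line in log_text.splitlines():
        if m := CONNECT_RE.search(line):
            hosts[m["ip"]]["ports"].add((m["proto"], int(m["port"])))
        elif m := BLOCK_RE.search(line):
            hosts[m["ip"]]["blocks"].append(m["how"] or "already-blocked")
        elif m := VERSION_RE.search(line):
            hosts[m["ip"]]["version_bind"] = True
    return dict(hosts)


def single_port_hits(summary):
    """IPs that were blocked after connecting to exactly one port: the
    candidates for the 'reacts to legitimate traffic' complaint."""
    return sorted(ip for ip, h in summary.items()
                  if len(h["ports"]) == 1 and h["blocks"])
```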


