Re: i've been port scanned. now what
Daniel,

Wouldn't surprise me. Often these kinds of things are done from compromised hosts, so that they don't reveal the true identity of the attacker (who, obviously, doesn't want to go to jail ;).

Regards,
Alex.

On Mon, 5 Mar 2001, Szabó Dániel wrote:
> Hello.
> My packet filter ruleset caught somebody port scanning one of our hosts.
> He or she tried to scan a very big port range from tcp 1 up to 32000 (think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 mb log in 3 minutes with the denied packets). I have his/her
> ipv4 address, and I would like to ask, what should I do now? I figured out
> from the ripe.net whois db, that the ip is owned by one of the ISPs from my
> country, is it possible, that the scanner cracked the isp's machine, then
> pushed the scan from there?
>
> Thanks,
> Daniel
RE: i've been port scanned. now what
Well, as a network administrator, I feel thusly:

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf
> Of Tim Haynes
> Subject: Re: i've been port scanned. now what
>
> Nathan E Norman <[EMAIL PROTECTED]> writes:
>
> [snip]

[...]

> Sure, but I hope you didn't let rip with them on other networks
> or sections
> of network over which you didn't have control.

If I get a scathing phone call about someone scanning, say, <1024, one time through, I'm a gonna be pissed.

> What I'd suggest is that the OP applies a scale to it: a few ports scanned
> in succession is not worthwhile waking a net-admin up for; a few ports
> scanned multiple times over is getting more interesting; a large range of
> ports also bumps up the `score'; a repetitive attack on many sensitive
> ports (111/tcp, 53/tcp, 21/tcp, you know the sort of thing) would have me
> on the 'phone to whoever was listed in `whois`.

  1-1024 one time through = whatever, dude..
  >1024 || (<1024 more than once) = This is more interesting
  Poking at specific ports = more interesting
  DoS coming from my system = Dammit, you had better wake me up!

> > You could always send an email to the ISP in question and ask them what
> > they think; whether they want a copy of the logs, etc.
>
> Agreed. By the above scaling system, it could be worse. Still, it's
> worthwhile asking `oi you, what's up, d'you mind?' or somesuch.

A polite email at any level would be appreciated, I do agree.. Something along the lines of "Hey, I noticed something funny..."

--
T. Alex Swavely
"So I thought to myself, 'if this were the coolest place in the world, would they have only one pair of rubber party pants?'"
Re: i've been port scanned. now what
On Tue, Mar 06, 2001 at 01:12:46AM +, Tim Haynes wrote:
> > It's also possible that someone is just exploring.
>
> Then they need educating that scanning such a vast range of ports is an
> unacceptable definition of `exploring'.

Well, that's your opinion. I don't know that I agree ... presumably I've already tied down my services; why do I care if someone is checking which ports are open? When I did see an extensive portscan I usually fired off one of my own to see what was up at that end. More often than not it turned out to be a misconfigured monitoring box (ever seen Whatsup at work?)

OTOH I'll always defend your right to apply your opinion to your machines; if you want to get after someone who's portscanning your machines I won't stop you :)

> > As a former network administrator I wasn't too worried about portscans
> > unless they were followed up with actual connections. I also used
> > portscans when needed to discover what users on the network were up to.
>
> Sure, but I hope you didn't let rip with them on other networks or sections
> of network over which you didn't have control.

We had a /18; I had plenty of IPs to keep an eye on. Some people were less cooperative than others.

--
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc.                 | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]       |   -- Patton
Re: i've been port scanned. now what
On Mon, Mar 05, 2001 at 11:37:17PM +0100, Szabó Dániel <[EMAIL PROTECTED]> wrote:
> My packet filter ruleset caught somebody port scanning one of our hosts.
> He or she tried to scan a very big port range from tcp 1 up to 32000 (think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 mb log in 3 minutes with the denied packets). I have his/her
> ipv4 address, and I would like to ask, what should I do now? I figured out
> from the ripe.net whois db, that the ip is owned by one of the ISPs from my
> country, is it possible, that the scanner cracked the isp's machine, then
> pushed the scan from there?

The scanner is probably connected to the internet through that ISP.

Your response to the scan should probably depend on your opinion on portscans in general. Some people believe portscans are only used by crackers. If you agree with them a possible response to the scan is sending a mail with the IP of the scanner, the exact time of the scan and any other information you think might be relevant to [EMAIL PROTECTED]

On the other hand, if you agree with people who believe portscans have legitimate uses (like finding out if someone is providing an ftp-server) you should probably do nothing since the scan was very general and not targeted at ports that are likely to have exploitable services on them. This is my current point of view.

There's been a discussion about portscans not too long ago on debian-security (and probably any security related mailinglist) btw.

Finally, one note of warning: whatever you do, don't try to think of portscans in terms of what I'd call the '(breaking in to)/(looking at a) house'-metaphor. IMHO it does not provide a suitable mapping of the situation to one in real life at all and I find it rapidly becoming very annoying.

Tim

ps. This is *not* an invitation to start another discussion about portscans. The issue has been beaten to death already and I'm convinced a simple google search will provide excellent writings about all views on the subject.

--
Tim van Erven
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Re: i've been port scanned. now what
Nathan E Norman <[EMAIL PROTECTED]> writes:

[snip]
> Well, that all depends ... do you consider port scanning criminal
> activity or not?
>
> I do not - I think you should view a port scan as a possible indication
> that someone intends to attack you.

Agreed.

> It's also possible that someone is just exploring.

Then they need educating that scanning such a vast range of ports is an unacceptable definition of `exploring'.

> As a former network administrator I wasn't too worried about portscans
> unless they were followed up with actual connections. I also used
> portscans when needed to discover what users on the network were up to.

Sure, but I hope you didn't let rip with them on other networks or sections of network over which you didn't have control.

What I'd suggest is that the OP applies a scale to it: a few ports scanned in succession is not worthwhile waking a net-admin up for; a few ports scanned multiple times over is getting more interesting; a large range of ports also bumps up the `score'; a repetitive attack on many sensitive ports (111/tcp, 53/tcp, 21/tcp, you know the sort of thing) would have me on the 'phone to whoever was listed in `whois`.

> You could always send an email to the ISP in question and ask them what
> they think; whether they want a copy of the logs, etc.

Agreed. By the above scaling system, it could be worse. Still, it's worthwhile asking `oi you, what's up, d'you mind?' or somesuch.

~Tim

--
Roobarb and Custard let fly   |[EMAIL PROTECTED]
with their secret weapon.     |http://spodzone.org.uk/
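The scale Tim Haynes lays out above (and T. Alex Swavely's variant of it earlier on this page) can be applied mechanically to the denied-packet log the original poster describes. The script below is an added example, not code from anyone in the thread: it assumes an iptables-style kernel LOG line format, constructed sample entries in documentation address ranges, and the cut-offs FEW_PORTS and LARGE_RANGE as tunable guesses at what "a few ports" and "a large range" mean.

```python
import re
from collections import Counter, defaultdict

# Ports the thread singles out as sensitive (111/tcp, 53/tcp, 21/tcp); extend to taste.
SENSITIVE_PORTS = {21, 53, 111}
FEW_PORTS = 5         # assumed cut-off for "a few ports"
LARGE_RANGE = 1000    # assumed cut-off for "a large range of ports"

# Pulls the fields this example needs out of an iptables-style kernel DENY line.
LOG_RE = re.compile(r"SRC=(?P<src>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)")


def parse_denied(lines):
    """Map each source address to a Counter of {destination port: hits} (TCP only)."""
    hits = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.search(line)
        if m and m.group("proto") == "TCP":
            hits[m.group("src")][int(m.group("dpt"))] += 1
    return hits


def score_source(port_hits):
    """Apply the thread's scale to one source. Returns (score, reasons)."""
    distinct = len(port_hits)
    repeated = sorted(p for p, n in port_hits.items() if n > 1)
    span = max(port_hits) - min(port_hits) + 1
    sensitive_repeats = [p for p in repeated if p in SENSITIVE_PORTS]
    score, reasons = 0, []
    if repeated:                                     # a few ports scanned multiple times
        score += 1
        reasons.append(f"{len(repeated)} port(s) probed more than once")
    if distinct > FEW_PORTS or span >= LARGE_RANGE:  # a large range bumps up the score
        score += 1
        reasons.append(f"{distinct} distinct ports over a span of {span}")
    if sensitive_repeats:                            # repetitive probing of sensitive ports
        score += 2
        reasons.append(f"repeated probes of sensitive ports {sensitive_repeats}")
    if not reasons:
        reasons.append("a few ports, each once: not worth waking anyone up for")
    return score, reasons


def level_for(score):
    """Collapse the numeric score into the three responses the thread discusses."""
    if score >= 3:
        return "contact whois abuse"
    return "interesting" if score else "ignore"


def triage(lines):
    """Return {src: {"score", "level", "reasons"}} for every source seen in the log."""
    return {
        src: {"score": s, "level": level_for(s), "reasons": r}
        for src, counts in parse_denied(lines).items()
        for s, r in [score_source(counts)]
    }


def make_line(src, dpt, ts="Mar  5 23:37:17"):
    # Constructed log line in a generic iptables LOG format (not taken from the thread).
    return (f"{ts} gw kernel: DENY IN=eth0 SRC={src} DST=198.51.100.5 "
            f"PROTO=TCP SPT=40000 DPT={dpt}")


# Constructed sample: one broad sweep, one repeated poke at sensitive ports, one harmless pair.
SAMPLE_LOG = (
    [make_line("203.0.113.7", p) for p in range(1, 3001)]
    + [make_line("192.0.2.44", p) for p in (21, 53, 111) for _ in range(4)]
    + [make_line("192.0.2.9", p) for p in (80, 443)]
)

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG).items():
        print(src, verdict["level"], "-", "; ".join(verdict["reasons"]))
```

On the sample, the 1-3000 sweep lands at "interesting" (large range, nothing repeated), the four-fold poking of 21/53/111 reaches "contact whois abuse", and the two single probes are ignored, which matches where the different posters in this thread draw their lines.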
Re: i've been port scanned. now what
On Mon, Mar 05, 2001 at 11:37:17PM +0100, Szabó Dániel wrote:
> Hello.
> My packet filter ruleset caught somebody port scanning one of our hosts.
> He or she tried to scan a very big port range from tcp 1 up to 32000 (think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 mb log in 3 minutes with the denied packets). I have his/her
> ipv4 address, and I would like to ask, what should I do now? I figured out
> from the ripe.net whois db, that the ip is owned by one of the ISPs from my
> country, is it possible, that the scanner cracked the isp's machine, then
> pushed the scan from there?

Well, that all depends ... do you consider port scanning criminal activity or not?

I do not - I think you should view a port scan as a possible indication that someone intends to attack you. It's also possible that someone is just exploring.

As a former network administrator I wasn't too worried about portscans unless they were followed up with actual connections. I also used portscans when needed to discover what users on the network were up to.

You could always send an email to the ISP in question and ask them what they think; whether they want a copy of the logs, etc.

--
Nathan Norman - Staff Engineer | A good plan today is better
Micromuse Inc.                 | than a perfect plan tomorrow.
mailto:[EMAIL PROTECTED]       |   -- Patton
Re: i've been port scanned. now what
On Mon, Mar 05, 2001 at 11:37:17PM +0100, Szabó Dániel wrote:
> Hello.
> My packet filter ruleset caught somebody port scanning one of our hosts.
> He or she tried to scan a very big port range from tcp 1 up to 32000 (think
> with nmap), but my packet filter denied his/her queries (the kernel
> generated 1 mb log in 3 minutes with the denied packets). I have his/her
> ipv4 address, and I would like to ask, what should I do now? I figured out
> from the ripe.net whois db, that the ip is owned by one of the ISPs from my
> country, is it possible, that the scanner cracked the isp's machine, then
> pushed the scan from there?

It's a lot more likely that the person that scanned you is simply one of the ISP's customers. The ISP owns the IPs they assign to their customers' machines. If all the guy did was scan, then don't do anything unless he does it again or something. If there were any signs of an actual attack, like sending nastygrams to your web server or something, then you should contact his ISP and show them the log.

(My philosophy is that portscanning is more or less innocent and curiosity driven, and so shouldn't be punished unless it causes a DoS or something. If you feel otherwise, you might want to show the logs you have to the scanner's ISP, with timestamp, so they can figure out who had that IP at that time. I think that would be going to more trouble than it's worth, though.)

--
#define X(x,y) x##y
Peter Cordes ; e-mail: X([EMAIL PROTECTED] , ns.ca)

"The gods confound the man who first found out how to distinguish the hours! Confound him, too, who in this place set up a sundial, to cut and hack my day so wretchedly into small pieces!" -- Plautus, 200 BCE
i've been port scanned. now what
Hello.

My packet filter ruleset caught somebody port scanning one of our hosts. He or she tried to scan a very big port range from tcp 1 up to 32000 (think with nmap), but my packet filter denied his/her queries (the kernel generated 1 mb log in 3 minutes with the denied packets). I have his/her ipv4 address, and I would like to ask, what should I do now? I figured out from the ripe.net whois db, that the ip is owned by one of the ISPs from my country, is it possible, that the scanner cracked the isp's machine, then pushed the scan from there?

Thanks,
Daniel