On Tue, Jul 06, 1999 at 04:33:31AM -0500, Thomas Cameron wrote:
| That they scan is not a rumor. From my logs:
...
Yup. They scan.
| The cpusge.mediaone.net machine is one of our corporate resources. We
| apologize for any inconvenience or concern this may have caused. Due to the
| large number of users running wide open proxies, which hackers can use as
| jump points to send SPAM, hack, etc., it is necessary to search for any open
| proxies in an attempt to locate, and have our customers secure their proxy
| servers before any problems arise.
Sounds good, but let's list what they probe for -
telnet, ftp, www, smtp, netbus (on the default port)
If they *really* were trying to probe for open proxies, you'd think
they'd check port 1080 ... but last I checked, they don't. (Though
some socks proxies can be found on the telnet port too, of course.)
They also don't seem to probe for Back Orifice (at least not on its
default port. Probably because they couldn't figure out how to probe
UDP.)
I'm not sure what they try to do with the other ports, but with
sendmail they try to relay through it -
Mar 1 21:11:10 algol sendmail[10593]: VAA10593: ruleset=check_rcpt,
[EMAIL PROTECTED], relay=cpusge.mediaone.net [24.128.6.200], reject=471
[EMAIL PROTECTED] Relaying denied
Personally, my answer was to just firewall all traffic from that
subnet - but I do still see them knocking from time to time.
--
Doug McLaren, [EMAIL PROTECTED]
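
An added example, not part of the original message: one way to tally sendmail check_rcpt "Relaying denied" rejections per remote host, so repeat relay probes like the one in the log above stand out. The sample log lines, host names and addresses are constructed, and the first entry is wrapped the way mail clients wrap pasted logs.

```python
import re
from collections import Counter

# A syslog timestamp ("Mar  1 21:11:10 ") marks the start of a new entry.
ENTRY_START = re.compile(r"^[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d ")
# relay= is "host [ip]", or just "[ip]" when the address has no reverse DNS.
REJECT = re.compile(
    r"sendmail\[\d+\]: \w+: ruleset=check_rcpt,.*?"
    r"relay=(?:(?P<host>[^\s\[]+) )?\[(?P<ip>[\d.]+)\],.*Relaying denied"
)

# Constructed sample data (documentation addresses and example domains).
SAMPLE = """\
Mar  1 21:11:10 mx1 sendmail[10593]: VAA10593: ruleset=check_rcpt,
arg1=<user@example.net>, relay=scanner.example.org [192.0.2.200],
reject=550 <user@example.net>... Relaying denied
Mar  1 21:11:12 mx1 sendmail[10594]: VAA10594: from=<a@example.com>, size=512, relay=mail.example.com [198.51.100.7]
Mar  3 02:40:01 mx1 sendmail[11820]: CAA11820: ruleset=check_rcpt, arg1=<x@example.net>, relay=scanner.example.org [192.0.2.200], reject=550 <x@example.net>... Relaying denied
Mar  4 09:15:33 mx1 sendmail[12001]: JAA12001: ruleset=check_rcpt, arg1=<y@example.net>, relay=[203.0.113.9], reject=550 <y@example.net>... Relaying denied
""".splitlines()

def unwrap(lines):
    """Rejoin log entries that were wrapped onto several lines."""
    entries = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if ENTRY_START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line  # continuation of the previous entry
    return entries

def relay_probes(lines):
    """Count relay rejections per (relay host, IP address)."""
    hits = Counter()
    for entry in unwrap(lines):
        m = REJECT.search(entry)
        if m:
            hits[(m.group("host") or "unknown", m.group("ip"))] += 1
    return hits

if __name__ == "__main__":
    for (host, ip), count in relay_probes(SAMPLE).most_common():
        print(f"{count:3d}  {ip:15s}  {host}")
```
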