
Re: [cobalt-users] Portsentry & Hack Attempt



On Mon, 5 Mar 2001, Steve Buza wrote:

> Hi,
> 
> Sorry, this is a bit long, but what does the following log entry tell you?
> nnn.nnn.nnn.nnn is of course the same IP address for each of the entries in
> the Portsentry log.  Add to this that this IP address is actually one of
> mine.  It is in my dialup modem pool.  And, I have a RADIUS log that shows a
> specific user logging in on this IP address at 11:26:04 and logging out at
> 11:45:15.
> 
> What should I do about/with this information?  Should I just disable the
> account.  Should I report it to someone, and if so, who?

Well, no question someone portscanned your machine, though they either
didn't have a very good tool, or didn't know how to use it (I can port
scan you and you will never know unless you are running something advanced
like snort ;), or they didn't care if you noticed...

The set of ports scanned tells me they did 2 things:
they were trying to get an OS signature (the set of low ports highly
likely to be open, netstat, finger, tcpmux) and they were looking at some
exploitable ports, though not many, and not the ones I'd expect from a
concerted attack. (However, if you are using portsentry and it's in
normal mode, it only noted the small set of ports it's set to watch, so
you may have missed a great many ports, and in fact I think this is the
case; note the time lag between the last 2 ports.)

The problem here is you don't know intent: did
they find some kiddie script and run it? Or were they just playing with
something with no real intention of doing anything? Or was their machine
compromised and it happened under remote control? Without live packet
logging at the router you aren't going to be able to easily answer the
last question. If the last is true, you need to tell them; they may have
no idea something nasty is living on their computer, but if they are up to
mischief, your best bet may be to not say anything for a while and log
packets...

The other issue is: do you have an AUP that prohibits portscanning/IP
walking? If you don't, you might consider doing so; you can always ignore
enforcing it, but you can't easily enforce it if you don't have it -/

Last, I would note that port scans can be legitimate in some cases, e.g.
verifying that a machine is/isn't compromised. I don't recommend most
people do this without understanding the consequences and potential side
effects, but it is occasionally done, and has no evil intent.
(And in the US it appears that it is in fact legal.)

Personally, I'd call them and tell them you know all about their portscan
and tell them it's not permitted behaviour; if it's some 10 year old kid
that should scare the bejeepers out of them and probably prevent
further mischief ;)

This is remarkably effective when the person doing funky things is a kid.
(Quoting the federal anti-hacking law is fun too ;)
(don't email them, mommy will never see the email-)

gsh
 
> Mar  3 11:27:22 SYN/Normal scan from host: nnn.nnn.nnn.nnn to TCP port: 635
> Mar  3 11:27:45 SYN/Normal scan from host: nnn.nnn.nnn.nnn to TCP port: 1080

PS: you might consider port forwarding *all* outgoing traffic from dialup
from a few 'odd' ports to some other machine that can note the peculiar
activity (for example, it's pretty rare these days for anyone to have
public nfs/rpc services; even if it's only a configuration error on the
part of a dialup user, at least you get a hint something weird is
happening), and I hope you block netbios -/