Logcheck Alert Questions

jay jay at musubi.org
Tue Jun 19 14:32:53 PDT 2001


unless you're running a dns server or an ftp server, there is no
good reason for those boxes to be hitting you on those ports.

111 is for portmapper.  there were a bunch of rpc.statd exploits
released a while ago, so this may be script kid type activity.

ohmygod, i have such a craving for poke right now.
spicy ahi poke.

aaaaaaaaaaaaagh.

anyone got a good recipe?

=jay

On Tue, 19 Jun 2001, Erich S. wrote:

> Hiya Folks!
>
> I've just recently installed logcheck and portsentry on a test machine and
> although I was expecting to see a bit of scan activity notices, I was a
> bit surprised at how many are showing up. Before getting too paranoid I was
> wondering if these are really probes, or I'm just picking up 'noise'.
>
> Port 111 seems to be popular. I've noticed quite a few scans from what
> appear to be DNS servers to my port 53. Is it normal for them to try and
> talk to my box on this port? (Port 53 is DNS right?) Are that many
> machines out there 'owned'...*yikes*
>
> Below is a snippet from logcheck's email to me.
>
> Active System Attack Alerts
> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> Jun 19 07:24:39 mako portsentry[20214]: attackalert: UDP scan from host: 198.64.193.60/198.64.193.60 to UDP port: 53
> Jun 19 07:24:39 mako portsentry[20214]: attackalert: Host 198.64.193.60 has been blocked via wrappers with string: "ALL: 198.64.193.60"
> Jun 19 07:24:39 mako portsentry[20214]: attackalert: Host 198.64.193.60 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 198.64.193.60 -j DENY -l"
> Jun 19 07:29:46 mako portsentry[20212]: attackalert: SYN/Normal scan from host: ADSLP1-PT-p8.adsl.netvision.net.il/212.143.55.8 to TCP port: 21
> Jun 19 07:29:46 mako portsentry[20212]: attackalert: Host 212.143.55.8 has been blocked via wrappers with string: "ALL: 212.143.55.8"
> Jun 19 07:29:46 mako portsentry[20212]: attackalert: Host 212.143.55.8 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 212.143.55.8 -j DENY -l"
>
> Thanks in advance for any links to more info or explanations!
>
> Aloha,
> 	Sharky
>
>
>
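
The reply's test (a probe to a port for a service the box does not run has no good reason to be there) can be applied mechanically to the portsentry lines quoted above. This is an added example, not part of the original thread: `OFFERED` and `summarize` are hypothetical names, the empty `OFFERED` set assumes a test machine running no DNS or FTP server, and the sample lines are copied from the quoted logcheck alert.

```python
import re
from collections import defaultdict

# Assumption: (protocol, port) pairs this host really serves. Empty for a test
# box with no DNS/FTP server; a real DNS server would list ("UDP", 53).
OFFERED = set()

SCAN_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: (?P<kind>.+?) scan from host: "
    r"\S+/(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)
BLOCK_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Host (?P<ip>\S+) has been blocked via "
    r"(?P<how>wrappers|dropped route)"
)

# Sample input: the alert lines from the quoted message.
SAMPLE = r'''
Jun 19 07:24:39 mako portsentry[20214]: attackalert: UDP scan from host: 198.64.193.60/198.64.193.60 to UDP port: 53
Jun 19 07:24:39 mako portsentry[20214]: attackalert: Host 198.64.193.60 has been blocked via wrappers with string: "ALL: 198.64.193.60"
Jun 19 07:24:39 mako portsentry[20214]: attackalert: Host 198.64.193.60 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 198.64.193.60 -j DENY -l"
Jun 19 07:29:46 mako portsentry[20212]: attackalert: SYN/Normal scan from host: ADSLP1-PT-p8.adsl.netvision.net.il/212.143.55.8 to TCP port: 21
Jun 19 07:29:46 mako portsentry[20212]: attackalert: Host 212.143.55.8 has been blocked via wrappers with string: "ALL: 212.143.55.8"
Jun 19 07:29:46 mako portsentry[20212]: attackalert: Host 212.143.55.8 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 212.143.55.8 -j DENY -l"
'''

def summarize(lines, offered=OFFERED):
    """Per source IP: probed ports we do not serve, and how portsentry blocked it."""
    hosts = defaultdict(lambda: {"probes": set(), "blocked": set()})
    for line in lines:
        scan = SCAN_RE.search(line)
        if scan:
            hosts[scan["ip"]]["probes"].add((scan["proto"], int(scan["port"])))
            continue
        block = BLOCK_RE.search(line)
        if block:
            hosts[block["ip"]]["blocked"].add(block["how"])
    return {
        ip: {
            # Probes to services we do offer are expected traffic, so drop them.
            "unexpected": sorted(h["probes"] - set(offered)),
            "blocked": sorted(h["blocked"]),
        }
        for ip, h in hosts.items()
    }

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE.splitlines()).items():
        print(ip, info)
```

Passing `offered={("UDP", 53)}` models a host that does run a DNS server, in which case the port 53 entry drops out of the `unexpected` list.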


