Date: Fri, 12 Feb 1999 12:34:29 +1100 (EST)
From: Rowan Crowe <rowan@sensation.net.au>
To: freebsd-isp@FreeBSD.ORG
Subject: Re: Someone sent me a security notice
Message-ID: <Pine.BSF.4.01.9902121228430.24139-100000@velvet.sensation.net.au>
In-Reply-To: <36C37B77.4AD78E47@tsuzuki.ne.jp>
On Fri, 12 Feb 1999, tetsuhiro wrote:

> Yesterday I got the following message from someone via email.
> I don't know who he/she is.
>
> xxx@xxx.net wrote:
> > from our log files:
> >
> > Feb 9 12:14:39 smoke kernel: IP fw-in deny eth1 UDP 152.226.76.37:1277 206.30.145.4:31337 L=46 S=0x00 I=1816 F=0x0000 T=108 Back orifice probe.
> >
> > Times are -0500. Please investigate this matter and take appropriate action.
>
> What should I do?
> Frankly speaking, I cannot understand what he/she wrote.

He/she is asking you to track down the source of the probe (152.226.76.37) and possibly the account if it's dialup, and caution the offender.

> I'd also like to know how he/she got my email address.

Probably admin/abuse@yourisp. I'm surprised you haven't come across this before...

To get on topic: I have UDP port 31337 in either direction blocked with ipfw, so it catches both external attacks on my clients, plus any of my clients trying to attack others. Thankfully they're mostly well behaved and the latter has happened about twice in a year. Can't say the same for the former. :-(

I have a script which runs every 5 mins that greps /var/log/messages for ipfw: entries and diffs them against the previously stored entries, then emails me any differences. This way I get an email notification relatively soon after the event, and it's an easy matter to reply to the email and change the destination address to the appropriate address to report the attack to the offender's ISP.

Cheers.

--
Rowan Crowe
Sensation Internet Services, Melbourne Aust
fidonet: 3:635/728  +61-3-9388-9260
http://www.rowan.sensation.net.au/  http://www.sensation.net.au/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-isp" in the body of the message
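The 5-minute "grep, diff against last time, mail the difference" job Rowan describes, written out as an added example; it is not his script (which is not on the page). It assumes ipfw rules of the form `ipfw add 1000 deny log udp from any to any 31337` (and a second rule for the reverse direction) whose hits syslog writes to /var/log/messages as `ipfw: 1000 Deny UDP src:port dst:port in via ed0`. The log and state paths, the recipient address, the rule numbers and the sample log lines are all assumptions made up for the example.

```shell
#!/bin/sh
# Added example, not Rowan's own script. Reports ipfw log entries that are
# new since the previous run; meant to be run from cron every 5 minutes.
# LOG, STATE and MAILTO are hypothetical defaults chosen for the example.

LOG=${LOG:-/var/log/messages}
STATE=${STATE:-/var/db/ipfw-seen}
MAILTO=${MAILTO:-admin@example.net}

# new_ipfw_entries LOGFILE STATEFILE
# Print the "ipfw:" lines in LOGFILE that were not present in STATEFILE,
# then replace STATEFILE with the current set.  sort/comm is used instead
# of diff so that lines which vanished through log rotation are not
# reported as "differences"; only genuinely new lines come out.
new_ipfw_entries() {
    nie_log=$1
    nie_state=$2
    [ -f "$nie_state" ] || : > "$nie_state"
    nie_cur=$(mktemp) || return 1
    grep 'ipfw:' "$nie_log" | sort -u > "$nie_cur"
    sort -u "$nie_state" | comm -13 - "$nie_cur"
    mv "$nie_cur" "$nie_state"
}

# probe_source LINE
# From an ipfw Deny line such as (constructed sample)
#   Feb 12 12:14:39 velvet /kernel: ipfw: 1000 Deny UDP 152.226.76.37:1277 206.30.145.4:31337 in via ed0
# print "SRCIP DSTPORT" (here "152.226.76.37 31337"): the address to look
# up in whois and the service that was probed.  Prints nothing otherwise.
probe_source() {
    printf '%s\n' "$1" |
      sed -n 's/.*ipfw: [0-9]* Deny [A-Z]* \([0-9.]*\):[0-9]* [0-9.]*:\([0-9]*\) .*/\1 \2/p'
}

# report_new_entries
# Mail the new entries, each preceded by a one-line summary, to MAILTO so
# the message can simply be forwarded to the offending network's abuse
# contact.  Sends nothing when there is nothing new.
report_new_entries() {
    rne_new=$(new_ipfw_entries "$LOG" "$STATE") || return 1
    [ -n "$rne_new" ] || return 0
    {
        printf '%s\n' "$rne_new" | while IFS= read -r rne_line; do
            rne_who=$(probe_source "$rne_line")
            if [ -n "$rne_who" ]; then
                # split "SRCIP DSTPORT" into $1 and $2
                set -- $rne_who
                printf 'probe from %s against port %s\n' "$1" "$2"
            fi
        done
        echo
        printf '%s\n' "$rne_new"
    } | mail -s "new ipfw log entries on $(hostname)" "$MAILTO"
}

# Only send mail when invoked with RUN_REPORT=1, e.g. from root's crontab:
#   */5 * * * * RUN_REPORT=1 /usr/local/sbin/ipfw-report.sh
# so the functions above can also be sourced and exercised on their own.
if [ "${RUN_REPORT:-0}" = 1 ]; then
    report_new_entries
fi
```

Two points worth noting: the state file must live somewhere that survives reboots and is not writable by the clients (hence /var/db rather than /tmp in the example), and because the job only ever looks at lines containing `ipfw:`, it will stay silent if the deny rules are added without the `log` keyword or if syslogd is not writing kernel messages to the file named in LOG.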