From owner-freebsd-isp Thu Feb 11 17:40:52 1999
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id RAA23006 for freebsd-isp-outgoing; Thu, 11 Feb 1999 17:40:52 -0800 (PST) (envelope-from owner-freebsd-isp@FreeBSD.ORG)
Received: from velvet.sensation.net.au (serial0-velvet.Brunswick.sensation.net.au [203.20.114.195]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id RAA22996 for ; Thu, 11 Feb 1999 17:40:47 -0800 (PST) (envelope-from rowan@sensation.net.au)
Received: from localhost (rowan@localhost) by velvet.sensation.net.au (8.8.8/8.8.8) with SMTP id MAA27663 for ; Fri, 12 Feb 1999 12:34:32 +1100 (EST) (envelope-from rowan@sensation.net.au)
X-Authentication-Warning: velvet.sensation.net.au: rowan owned process doing -bs
Date: Fri, 12 Feb 1999 12:34:29 +1100 (EST)
From: Rowan Crowe
To: freebsd-isp@FreeBSD.ORG
Subject: Re: Someone sent me a security notice
In-Reply-To: <36C37B77.4AD78E47@tsuzuki.ne.jp>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-isp@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, 12 Feb 1999, tetsuhiro wrote:

> Yesterday I got the following message from someone via email.
> I don't know who he/she is.
>
> xxx@xxx.net wrote:
> > from our log files:
> >
> > Feb 9 12:14:39 smoke kernel: IP fw-in deny eth1 UDP 152.226.76.37:1277 206.30.145.4:31337 L=46
> > S=0x00 I=1816 F=0x0000 T=108 Back orifice probe.
> >
> > Times are -0500. Please investigate this matter and take appropriate action.
>
> What should I do?
> Frankly speaking I cannot understand what he/she wrote.

He/she is asking you to track down the source of the probe (152.226.76.37) and possibly the account if it's dialup, and caution the offender.

> I'd like to know how he/she got my email address also.

Probably admin/abuse@yourisp. I'm surprised you haven't come across this before...
To get on topic: I have UDP port 31337 in either direction blocked with ipfw, so it catches both external attacks on my clients, plus any of my clients trying to attack others. Thankfully they're mostly well behaved and the latter has happened about twice in a year. Can't say the same for the former. :-(

I have a script which runs every 5 mins that greps /var/log/messages for ipfw: entries and diffs it with the previously stored entries, then emails me any differences. This way I get an email notification relatively soon after the event, and it's an easy matter to reply to the email and change the destination address to the appropriate address to report the attack to the offender's ISP.

Cheers.

-- 
Rowan Crowe
Sensation Internet Services, Melbourne Aust
fidonet: 3:635/728  +61-3-9388-9260
http://www.rowan.sensation.net.au/  http://www.sensation.net.au/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-isp" in the body of the message
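As an added example, not Rowan's own script and not part of the original message, here is a small sh script in the shape he describes: grep the ipfw entries out of /var/log/messages, compare them with the set stored by the previous run, and mail only the new ones. The log path, state file, mail recipient and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example modelled on the approach described in the post; not Rowan's script.
# Assumed paths and recipient (placeholders); run from cron every 5 minutes with "run".
LOGFILE="${LOGFILE:-/var/log/messages}"
STATEFILE="${STATEFILE:-/var/db/ipfw-seen}"
MAILTO="${MAILTO:-root}"

# Print the ipfw lines of the given log, de-duplicated and sorted.
ipfw_lines() { grep 'ipfw:' "$1" | sort -u; }

# Print ipfw lines present in LOG ($1) but not yet in STATE ($2).
# comm on sorted input reports only additions, so lines that vanish when
# the log is rotated produce no noise.
new_entries() {
    [ -f "$2" ] || : > "$2"
    ipfw_lines "$1" | comm -13 "$2" -
}

# Write a constructed sample log to $1 (for trying the script offline;
# addresses are documentation ranges, the format mimics an ipfw deny line).
write_sample_log() {
    cat > "$1" <<'EOF'
Feb 11 10:01:02 velvet /kernel: ipfw: 100 Deny UDP 192.0.2.10:1277 198.51.100.4:31337 in via ed0
Feb 11 10:03:15 velvet sendmail[123]: unrelated message that must be ignored
Feb 11 10:05:40 velvet /kernel: ipfw: 100 Deny UDP 198.51.100.7:31337 192.0.2.99:31337 out via ed0
EOF
}

# One cron run: mail the new entries (if any) and remember the current set.
run_once() {
    new=$(new_entries "$LOGFILE" "$STATEFILE")
    [ -n "$new" ] || return 0
    printf '%s\n' "$new" | mail -s "ipfw: new denied packets on $(hostname)" "$MAILTO"
    ipfw_lines "$LOGFILE" > "$STATEFILE"
}

case "${1:-}" in run) run_once ;; esac
```

Because the state file holds the whole current set rather than a line count, a rotated or truncated log does not trigger a flood of re-reports on the next run.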