Date: Sat, 24 Feb 2001 09:55:55 +0100 From: "Andre Goeree" <abgoeree@uwnet.nl> To: Matthew West <mwest@uct.ac.za> Cc: chat@freebsd.org Subject: Re: When will script kiddies ever learn? Message-ID: <20010224095555.A681@mandark.attica.home> In-Reply-To: <20010224025203.A97408@apotheosis.org.za>; from mwest@uct.ac.za on Sat, Feb 24, 2001 at 02:52:03AM %2B0200 References: <20010224014042.A39092@mandark.attica.home> <20010224025203.A97408@apotheosis.org.za>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Feb 24, 2001 at 02:52:03AM +0200, Matthew West wrote: > On Sat, Feb 24, 2001 at 01:40:42AM +0100, Andre Goeree wrote: > > Nice, look what happened while fetching ports: > > > > Feb 24 01:17:24 mandark /kernel: ipfw: 2200 Deny TCP 205.241.169.135:80 213.227.140.238:2049 in via tun0 > > Feb 24 01:17:36 mandark last message repeated 4 times > > > > Script kiddies? Who else would be stupid enough to look for a nfs > > server. > > Hrm, 205.241.169.135 resolves to ns2.davidv.net, which, if you point > your browser to it, has quite a FreeBSD centric web page. Well, this must have something to do with the flaky DNS of my ISP :-( I *always* do a host lookup twice or three times before drawing my conclusions (too soon as it appears...). If it says "host not found" or resolves to some "dynamic ip" like my own, you know there's something going on. Next is to "ipfw add 50 deny" the IP out of my world and see what happens. If it breaks something i'm doing i would know it immediately but, i caught it a little late this time, read below ... Now you mention it, i've been browsing http://www.davidv.net (cool site :-) while fetching ports..... Ehhhhhh, ooops? :-} > > Are you sure you weren't perhaps fetching port distfiles from there > somewhere? Or just browsing the page? Hmm, i caught it a little late this time. Normally i keep an eyeball on my xconsole as soon as i stay longer online than 5 min. Because 99% of the times nothing (or something explainable) happens, i got a little sloppy about this good habit. > > If you weren't, then you might want to drop the domain owner a note > that his machine's being used to do scans. Judging by it's name, my > money's on them having used a bind exploit to get in. > Well, i can't be sure about that this time.. I think i will cook up something that rings the bell if something suspicious happens (i have some cool sounds for this :-). > I can't get an answer from the machine with "dig" though. > That's what made me think this was an incident in the first place. Andre. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-chat" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20010224095555.A681>