From owner-freebsd-security  Thu May 31  5:15:23 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f45.law3.hotmail.com [209.185.241.45])
	by hub.freebsd.org (Postfix) with ESMTP id 40C3B37B43F
	for <security@FreeBSD.ORG>; Thu, 31 May 2001 05:15:20 -0700 (PDT)
	(envelope-from secure21st@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
	 Thu, 31 May 2001 05:15:20 -0700
Received: from 32.103.39.196 by lw3fd.law3.hotmail.msn.com with HTTP;	Thu, 31 May 2001 12:15:20 GMT
X-Originating-IP: [32.103.39.196]
From: "WebSec WebSec" <secure21st@hotmail.com>
To: security@FreeBSD.ORG
Subject: Port 21
Date: Thu, 31 May 2001 12:15:20 -0000
Mime-Version: 1.0
Content-Type: text/html
Message-ID: <F45opYC98Bi89QtpfTY000063a4@hotmail.com>
X-OriginalArrivalTime: 31 May 2001 12:15:20.0164 (UTC) FILETIME=[5C3F0240:01C0E9CB]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

<html><DIV>
<DIV>
<P><FONT face=Helv color=#000000 size=2>This past weekend my IDS and&nbsp; honey pot picked-up stealth scans on port 21 to port 21.</FONT></P>
<P><FONT face=Helv size=2>I used a number of tools to "trace" IPs of scanners and they all pointed towards an asian organization.&nbsp; (Understanding limitations of TCP, I do not think anyone will state that this means anything :( )</FONT></P>
<P><FONT face=Helv size=2>One of the honeypots was on a DSL assigned sub-net.&nbsp;IT makes me think that whoever scanned me was after residential computers.&nbsp; (this&nbsp; is no different from others except for IDS installed :) )</FONT></P>
<P><FONT face=Helv size=2>In my case all scans were "stealth".</FONT></P>
<P><FONT face=Helv size=2>Also, in my opinion it may not be a good idea to provide real IPs (at least in this list) because you never know how you can tip someone.&nbsp; Yes, this is "security" by obscurity, but....</FONT></P>
<P><FONT face=Helv size=2>Hope this helps.</FONT></P>
<P><FONT face=Helv size=2></FONT>&nbsp;</P>
<P><FONT face=Helv size=2></FONT>&nbsp;</P>
<P><FONT face=Helv size=2>---------------------------------------------------------------------------------------------------------------------------------------------</FONT></P>
<P><FONT face=Helv color=#000000 size=2>My opinion is that unknown scanner was hoping to meet one of those admins who still use remote port of TCP/UDP packet as filter in</P>
<DIR>
<P>their firewall rules (like this: "ipfw allow tcp from any 21").</P>
<P>NKritsky - SysAdmin InternetHelp.Ru</P>
<P>http://www.internethelp.ru</P>
<P>e-mail: nkritsky@internethelp.ru</P>
<P>&nbsp;</P>
<P>&nbsp;</P>
<P>-----Original Message-----</P>
<P>From: Lim Seng Chor &lt;Lim.Seng.Chor@sit.edu.my&gt;</P>
<P>To: freebsd-security@FreeBSD.ORG &lt;freebsd-security@FreeBSD.ORG&gt;</P>
<P>Date: 31 мая 2001 г. 13:01</P>
<P>Subject: port 21</P>
<P>&nbsp;</P>
<P>my kernel message showing:</P>
<P>Connection attempt to TCP 202.184.64.29:21 from</P>
<P>213.137.2.195:21</P>
<P>anyone can explain why 213.137.2.195 can use port 21 to connect</P>
<P>to my ftp port but not random port above 1024?</P>
<P>To Unsubscribe: send mail to majordomo@FreeBSD.org</P>
<P>with "unsubscribe freebsd-security" in the body of the message</P>
<P>&nbsp;</P>
<P>&nbsp;</P>
<P>To Unsubscribe: send mail to majordomo@FreeBSD.org</P>
<P>with "unsubscribe freebsd-security" in the body of the message</P></DIR></FONT></DIV></DIV><br clear=all><hr>Get your FREE download of MSN Explorer at <a href="http://explorer.msn.com">http://explorer.msn.com</a><br></p></html>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message