From owner-freebsd-security Sun Apr 22 18:42: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.fdma.com (mail.fdma.com [216.241.67.73])
    by hub.freebsd.org (Postfix) with ESMTP id 460E637B422
    for ; Sun, 22 Apr 2001 18:41:59 -0700 (PDT)
    (envelope-from scheidell@fdma.com)
Received: from MIKELT (mikelt.fdma.lan [192.168.3.5])
    by mail.fdma.com (8.11.3/8.11.3) with SMTP id f3N1fhg63633
    for ; Sun, 22 Apr 2001 21:41:44 -0400 (EDT)
Message-ID: <003a01c0cb96$8d660420$0503a8c0@fdma.com>
From: "Michael Scheidell"
To:
References: <20010423111824.A11827@gumbynet.org>
Subject: Re: Connection attempts
Date: Sun, 22 Apr 2001 21:41:15 -0400
Organization: Florida Datamation, Inc.
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

all those darn linux 6.2 systems. They should be replaced with rocks.

----- Original Message -----
From: "Tim Kent"
Newsgroups: local.freebsd.security
Sent: Sunday, April 22, 2001 9:18 PM
Subject: Connection attempts

> Hey all,
>
> Over the last few days I have noticed many people trying to connect to port 111 (portmapper).
> I don't run portmapper but I have log in vain enabled. Are these people going crazy with rpcinfo or what?
>
> I have attached the related output from dmesg but have changed my IP:

You can look up the 'attackers' to see if they have attacked others at:
http://www.mynetwatchman.com/mynetwatchman/SearchOpenIncidents.asp
you can DL a copy of the freebsd / ipfw also.

>
> Connection attempt to TCP phoenix:111 from 213.236.151.240:4912

had attacked at least 7 other computers since the 13th.

> Connection attempt to TCP phoenix:111 from 203.250.123.237:3278

One other on the 20th.
> Connection attempt to TCP phoenix:111 from 203.197.150.162:63525
> Connection attempt to TCP phoenix:111 from 203.197.150.162:63525
> Connection attempt to TCP phoenix:111 from 203.197.150.162:64156

persistent bugger, eh? no others listed
(if you ran the mnwclient, then mynetwatchman would have larted the isp for you)

> Connection attempt to TCP phoenix:111 from 24.182.49.154:4078

@home cable user, attacked someone on the 18th and @home sent email on the 19th.

> Connection attempt to TCP phoenix:111 from 210.207.57.166:4719

bora.net: lots of attacks must be infected

> Connection attempt to TCP phoenix:111 from 208.53.106.140:3845

look up any others. you would be amazed how far and wide these hack attacks range.
80% of them are compromised linux systems (that went unreported... hint... hint) and are now hacking into other systems.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
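Added example, not part of the original thread: a small Python summarizer for the `log_in_vain` kernel lines quoted above, grouping them by source address so repeat and multi-port sources stand out, which is the per-source triage the reply does by hand. The sample input is constructed with documentation addresses, and the function names and the `repeat_threshold` value are assumptions.

```python
import re
from collections import defaultdict

# Format of the kernel messages quoted in the thread (log_in_vain enabled);
# a leading "> " quote prefix or timestamp is tolerated by using search().
LINE_RE = re.compile(
    r"Connection attempt to (?P<proto>TCP|UDP) (?P<dst>\S+):(?P<dport>\d+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)"
)

# Constructed sample (RFC 5737 documentation addresses), not the thread's data.
SAMPLE = """\
> Connection attempt to TCP phoenix:111 from 192.0.2.10:4912
Connection attempt to TCP phoenix:111 from 198.51.100.7:63525
Connection attempt to TCP phoenix:111 from 198.51.100.7:63525
Connection attempt to TCP phoenix:111 from 198.51.100.7:64156
Connection attempt to UDP phoenix:137 from 203.0.113.5:137
Connection attempt to TCP phoenix:23 from 192.0.2.10:4913
sshd[311]: unrelated line that must be ignored
"""

def summarize(text):
    """Group matching lines by source address."""
    stats = defaultdict(lambda: {"attempts": 0, "targets": set(), "sports": set()})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        s = stats[m["src"]]
        s["attempts"] += 1
        s["targets"].add((m["proto"], int(m["dport"])))
        s["sports"].add(int(m["sport"]))
    return dict(stats)

def report(stats, repeat_threshold=3):
    """Rows of (src, logged lines, distinct source ports, targets, flags).

    A repeated source port is usually a retransmitted SYN, so the distinct
    source-port count approximates separate connection attempts (heuristic).
    """
    rows = []
    for src, s in sorted(stats.items(), key=lambda kv: (-kv[1]["attempts"], kv[0])):
        flags = []
        if s["attempts"] >= repeat_threshold:
            flags.append("repeat")
        if len(s["targets"]) > 1:
            flags.append("multi-port")
        rows.append((src, s["attempts"], len(s["sports"]), sorted(s["targets"]), flags))
    return rows

if __name__ == "__main__":
    for row in report(summarize(SAMPLE)):
        print(*row, sep="\t")
```

On a FreeBSD host the same functions can be fed the output of `dmesg` or the contents of `/var/log/messages`.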