Date: Wed, 1 Mar 2000 13:16:32 -0600 (CST)
From: James Wyatt
To: cjclark@home.com
Cc: freebsd-security@freebsd.org
Subject: Re: @Home Server Scanner?

You aren't the only one who's swearing at it. 8{)

@Home had so many folks (users and cable companies) with security holes installed (esp broken default WinGate settings!) that it reached critical mass. When threatened with a UDP (UseNet Death Penalty where their news peers would disconnect from them), they suddenly had a scanner working and were cleaning up shop with a *big* mop.

A lot of local cable companies had NNTP proxies that were wide open - meaning zero-admin for them, but open relays for spamming. Various other holes have been exploited for DDoS purposes. Think of all those Windows/Linux/etc machines out there with security holes, constant decent connection, and eternal power as a Matrix for running a DDoS simulation or DES keyspace carve-up-and-crack... I've gotta watch that movie again... (^_^)

I applaud their efforts to tighten their affiliates' infrastructures and the great numbers of client machines. Now if we can get the DSL ISPs to check once in a while or look for attacks, we'll all be better off. - Jy@

On Wed, 1 Mar 2000, Crist J. Clark wrote:

> I appear to be scanned regularly by an @Home host,
>
>   Name:    ops-scan.home.net
>   Address: 24.0.94.130
>
> It has been scanning my NNTP (119) port several times a day since the
> beginning of February. Previous to that, it liked to check my HTTP
> port (80) several times a day. That behavior dates to when I started
> logging on the firewall in January.
>
> Anyone know anything about that host? Any other @Home users seeing
> this too? My assumption is that it is @Home scanning for "illegal"
> servers on their network.
>
> This machine has earned a,
>
>   deny log ip from 24.0.94.130 to any
>
> In my firewall for now.
> --
> Crist J. Clark                           cjclark@home.com