TCLUG Archive
Re: [TCLUG:5611] Looks like real attack !???!!??! (fwd)
Sorry, here it is:
[lueyb@pclueyb lueyb]$ netstat -a |grep LISTEN
tcp 0 0 *:4878 *:* LISTEN
tcp 0 0 *:3963 *:* LISTEN
tcp 0 0 *:nterm *:* LISTEN
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:7100 *:* LISTEN
tcp 0 0 *:www *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 *:1024 *:* LISTEN
tcp 0 0 *:923 *:* LISTEN
tcp 0 0 *:22 *:* LISTEN
tcp 0 0 pclueyb:domain *:* LISTEN
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 *:auth *:* LISTEN
tcp 0 0 *:time *:* LISTEN
tcp 0 0 *:finger *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 0 *:ftp *:* LISTEN
tcp 0 0 *:5680 *:* LISTEN
tcp 0 0 *:sunrpc *:* LISTEN
unix 0 [ ACC ] STREAM LISTENING 152 /tmp/.iroha_unix/IROHA
unix 0 [ ACC ] STREAM LISTENING 11639571 /home/lueyb/.x11amp/x11amp_ctrl.0
unix 0 [ ACC ] STREAM LISTENING 387 /tmp/.X11-unix/X0
unix 0 [ ACC ] STREAM LISTENING 164 /dev/log
unix 0 [ ACC ] STREAM LISTENING 5460191 /tmp/orbit-lueyb/orb-1995208006357377263
unix 0 [ ACC ] STREAM LISTENING 350 fs7100
unix 0 [ ACC ] STREAM LISTENING 8991924 /tmp/.ki2-unix/_0-ja_JP
unix 0 [ ACC ] STREAM LISTENING 290 /dev/printer
On Wed, 28 Apr 1999, Nathan Ahlstrom wrote:
>
> Upper case LISTEN. ;-)
>
> It looked like it because from the netstat output you sent below they hit
> 4755, 4756, 4757 all at the same time. It is either a port scan or a
> denial of service attack. I would log the times that attack happened and
> the ip address of the attacker and report it to the postmaster/root person
> at the domain (use whois domain.name to figure this out).
>
> How about netstat -a | grep -i LISTEN
>
> Ben Luey <lueyb@carleton.edu> wrote:
> > Is it merely a port scan?
> >
> > [lueyb@pclueyb lueyb]$ netstat -a |grep listen
> > tcp 0 0 localhost:7100 localhost:listen ESTABLISHED
> > tcp 0 0 localhost:listen localhost:7100 ESTABLISHED
> > [lueyb@pclueyb lueyb]$
> >
> > On Wed, 28 Apr 1999, Nathan Ahlstrom wrote:
> >
> > > LUEYB@carleton.edu wrote:
> > > > I just got 100 lines of this from netstat and so I took off eth0 and
> > > > put it back on another ip without dhcp (no direct outside access and
> > > > sysadmin will be mad, but now I don't have to worry). What should I
> > > > do / is this important? --AHHH
> > > >
> > > > [lueyb@pclueyb lueyb]$ netstat -an
> > > > Active Internet connections (including servers)
> > > > Proto Recv-Q Send-Q Local Address Foreign Address State
> > > > tcp 0 1 137.22.96.160:4757 205.134.240.199:316 SYN_SENT
> > > > tcp 0 1 137.22.96.160:4756 205.134.240.199:848 SYN_SENT
> > > > tcp 0 1 137.22.96.160:4755 205.134.240.199:355
> > >
> > > Looks like they are running a portscan to see if you have any vulnerable
> > > services running? What services do you have running?
> > > 'netstat -a | grep LISTEN'
> > >
> > > --
> > > Nathan Ahlstrom FreeBSD: http://www.FreeBSD.org/
> > > nrahlstr@winternet.com PGP Key ID: 0x67BC9D19
> > >
> >
> > Ben Luey
> > lueyb@carleton.edu
> > ICQ: 19144397
> >
> > Two wrongs don't make a right, but three left turns sure do. -- Jim Hightower
>
> --
> Nathan Ahlstrom FreeBSD: http://www.FreeBSD.org/
> nrahlstr@winternet.com PGP Key ID: 0x67BC9D19
>
Ben Luey
lueyb@carleton.edu
ICQ: 19144397
Eagles can soar, but weasels don't get sucked into jet engines -- Unknown
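A small triage script, added here and not part of the thread, that parses netstat output in the format pasted above (re-joining the State column where it wrapped onto its own line in the mail), lists the TCP ports in LISTEN, and groups half-open connections by peer. The sample listing is constructed from the addresses in the thread; note that SYN_SENT is the state of the side that sent the SYN, so a burst of SYN_SENT rows to one peer on many ports is the local host probing that peer.

```python
from collections import defaultdict

# Constructed sample, modelled on the netstat -an listings in the thread.
# The State column wraps onto the next line for some rows, as it did in the mail.
SAMPLE = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 *:22 *:* LISTEN
tcp 0 0 *:telnet *:* LISTEN
tcp 0 1 137.22.96.160:4757 205.134.240.199:316
SYN_SENT
tcp 0 1 137.22.96.160:4756 205.134.240.199:848
SYN_SENT
tcp 0 1 137.22.96.160:4755 205.134.240.199:355 SYN_SENT
tcp 0 0 137.22.96.160:22 10.0.0.5:40122 ESTABLISHED
"""

TCP_STATES = {"LISTEN", "SYN_SENT", "SYN_RECV", "ESTABLISHED", "TIME_WAIT",
              "CLOSE_WAIT", "FIN_WAIT1", "FIN_WAIT2", "CLOSING", "LAST_ACK", "CLOSE"}


def parse_netstat(text):
    """Return [proto, local, foreign, state] for each TCP row; a bare state
    on its own line is attached to the preceding row whose state was missing."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) == 1 and fields[0] in TCP_STATES and rows and rows[-1][3] is None:
            rows[-1][3] = fields[0]          # wrapped State column
            continue
        if fields[0] not in ("tcp", "tcp6"):
            continue                         # header, unix sockets, udp
        state = fields[5] if len(fields) > 5 else None
        rows.append([fields[0], fields[3], fields[4], state])
    return rows


def listening_ports(rows):
    """Port or service name of every TCP socket in LISTEN (what grep LISTEN shows)."""
    return sorted(r[1].rsplit(":", 1)[1] for r in rows if r[3] == "LISTEN")


def outbound_scan_peers(rows, threshold=3):
    """Peers to which the local host has >= threshold SYN_SENT connections on
    distinct foreign ports: the local side is the one sending the SYNs."""
    ports_by_peer = defaultdict(set)
    for _, _local, foreign, state in rows:
        if state == "SYN_SENT":
            host, port = foreign.rsplit(":", 1)
            ports_by_peer[host].add(port)
    return {h: sorted(p) for h, p in ports_by_peer.items() if len(p) >= threshold}
```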