[ILUG] LogWatch: rebuke to ILUG gurus

Owen Connolly ojc at networkarchitects.ie
Mon Feb 14 13:08:10 GMT 2005




How do you think worms, etc. spread?  Of course they go around randomly 
knocking on ports to see if they're open...  Try putting an unpatched 
IIS box on an open pipe and count the seconds until it's hit...  Average 
life expectancy is around seven minutes...

Any port can be used by any service/daemon, legitimate or otherwise... 
In fact you can replace a legitimate service on a box with something 
nefarious very easily... If you allow web access to your box through your 
firewall and I have an exploit for your type of web server, I can make 
your machine connect back out to an ftp box of my choice, download my 
favourite rootkit/backdoor or just good old-fashioned netcat and then 
run this bound to a port that's already allowed through your firewall, 
i.e. ssh tcp 22.

I would suggest that you do a little bit of reading at 
www.securityfocus.com and in particular search for rootkits, backdoors 
and zombies...

As for not highlighting what you found through google, maybe you should 
have googled first and asked questions later... Specific questions get 
specific answers! ;-)

Cheers,

ojc


Timothy Murphy wrote:

>I asked a little while ago about interpreting LogWatches,
>and was surprised that none of the responses highlighted
>what now seems to me - after a little googly research - the essential point,
>namely that what matters is not the IP address of dropped packets
>but the port they are trying to access.
>For example, I see that in yesterday's LogWatch
>about one fifth of the 157 dropped packets targeted port 15118,
>which I see from <http://www.linklogger.com/commonscans.htm>
>is a DipnetOddbob worm.
>
>About half the ports targeted seem associated with known attacks.
>The remainder seem mostly to consist of scans from one address
>targeting a large range of ports, e.g. 63 packets from 62.73.129.165
>scanning ports in the 32000 range.
>Why would anyone try that?
>

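A log-side version of the analysis Timothy describes (counting dropped packets per destination port, and spotting one source probing many distinct ports), added here as an example; it is not code from the post or from LogWatch itself. It parses iptables-style kernel log lines, and the sample lines are constructed, with the addresses and ports modelled on the post.

```python
import re
from collections import Counter, defaultdict

# Minimal netfilter/iptables kernel-log parser: pull out the fields LogWatch
# summarises (source address, protocol, destination port).
_FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def parse_line(line):
    """Return {'SRC', 'PROTO', 'DPT'} for a dropped-packet log line, or None."""
    fields = dict(_FIELD.findall(line))
    if "SRC" not in fields or "DPT" not in fields:
        return None  # ICMP or malformed lines carry no DPT; skip them
    fields["DPT"] = int(fields["DPT"])
    return fields

def summarise(lines, scan_threshold=10):
    """Count drops per (proto, port) and flag sources hitting many distinct ports."""
    per_port = Counter()
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        per_port[(rec.get("PROTO", "?"), rec["DPT"])] += 1
        ports_by_src[rec["SRC"]].add(rec["DPT"])
    # A source that has touched >= scan_threshold distinct ports looks like a sweep,
    # as opposed to many sources each knocking on one well-known worm port.
    scanners = {src: sorted(p) for src, p in ports_by_src.items()
                if len(p) >= scan_threshold}
    return per_port, scanners

# Constructed sample (not real log data): one source sweeping the 32000 range,
# several sources hitting port 15118, and an ICMP line with no port at all.
SAMPLE = (
    ["Feb 13 02:%02d:10 gw kernel: DROP IN=ppp0 OUT= SRC=62.73.129.165 DST=10.0.0.2 "
     "PROTO=TCP SPT=55000 DPT=%d" % (i, 32000 + i) for i in range(12)]
    + ["Feb 13 03:%02d:00 gw kernel: DROP IN=ppp0 OUT= SRC=203.0.113.%d DST=10.0.0.2 "
       "PROTO=TCP SPT=1025 DPT=15118" % (i, i) for i in range(1, 6)]
    + ["Feb 13 04:00:00 gw kernel: DROP IN=ppp0 OUT= SRC=198.51.100.7 DST=10.0.0.2 "
       "PROTO=ICMP TYPE=8 CODE=0"]
)

if __name__ == "__main__":
    per_port, scanners = summarise(SAMPLE)
    for (proto, port), n in per_port.most_common(5):
        print(f"{proto}/{port}: {n} dropped")
    for src, ports in scanners.items():
        print(f"possible scan from {src}: {len(ports)} distinct ports "
              f"({ports[0]}..{ports[-1]})")
```

Feeding it `/var/log/messages` (or wherever your LOG rule writes) instead of `SAMPLE` gives the per-port view the post argues for, with the single-source sweeps separated out from the worm-port noise.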