LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] logwatch - should I be worried?

[ILUG] logwatch - should I be worried?

Timothy Murphy tim at birdsnest.maths.tcd.ie
Sun Jul 17 15:32:27 IST 2005 

On Sun 17 Jul 2005 13:25, Niall O Broin wrote:

> > Most of these are targeted at ports 1026, 1027
> > which I take to be some kind of ssh or ssl attack.
>
> No - Calendar Access Protocol and ExoSee respectively - grep for the
> number in /etc/services. ExoSee is some kind of personal file sharing
> system, and I presume there is some Microsoft vulnerability on certain
> machines providing CAP access.

Thanks for the correction.

> > My question is, Should I be worried?
>
> No - but you should be annoyed that these scumbags are interfering in
> your life. You can spend the time trying to report them to their ISPs
> but TBH it's pointless.

I've tried a couple of times emailing complaints
to addresses in China and Korea,
but as you say it has not been fruitful.

> > Is there any chance that this attack will succeed at some point?
>
> Yes, yes there is. All you need to do is
> a) Have a Windows box inside your LAN running the vulnerable software.
> b) Have your Shorewall box forwarding 1026 and 1027 to that Windows box.

Well, as far as I can see, these packets are rejected as soon as they arrive,
so I don't think they could get to my grand-daughter's Windows machine.

> Just make sure that your Shorewall only allows in just what you want,
> and that the services thus exposed to the world are secure. You're most
> likely doing that already. To check that, from a box in the outside
> world, run
>
> nmap  publicIP.of.your.firewall
>
> and check that all ports shown as open are intentionally open.

Thanks for the suggestion.
I've tried it out, and got quite a long list of ports:
===================================
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-07-17 15:24 BST
Interesting ports on 83-70-225-169.b-ras1.prp.dublin.eircom.net 
(83.70.225.169):
(The 1020 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE
110/tcp   filtered pop3
143/tcp   filtered imap
...
65301/tcp filtered pcanywhere

Nmap run completed -- 1 IP address (1 host up) scanned in 62.307 seconds
===================================

All of the ports say "filtered".
Does that mean I'm safe?


-- 
Timothy Murphy  
e-mail (<80k only): tim /at/ birdsnest.maths.tcd.ie
tel: +353-86-2336090, +353-1-2842366
s-mail: School of Mathematics, Trinity College, Dublin 2, Ireland

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell