holy portscan batman! anyone else notice?


scoobydope
08-13-2000, 11:15 AM
I have a little .wav from the game "Kingpin" that plays whenever portsentry blocks somebody doing a little scan on my system ("You got close, but didn't make it!" it sez)
Well, I was woken up about 20 times last night as my computer kept screaming this out throughout the wee hours of the morning.

Check this out

966141822 - 08/12/2000 21:43:42 Host: 211.51.151.132/211.51.151.132 Port: 12345 TCP Blocked
966143449 - 08/12/2000 22:10:49 Host: 211.41.38.180/211.41.38.180 Port: 12345 TCP Blocked
966144047 - 08/12/2000 22:20:47 Host: 210.183.173.18/210.183.173.18 Port: 12345 TCP Blocked
966144124 - 08/12/2000 22:22:04 Host: 211.54.227.92/211.54.227.92 Port: 12345 TCP Blocked
966144406 - 08/12/2000 22:26:46 Host: 210.220.117.182/210.220.117.182 Port: 12345 TCP Blocked
966145305 - 08/12/2000 22:41:45 Host: 210.221.194.173/210.221.194.173 Port: 12345 TCP Blocked
966145781 - 08/12/2000 22:49:41 Host: 211.44.114.181/211.44.114.181 Port: 12345 TCP Blocked
966151657 - 08/13/2000 00:27:37 Host: 211.187.233.65/211.187.233.65 Port: 12345 TCP Blocked
966155536 - 08/13/2000 01:32:16 Host: 210.206.186.38/210.206.186.38 Port: 12345 TCP Blocked
966157969 - 08/13/2000 02:12:49 Host: 211.62.227.195/211.62.227.195 Port: 12345 TCP Blocked
966158454 - 08/13/2000 02:20:54 Host: 210.123.139.128/210.123.139.128 Port: 12345 TCP Blocked
966159882 - 08/13/2000 02:44:42 Host: ppp172.adelaide.on.net.au/203.26.95.172 Port: 12345 TCP Blocked
966160053 - 08/13/2000 02:47:33 Host: 211.61.196.204/211.61.196.204 Port: 12345 TCP Blocked
966162048 - 08/13/2000 03:20:48 Host: 211.32.15.214/211.32.15.214 Port: 12345 TCP Blocked
966162534 - 08/13/2000 03:28:54 Host: 211.75.58.251/211.75.58.251 Port: 12345 TCP Blocked
966164918 - 08/13/2000 04:08:38 Host: 211.117.109.236/211.117.109.236 Port: 12345 TCP Blocked
966167374 - 08/13/2000 04:49:34 Host: 210.220.136.205/210.220.136.205 Port: 12345 TCP Blocked
966170436 - 08/13/2000 05:40:36 Host: 211.179.170.154/211.179.170.154 Port: 12345 TCP Blocked
966171041 - 08/13/2000 05:50:41 Host: 211.176.34.234/211.176.34.234 Port: 12345 TCP Blocked
966171596 - 08/13/2000 05:59:56 Host: 211-116-110-40.panworldnet.com/211.116.110.40 Port: 12345 TCP Blocked
966172438 - 08/13/2000 06:13:58 Host: h00a0243311b4.ne.mediaone.net/24.147.84.191 Port: 12345 TCP Blocked
966173558 - 08/13/2000 06:32:38 Host: 211.44.155.38/211.44.155.38 Port: 12345 TCP Blocked
966174123 - 08/13/2000 06:42:03 Host: 210.109.18.69/210.109.18.69 Port: 12345 TCP Blocked
966175373 - 08/13/2000 07:02:53 Host: 203.232.77.162/203.232.77.162 Port: 12345 TCP Blocked
966176098 - 08/13/2000 07:14:58 Host: 211.168.64.92/211.168.64.92 Port: 12345 TCP Blocked
966176473 - 08/13/2000 07:21:13 Host: 211.45.197.243/211.45.197.243 Port: 12345 TCP Blocked
966178635 - 08/13/2000 07:57:15 Host: 211.59.225.29/211.59.225.29 Port: 12345 TCP Blocked

It all seems to be emanating from the same network of sorts, and it all is looking for port 12345. I think this is the default port for netbus, what the heck is going on?
Has anybody else witnessed a sudden increase of port scans?

MkIII_Supra
08-13-2000, 12:20 PM
Actually it's been really freaking quiet here on cable. Which is really unusual. The only entries I find are from my ISP. Other than that, it's been really quiet. It's kinda eerie in a way. Because 2 months ago I was getting hits 3-4 times a day. Of course about 2 months ago I stopped using ICQ too, so that may have something to do with it. I would ask my neighbor but his NT box still can't get online.....

scoobydope
08-13-2000, 01:40 PM
I AM on cable... that is what is weird. I have been on cable for about 2 years now, and this little rash of attacks has been the first I have seen (other than the authorized-scan.security.home.net checking for innd at port 119)

For a brief moment I thought it may have been due to my recent installation of napster and icq on the windows side of this boot.

However, I just booted back into win98 and ran Purge-it (http://www.purge-it.com) after starting napster and icq. And luckily none of these ports that are being scanned show up as listening. So it is just a rash of people out there scanning the world for trojans.
farging bastages.

rayjones
08-13-2000, 03:59 PM
Yes, isn't that interesting, and they are all in Asia, Korea, mostly. I have been sending logsnips back to abuse@ whatever. Lots of it, too. Look at FTP attempts, too, people with no passwords, at all, in here. SEND MAIL to the ISP, with times and proper logsnips, else, we seem to be condoning it all, ya know?

Aug 11 14:44:25 gordo portsentry[547]: attackalert: Connect from host: 211.104.132.133/211.104.132.133 to TCP port: 12345
Aug 11 14:44:25 gordo portsentry[547]: attackalert: Host 211.104.132.133 has been blocked via wrappers with string: "ALL: 211.104.132.133"
Aug 11 14:51:59 gordo xntpd[413]: synchronized to 128.118.25.3, stratum=2
Aug 11 14:52:27 gordo xntpd[413]: synchronized to 140.162.8.3, stratum=3
Aug 11 15:59:47 gordo xntpd[413]: synchronized to 128.118.25.3, stratum=2
Aug 11 16:06:48 gordo xntpd[413]: synchronized to 140.162.8.3, stratum=2
Aug 11 19:14:36 gordo xntpd[413]: synchronized to 128.118.25.3, stratum=2
Aug 11 21:08:13 gordo PAM_pwdb[11430]: check pass; user unknown
Aug 11 21:08:14 gordo ftpd: 203.101.123.242: connected: IDLE
[11430]: failed login from 203.101.123.242 [203.101.123.242]
Aug 11 21:08:15 gordo ftpd: 203.101.123.242: connected: IDLE
[11430]: FTP session closed
Aug 11 21:52:40 gordo portsentry[547]: attackalert: Connect from host: ppp-3-160.Hsichih.pagic.net/210.67.87.160 to TCP port: 12345
Aug 11 21:52:40 gordo portsentry[547]: attackalert: Host 210.67.87.160 has been blocked via wrappers with string: "ALL: 210.67.87.160"
Aug 11 22:54:40 gordo portsentry[547]: attackalert: Connect from host: 203.232.102.78/203.232.102.78 to TCP port: 12345
Aug 11 22:54:40 gordo portsentry[547]: attackalert: Host 203.232.102.78 has been blocked via wrappers with string: "ALL: 203.232.102.78"
Aug 12 00:17:33 gordo portsentry[547]: attackalert: Connect from host: s210-205-234-142.thrunet.ne.kr/210.205.234.142 to TCP port: 12345
Aug 12 00:17:33 gordo portsentry[547]: attackalert: Host 210.205.234.142 has been blocked via wrappers with string: "ALL: 210.205.234.142"
Aug 12 04:02:00 gordo anacron[12133]: Updated timestamp for job cron.daily' to 2000-08-12
Aug 12 05:17:01 gordo portsentry[547]: attackalert: Connect from host: 210.220.109.208/210.220.109.208 to TCP port: 12345
Aug 12 05:17:01 gordo portsentry[547]: attackalert: Host 210.220.109.208 has been blocked via wrappers with string: "ALL: 210.220.109.208"

Also, look at this one, where he hits my pop3 server:

Aug 13 12:41:28 gordo ipop3d[18615]: pop3 service init from 211.46.122.121
Aug 13 12:41:57 gordo ipop3d[18615]: No such file or directory while reading line user=??? host=[211.46.122.121]

This IP is in Korea, but they provide no English language information on the ISP, so I can't email them.
AND it continues, right on through today.
Ray


[This message has been edited by rayjones (edited 13 August 2000).]

Golden_Eternity
08-13-2000, 04:26 PM
Originally posted by MkIII_Supra:
Actually it's been really freaking quiet here on cable. Which is really unusual. The only entries I find are from my ISP. Other than that, it's been really quiet. It's kinda eerie in a way. Because 2 months ago I was getting hits 3-4 times a day.

Same here... It's kind of disturbing... where have all the skript kiddies gone? (More importantly, did they get in through some exploit I haven't heard of yet, and are systematically wiping my logs? Hmmm... Nah)

Stackrat
08-13-2000, 08:48 PM
I'm on cable too and I've been getting the same sort of hits on my firewall that scoobydope and rayjones have been getting. One even tried a pop3 login as root!

Darth Tminos
08-13-2000, 08:52 PM
My ISP portscans me a LOT...

I've never really gotten any attempts at portscanning me except the occasional one or two isolated blocked packets. Nothing much for me. 56k btw.

Golden_Eternity
08-13-2000, 10:49 PM
Originally posted by Stackrat:
I'm on cable too and I've been getting the same sort of hits on my firewall that scoobydope and rayjones have been getting. One even tried a pop3 login as root!

pop3 and ftp are backups for testing easily guessable passwords, in case telnet is closed.

rayjones
08-14-2000, 08:00 AM
We continue unabated last night, this morning. SHHEESSHHH!!!!!
The issue will soon be that /etc/hosts.deny will become a 5 gig file !!!!!!!!!


Aug 14 04:44:09 gordo portsentry[547]: attackalert: Connect from host: 210.91.235.210/210.91.235.210 to TCP port: 12345
Aug 14 04:44:09 gordo portsentry[547]: attackalert: Host 210.91.235.210 has been blocked via wrappers with string: "ALL: 210.91.235.210"
Aug 14 04:52:04 gordo xntpd[413]: synchronized to 140.162.8.3, stratum=2
Aug 14 04:52:28 gordo xntpd[413]: synchronized to 128.118.25.3, stratum=2
Aug 14 05:13:09 gordo portsentry[547]: attackalert: Connect from host: 210.126.108.110/210.126.108.110 to TCP port: 12345
Aug 14 05:13:09 gordo portsentry[547]: attackalert: Host 210.126.108.110 has been blocked via wrappers with string: "ALL: 210.126.108.110"
Aug 14 06:41:20 gordo xntpd[413]: synchronized to 128.182.58.100, stratum=2
Aug 14 06:53:31 gordo portsentry[547]: attackalert: Connect from host: 203.79.149.134/203.79.149.134 to TCP port: 12345
Aug 14 06:53:31 gordo portsentry[547]: attackalert: Host 203.79.149.134 has been blocked via wrappers with string: "ALL: 203.79.149.134"
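The portsentry history and syslog excerpts posted above by scoobydope and rayjones, and Golden_Eternity's point that the pop3/ftp hits are password-guessing attempts, all come down to the same triage job: classify the lines, group them by source, and produce the "times and proper logsnips" rayjones recommends sending to the abuse contact. This is an added example, not code from the thread or from the portsentry project. The regexes follow the line formats quoted in the thread (portsentry 1.x history file and syslog output, plus wu-ftpd and ipop3d lines); the sample lines, hostnames and IPs are constructed, using documentation address ranges.

```python
"""Triage portsentry / ftpd / ipop3d log lines into a per-source summary and an
abuse-report snippet.  Added example; not code from the thread or from the
portsentry project.  Regexes follow the line formats quoted in the thread;
the sample lines below are constructed with documentation IP ranges."""
import re
from collections import Counter, defaultdict

IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
SYSLOG_TS = r"(?P<when>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d)"

# portsentry.history: "<epoch> - MM/DD/YYYY HH:MM:SS Host: name/ip Port: N TCP Blocked"
HISTORY_RE = re.compile(
    r"^\d+ - (?P<when>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) Host: \S+/" + IP
    + r" Port: (?P<port>\d+) (?P<proto>TCP|UDP) Blocked$")
# syslog: the first of the two attackalert lines portsentry writes per block
ALERT_RE = re.compile(
    SYSLOG_TS + r" \S+ portsentry\[\d+\]: attackalert: Connect from host: \S+/"
    + IP + r" to (?P<proto>TCP|UDP) port: (?P<port>\d+)$")
FTP_FAIL_RE = re.compile(SYSLOG_TS + r" \S+ ftpd\[\d+\]: failed login from " + IP)
POP3_RE = re.compile(SYSLOG_TS + r" \S+ ipop3d\[\d+\]: pop3 service init from " + IP)

# Ports the thread identifies; 12345 is NetBus' default listener.
TROJAN_PORTS = {12345: "NetBus"}


def parse_line(line):
    """Classify one line: (when, ip, kind, port, raw), or None if not of interest."""
    raw = line.rstrip("\n")
    for rx, kind in ((HISTORY_RE, "blocked"), (ALERT_RE, "blocked"),
                     (FTP_FAIL_RE, "ftp-fail"), (POP3_RE, "pop3")):
        m = rx.match(raw)
        if m:
            port = int(m.group("port")) if "port" in m.groupdict() else None
            return (m.group("when"), m.group("ip"), kind, port, raw)
    return None


def summarize(lines):
    """Aggregate events by source IP, by port hit and by /16 prefix."""
    by_ip = defaultdict(list)
    unparsed = 0
    for line in lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            unparsed += 1  # xntpd, anacron, the second attackalert line, ...
            continue
        by_ip[event[1]].append(event)
    events = [e for evs in by_ip.values() for e in evs]
    ports = Counter(e[3] for e in events if e[3] is not None)
    # Group by the first two octets: crude, but enough to see whether the hits
    # cluster in one provider's allocation, as the posters suspected.
    prefixes = Counter(".".join(ip.split(".")[:2]) + ".0.0/16" for ip in by_ip)
    return {"by_ip": dict(by_ip), "ports": ports, "prefixes": prefixes, "unparsed": unparsed}


def describe(kind, port):
    """Human-readable label for one event."""
    if kind == "blocked":
        name = TROJAN_PORTS.get(port)
        return f"probe of TCP/{port}" + (f" ({name} default port)" if name else "")
    return {"ftp-fail": "failed FTP login", "pop3": "POP3 login attempt"}[kind]


def abuse_report(summary, ip):
    """Plain-text snippet for the source network's abuse contact: each event
    with its timestamp (the log host's local time) and the unaltered log line."""
    events = summary["by_ip"].get(ip, [])
    out = [f"Unsolicited connections from {ip}: {len(events)} event(s)"]
    for when, _, kind, port, raw in events:
        out.append(f"  {when}  {describe(kind, port)}")
        out.append(f"    {raw}")
    return "\n".join(out)


# Constructed sample (documentation IPs) mirroring the formats quoted in the thread.
SAMPLE_LOG = """\
966141822 - 08/12/2000 21:43:42 Host: 203.0.113.17/203.0.113.17 Port: 12345 TCP Blocked
966144047 - 08/12/2000 22:20:47 Host: 203.0.113.80/203.0.113.80 Port: 12345 TCP Blocked
Aug 11 21:08:14 gordo ftpd[11430]: failed login from 198.51.100.242 [198.51.100.242]
Aug 11 21:52:40 gordo portsentry[547]: attackalert: Connect from host: ppp-3-160.example.net/203.0.113.160 to TCP port: 12345
Aug 11 21:52:40 gordo portsentry[547]: attackalert: Host 203.0.113.160 has been blocked via wrappers with string: "ALL: 203.0.113.160"
Aug 11 22:00:01 gordo xntpd[413]: synchronized to 192.0.2.3, stratum=2
Aug 13 12:41:28 gordo ipop3d[18615]: pop3 service init from 198.51.100.121
Aug 13 12:41:57 gordo ipop3d[18615]: No such file or directory while reading line user=??? host=[198.51.100.121]
Aug 14 04:44:09 gordo portsentry[547]: attackalert: Connect from host: 198.51.100.242/198.51.100.242 to TCP port: 12345
"""

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG.splitlines())
    print("ports hit:", dict(s["ports"]), "| sources per /16:", dict(s["prefixes"]))
    for ip in s["by_ip"]:
        print(abuse_report(s, ip))
```

On a real box the input would be /var/log/messages and portsentry.history concatenated; the /16 grouping is only a heuristic for spotting a cluster, and the actual network owner and abuse contact still come from whois. Note that the same source can show up both as a trojan-port probe and as a failed FTP or POP3 login, which is exactly the pattern Golden_Eternity describes.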

Stackrat
08-14-2000, 08:54 AM
Originally posted by Golden_Eternity:
pop3 and ftp are backups for testing easily guessable passwords, in case telnet is closed.

Ha! Let 'em try. They'll never guess "ROSEBUD" from the movie "Citizen Kane" as my root password.

--------------------
Stackrat www.stackrat.com (http://www.stackrat.com)

Dr SuSE
08-14-2000, 09:45 AM
Looks like someone is looking for netbus

Golden_Eternity
08-14-2000, 08:57 PM
Stackrat's Box login: root
password: ROSE...

Harvey
08-15-2000, 06:57 PM
ROSEBUD!!!!!!!!!!!

Stackrat
08-15-2000, 07:15 PM
Originally posted by Golden_Eternity:
Stackrat's Box login: root
password: ROSE...

Ha! I see from the logs only two people tried to hit port 21 (FTP). Nothing was logged for telnet or ssh (telnet is closed anyway); I'll have to double check to make sure they're being logged.

Of course, I've never even seen "Citizen Kane" and "ROSEBUD" is a pretty stupid root password, but I'm surprised more people didn't give it a try out of sheer curiosity!

cygnus
05-22-2001, 08:34 PM
Have you guys ever tried blocking the @home security scans? I get at least 5 a day, and they check the whole range of ports.....
Just wondering if they'd get pissed.

tolstoy
05-22-2001, 08:49 PM
ROSEBUD, wow that's a good one. And here, all along, I've been using "password."

Fandelem
05-23-2001, 04:54 PM
At least ROSEBUD is in all caps! They will never guess that one! Man, you are a genius! That is like hiding your wallet in the bottom part of your shoe at the beach; robbers only look in the heel and move to the next... right? ;o)