From: "Andre Goeree" <abgoeree@uwnet.nl>
Date: Sat, 24 Feb 2001 09:55:55 +0100
To: Matthew West
Cc: chat@freebsd.org
Subject: Re: When will script kiddies ever learn?
Message-ID: <20010224095555.A681@mandark.attica.home>
In-Reply-To: <20010224025203.A97408@apotheosis.org.za>

On Sat, Feb 24, 2001 at 02:52:03AM +0200, Matthew West wrote:
> On Sat, Feb 24, 2001 at 01:40:42AM +0100, Andre Goeree wrote:
> > Nice, look what happened while fetching ports:
> >
> > Feb 24 01:17:24 mandark /kernel: ipfw: 2200 Deny TCP 205.241.169.135:80 213.227.140.238:2049 in via tun0
> > Feb 24 01:17:36 mandark last message repeated 4 times
> >
> > Script kiddies? Who else would be stupid enough to look for an NFS
> > server.
>
> Hrm, 205.241.169.135 resolves to ns2.davidv.net, which, if you point
> your browser to it, has quite a FreeBSD-centric web page.

Well, this must have something to do with the flaky DNS of my ISP :-(
I *always* do a host lookup twice or three times before drawing my
conclusions (too soon, as it appears...).
If it says "host not found" or resolves to some "dynamic IP" like my own,
you know there's something going on. Next is to "ipfw add 50 deny" the IP
out of my world and see what happens. If it breaks something I'm doing I
would know it immediately, but I caught it a little late this time; read
below...

Now you mention it, I've been browsing http://www.davidv.net (cool site :-)
while fetching ports..... Ehhhhhh, ooops? :-}

> Are you sure you weren't perhaps fetching port distfiles from there
> somewhere? Or just browsing the page?

Hmm, I caught it a little late this time. Normally I keep an eyeball on my
xconsole as soon as I stay online longer than 5 min. Because 99% of the
time nothing (or something explainable) happens, I got a little sloppy
about this good habit.

> If you weren't, then you might want to drop the domain owner a note
> that his machine's being used to do scans. Judging by its name, my
> money's on them having used a bind exploit to get in.

Well, I can't be sure about that this time.. I think I will cook up
something that rings the bell if something suspicious happens (I have some
cool sounds for this :-).

> I can't get an answer from the machine with "dig" though.

That's what made me think this was an incident in the first place.

Andre.
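A small triage script of the kind Andre says he will cook up, added here as an example; it is not code from this thread, from the poster, or from FreeBSD. It parses ipfw "Deny" syslog lines in the format of the two lines quoted above, folds "last message repeated N times" into the previous line's count, does a reverse lookup through a pluggable resolver, and applies the rule of thumb from the message: a source with no reverse DNS, or one whose reverse name looks like a dynamic/dial-up address, gets a temporary "ipfw add 50 deny" rule suggested. It also checks the case this thread actually ran into: when the blocked packets' *source* port is a well-known service port (80 here), they are most likely replies to a connection the local host itself opened, so the script says "check your own sessions" before blocking anything. The keyword list used to spot dynamic-looking names, the set of service ports, the rule number 50, and the third sample log line (192.0.2.77) are all assumptions made for the example.

```python
"""Triage ipfw "Deny" log lines: parse, count, reverse-resolve, suggest a block.

Added example, not code from the original thread. Log format is taken from the
lines quoted in the message; DYNAMIC_HINT, SERVICE_PORTS and the rule number 50
are assumptions chosen for illustration.
"""
import re
import socket
from collections import defaultdict

# Format of the ipfw syslog lines quoted in the thread.
DENY_RE = re.compile(
    r"ipfw: (?P<rule>\d+) Deny (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")

# Name fragments that suggest a dynamically assigned address (assumption; extend to taste).
DYNAMIC_HINT = re.compile(r"dyn|dial|dailup|dhcp|ppp|pool|cable|dsl", re.I)
# Ports a reply to one of *our own* outbound connections would come from (assumption).
SERVICE_PORTS = {21, 22, 25, 53, 80, 110, 143, 443}


def parse_ipfw_log(lines):
    """Return {src_ip: {"hits": n, "sports": set, "dports": set}} for Deny lines."""
    events = defaultdict(lambda: {"hits": 0, "sports": set(), "dports": set()})
    last_src = None
    for line in lines:
        m = DENY_RE.search(line)
        if m:
            last_src = m["src"]
            ev = events[last_src]
            ev["hits"] += 1
            ev["sports"].add(int(m["sport"]))
            ev["dports"].add(int(m["dport"]))
            continue
        r = REPEAT_RE.search(line)
        if r and last_src is not None:
            # syslog collapsed N identical lines; credit them to the previous source
            events[last_src]["hits"] += int(r["n"])
    return dict(events)


def default_resolver(ip):
    """Reverse lookup; None means 'host not found' (NXDOMAIN, timeout, no PTR)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def triage(events, resolver=default_resolver):
    """Classify each source: returns {src_ip: (verdict, reason, ptr_name)}."""
    out = {}
    for ip, ev in events.items():
        name = resolver(ip)
        if ev["sports"] <= SERVICE_PORTS:
            # all packets came *from* a service port: likely replies to our own session
            out[ip] = ("probably-reply", "source port is a service port; check your own sessions", name)
        elif name is None:
            out[ip] = ("suspicious", "no reverse DNS", name)
        elif DYNAMIC_HINT.search(name):
            out[ip] = ("suspicious", "dynamic-looking reverse name", name)
        else:
            out[ip] = ("investigate", "resolves to a static-looking host", name)
    return out


def deny_rule(ip, rule_no=50):
    """The temporary block described in the message, in ipfw syntax."""
    return f"ipfw add {rule_no} deny ip from {ip} to any"


# Constructed sample: the two lines quoted in the thread plus one invented scan source.
SAMPLE = [
    "Feb 24 01:17:24 mandark /kernel: ipfw: 2200 Deny TCP 205.241.169.135:80 213.227.140.238:2049 in via tun0",
    "Feb 24 01:17:36 mandark last message repeated 4 times",
    "Feb 24 01:20:01 mandark /kernel: ipfw: 2200 Deny TCP 192.0.2.77:4312 213.227.140.238:2049 in via tun0",
]

if __name__ == "__main__":
    ev = parse_ipfw_log(SAMPLE)
    for ip, (verdict, why, name) in triage(ev).items():
        print(f"{ip:16} {ev[ip]['hits']:3} hits  {verdict:15} {why} ({name})")
        if verdict == "suspicious":
            print("    ", deny_rule(ip))
```

Feed it `grep 'ipfw:' /var/log/messages` (or `tail -f` the file and hook a sound player on a "suspicious" verdict) and it does the lookup-then-block routine from the message automatically; the resolver argument exists so the classification can be checked offline and so the "dig gives no answer" case is handled as a verdict rather than a crash.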