@home security scans

Pyne, Jeffrey Jeffrey.Pyne@schwab.com
Fri, 10 Mar 2000 11:08:37 -0800


The @home mailing list is actually still around.  I just subscribed to it a
couple months ago.  It's pretty low volume.  I'll go a couple weeks without
getting any messages, and then I'll get 10 in one day.  I can't for the life
of me remember how I subscribed-- it was either through
majordomo@legba.corp.sun.com or majordomo@ourplace.dhs.org.  The address
from which the messages come is unix-athome@ourplace.dhs.org, though, so it
was probably the latter.  IIRC, the machine from which everyone was talking
about being scanned was called ops-scan, but I don't remember the FQN.
Interestingly, when they were looking for misconfigured proxy and news
servers during the whole UDP threat, it seemed like they would poke port 80,
and, if they got a response, would check port 119.  Maybe they were just
killing 1-1/2 birds with one stone?

> ----------
> From: 	Shawn T. Rutledge[SMTP:rutledge@cx47646-a.phnx1.az.home.com]
> Reply To: 	plug-discuss@lists.PLUG.phoenix.az.us
> Sent: 	Friday, March 10, 2000 10:13 AM
> To: 	plug-discuss@lists.PLUG.phoenix.az.us
> Subject: 	Re: @home security scans
> 
> On Fri, Mar 10, 2000 at 09:43:40AM -0700, sinck@corp.quepasa.com wrote:
> > And, in the FWIW department, I think 24.0.0.0/8 will block more than
> > @home, which the last report on PLUG I saw was only 24.1.x.x -
> > 24.14.x.x .  
> 
> Yeah it also blocks speedchoice, maybe others.  But the trouble is I've
> never seen a definitive answer on what their subnet really is.  This guy
> got scanned from a 24.0 address so evidently it goes beyond 24.1 - 24.14.
> > 
> > \_ Actually, they may wise up and start running those scans from a
> > \_ nameserver.  (It's what I would do.)  Then you would have to allow DNS
> > \_ through while blocking all other ports from that IP, instead of blanket
> > \_ denying the IP.
> > 
> > What I'm more concerned with is if they don't scan from 24.x.....
> 
> Yep.  I would hope they don't get that paranoid.  Anyway there's still
> nothing I could do AFAIK to prevent a passive detection method (if they
> simply snoop all the packets and look for tcp packets going through to
> port 80 and getting a reply).  But when I was on the unix@home mailing
> list (now defunct AFAICT) there were a lot of people reporting that they
> got portscanned.  So I think that is their usual detection method.
> 
> _______________________________________________
> Plug-discuss mailing list  -  Plug-discuss@lists.PLUG.phoenix.az.us
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
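The thread describes the scanner's pattern (a poke at TCP port 80, then, if it answers, a check of port 119) and argues over whether to block all of 24.0.0.0/8 or only the narrower 24.1.x.x - 24.14.x.x range that PLUG had reported. Below is an added example, not code from the thread or from @home, that runs that correlation over firewall log lines and then reports which of the two candidate blocks would have covered each flagged source. The log lines are constructed for this example and use an assumed, ipchains-like format; the year (2000, taken from the message date), the 10-minute correlation window and the hostnames are assumptions.

```python
"""Correlate an '80 then 119' probe sequence from one source against one host,
then test the source against the two candidate block ranges from the thread.
Added example; log lines are constructed, not real @home traffic.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format, loosely modelled on an ipchains-era
# "Packet log:" syslog line; not taken from the original thread).
SAMPLE_LOG = """\
Mar 10 10:01:02 Packet log: input ACCEPT eth0 PROTO=6 24.0.5.17:3321 10.0.0.2:80 L=60 SYN
Mar 10 10:01:03 Packet log: input DENY eth0 PROTO=6 24.0.5.17:3322 10.0.0.2:119 L=60 SYN
Mar 10 10:05:00 Packet log: input ACCEPT eth0 PROTO=6 198.51.100.9:40000 10.0.0.2:80 L=60 SYN
Mar 10 10:07:30 Packet log: input ACCEPT eth0 PROTO=6 24.3.77.1:2000 10.0.0.2:80 L=60 SYN
Mar 10 11:30:00 Packet log: input DENY eth0 PROTO=6 24.3.77.1:2001 10.0.0.2:119 L=60 SYN
Mar 10 12:00:00 Packet log: input DENY eth0 PROTO=6 203.0.113.4:5555 10.0.0.2:119 L=60 SYN
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) Packet log: "
    r"\S+ \S+ \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line, year=2000):
    """Parse one constructed log line; returns None for lines that do not match.
    The syslog timestamp carries no year, so one is assumed (2000 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "proto": int(m["proto"]), "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}


def find_probe_sequences(log_text, first_port=80, second_port=119,
                         window_seconds=600):
    """Return sorted (src, dst) pairs where src touched first_port on dst and
    then second_port on the same dst within window_seconds (TCP only)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != 6:
            continue
        events[(rec["src"], rec["dst"])].append((rec["ts"], rec["dport"]))

    hits = []
    for key, evs in events.items():
        evs.sort()
        first_hits = [ts for ts, port in evs if port == first_port]
        for ts, port in evs:
            if port != second_port:
                continue
            # Second probe must come at or after a first-port probe, within the window.
            if any(0 <= (ts - t0).total_seconds() <= window_seconds
                   for t0 in first_hits):
                hits.append(key)
                break
    return sorted(hits)


# The two candidate blocks argued over in the thread.
WHOLE_SLASH8 = [ipaddress.ip_network("24.0.0.0/8")]
NARROW_RANGE = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("24.1.0.0"), ipaddress.ip_address("24.14.255.255")))


def covered_by(addr, networks):
    """True if addr falls inside any of the given networks."""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in networks)


def classify_sources(log_text, **kwargs):
    """For each flagged source, report whether each candidate block covers it."""
    out = {}
    for src, _dst in find_probe_sequences(log_text, **kwargs):
        out[src] = {"slash8": covered_by(src, WHOLE_SLASH8),
                    "narrow": covered_by(src, NARROW_RANGE)}
    return out


if __name__ == "__main__":
    for src, cover in classify_sources(SAMPLE_LOG).items():
        print(f"{src}: blocked by 24.0.0.0/8={cover['slash8']}, "
              f"by 24.1-24.14={cover['narrow']}")
```

With the default 10-minute window only 24.0.5.17 is flagged, and it sits inside 24.0.0.0/8 but outside 24.1.0.0 - 24.14.255.255, which is exactly the case the thread raises. Widening the window to two hours also catches 24.3.77.1, whose 119 probe came well after its 80 probe; the window is the knob that trades false positives against slow scans.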