A friend of mine has Cox for his ISP. I was over at his place recently and noticed the activity light on his cable modem was blinking constantly for the hour and a half I was there. I mentioned this to my friend and told him the machine might have spyware on it. This guy's machine was a hacker's dream. He didn't have any anti-spyware software installed. He had Norton antivirus but hadn't updated it in the several years he's owned the machine.

I updated Norton and scanned the machine. It didn't have any viruses. I installed Spybot, updated it and ran it. It found a lot of stuff, but got rid of it all. Even after all this, the activity light on the modem kept blinking. A few days later I brought a Knoppix CD and booted from it. Even running Knoppix from a CD the activity light was blinking. I eventually installed Mandrake on the machine and ran tcpdump and saw that data was going between that machine and various cox.net machines.

Why is Cox constantly scanning customers' machines? Why do they need to do this constantly?

--
In 08 vote for a crook you can trust.
Del Boy for President.
http://www.ofah.net

On Tue, 7 Dec 2004, Bill Warner wrote:

> apt-get install portsentry
>
> do some quick reading up on it. It keeps people from randomly poking
> your box looking for a vulnerability by blocking people, on the fly, that
> poke more than a configurable number of ports. With the option of
> returning a greeting message :)
>
> It also keeps COX from being able to scan your system as a side benefit.
>
> -Bill
>
> On Tue, 2004-12-07 at 13:26 -0700, June Tate wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Hey folks,
> >
> > I've been a bit of a long time lurker on this list, but I've recently
> > come up with a bit of a problem.
> > Somebody, somewhere out on the 'net is
> > attempting to crack into my home server -- unfortunately, they seem to
> > be either using a few hundred zombie boxen on the 'net or spoofing their
> > IP addresses because each attack is coming from a completely different IP.
> >
> > The first time I noticed, I noticed a bunch of "Illegal user" error
> > messages in /var/log/auth.log. At first I didn't think much of it, but
> > since I've worked on the iptables firewall, I've noticed an almost
> > constant stream of incoming packets to random ports on my box, too.
> >
> > At first I thought he must have just found my box via an IP subnet scan
> > or something, but when I recently changed ISPs and IP addresses, he
> > followed via my domain name.
> >
> > My question is this: how can I track down this guy, blacklist, or
> > prevent him from breaching my defenses? Also, what should I do about
> > reporting him to the authorities? Who should I contact about this?
> >
> > I've tried looking up his various IPs in the whois databases to no avail
> > - -- they list him as coming from Tokyo, Taiwan, South Africa, San
> > Diego, etc.
> >
> > My server is running Debian Linux, for reference.
> >
> > - --
> > June Tate * http://www.theonelab.com * june@theonelab.com
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.2.4 (GNU/Linux)
> > Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
> >
> > iD8DBQFBthH8iLw1iDrV/zwRAiCeAJwPPONOvIGvZoz9adMsUn0hrLFsGgCfUEO5
> > KP+6fLu8ghnczqPpFB2AEKc=
> > =1ye8
> > -----END PGP SIGNATURE-----
> > ---------------------------------------------------
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > To subscribe, unsubscribe, or to change your mail settings:
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> --
> Bill Warner
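
Added example, not part of the original thread: the quoted report describes "Illegal user" entries in /var/log/auth.log arriving from a different address each time, so this sketch tallies such entries per source and shows how many stay under a per-source threshold. The log line format, the sample lines and the `summarize` helper are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of the "Illegal user" sshd messages
# mentioned in the thread; host, users and addresses are made up
# (addresses come from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Dec  7 13:01:02 home sshd[2101]: Illegal user test from 192.0.2.10
Dec  7 13:01:09 home sshd[2103]: Illegal user admin from 198.51.100.7
Dec  7 13:01:15 home sshd[2107]: Illegal user guest from 203.0.113.44
Dec  7 13:01:21 home sshd[2110]: Illegal user test from 192.0.2.10
Dec  7 13:01:30 home sshd[2114]: Illegal user oracle from 198.51.100.99
Dec  7 13:02:02 home sshd[2120]: Accepted password for june from 192.0.2.200 port 4021 ssh2
Dec  7 13:02:40 home sshd[2125]: Illegal user admin from 203.0.113.8
"""

# Assumed format: "... sshd[pid]: Illegal user NAME from ADDR".
# Later OpenSSH releases say "Invalid user", so both spellings are accepted.
PATTERN = re.compile(
    r"sshd\[\d+\]: (?:Illegal|Invalid) user (\S+) from (\d{1,3}(?:\.\d{1,3}){3})"
)

def summarize(log_text, per_ip_threshold=3):
    """Tally unknown-user login probes per source address and per username."""
    by_ip = Counter()
    by_user = defaultdict(set)
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        user, ip = m.groups()
        by_ip[ip] += 1
        by_user[user].add(ip)
    # Sources that a simple per-address counter would flag.
    flagged = sorted(ip for ip, n in by_ip.items() if n >= per_ip_threshold)
    # Probes from sources that never reach the threshold.
    below = sum(n for ip, n in by_ip.items() if ip not in flagged)
    # The same username tried from several addresses hints at one campaign.
    shared = {u: sorted(ips) for u, ips in by_user.items() if len(ips) > 1}
    return {"total": sum(by_ip.values()), "sources": len(by_ip),
            "flagged": flagged, "below_threshold": below,
            "shared_users": shared}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

With the constructed sample, no single address reaches the default threshold even though six probes arrive, which is the pattern a per-source counter alone does not surface.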