intrusion detection

Author: Lowell Hamilton
Date:  
Subject: intrusion detection
Looks like someone synscanning (flags:S) you for obvious
vulnerabilities. There are no 3-way handshakes in the log so they were
only checking for open ports and not checking for vulnerable versions of
each piece of software (unless your firewall only detects the SYNs)

Dshield shows this host has a pretty bad reputation:
http://dshield.org/subnet.php?subnet=207.33.111.34&Submit=Submit

I would toss it out as just random scanning unless you start seeing
actual traffic (3-way handshakes) from that host.

Lowell

-- 
: Lowell Hamilton     syz@b r o k e n - b i t . c o m :
: Linux  OpenBSD  IDS/firewall  Security  QMail  Perl :

Eric wrote:
>
> Hi,
>
> My heart began to race when I saw this in one of my logs. If anyone can
> read this log so as to divine whether this attempted hack was or may have
> been successful, I would love to listen. I know that this is not the ideal
> place to post this. Sorry if it offends.
>
> FWIN,2001/12/22,19:57:38 -8:00 GMT,63.26.74.158:1665,63.137.xx.xx:80,TCP
> (flags:S)
> FWIN,2001/12/22,23:50:12 -8:00 GMT,209.213.211.133:137,63.137.xx.xx:137,UDP
> FWIN,2001/12/23,00:14:44 -8:00 GMT,131.220.233.203:22,63.137.xx.xx:22,TCP
> (flags:S)
> FWIN,2001/12/23,01:43:15 -8:00 GMT,207.33.111.34:4642,63.137.xx.xx:137,UDP
> FWIN,2001/12/23,01:43:25 -8:00 GMT,207.33.111.34:2604,63.137.xx.xx:80,TCP
> (flags:S)

<snip>
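Lowell's rule of thumb (SYN-only entries from a host are a port sweep; anything beyond a bare SYN from that host deserves a closer look) applied to the FWIN log format Eric posted, as an added example that is not part of the original thread. It assumes the comma-separated FWIN layout shown above and uses constructed sample records with documentation addresses, not the thread's hosts.

```python
import re
from collections import defaultdict

# Constructed sample in the "FWIN" log format quoted in the thread (RFC 5737
# documentation addresses); the "(flags:X)" note is wrapped as in the original post.
SAMPLE_LOG = """\
FWIN,2001/12/23,01:43:15 -8:00 GMT,198.51.100.7:4642,192.0.2.10:137,UDP
FWIN,2001/12/23,01:43:25 -8:00 GMT,198.51.100.7:2604,192.0.2.10:80,TCP
(flags:S)
FWIN,2001/12/23,02:10:00 -8:00 GMT,203.0.113.5:1665,192.0.2.10:80,TCP
(flags:S)
FWIN,2001/12/23,02:10:01 -8:00 GMT,203.0.113.5:1665,192.0.2.10:80,TCP
(flags:A)
"""
FLAGS_RE = re.compile(r"\(flags:([A-Z]+)\)")

def unwrap(text):
    """Re-join "(flags:...)" fragments that were wrapped onto the next line."""
    lines = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("(flags:") and lines:
            lines[-1] += " " + line
        elif line:
            lines.append(line)
    return lines

def parse_fwin(line):
    """Parse one FWIN record (type,date,time,src,dst,proto [flags]) or return None."""
    f = line.split(",")
    if len(f) < 6 or f[0] != "FWIN":
        return None
    src_ip, src_port = f[3].rsplit(":", 1)
    dst_ip, dst_port = f[4].rsplit(":", 1)
    m = FLAGS_RE.search(f[5])
    return {"src_ip": src_ip, "src_port": int(src_port), "dst_ip": dst_ip,
            "dst_port": int(dst_port), "proto": f[5].split()[0],
            "flags": m.group(1) if m else None}

def classify_sources(text):
    """Per source IP: (proto, dst_port) pairs touched and whether every logged TCP
    packet was a bare SYN (the port-sweep pattern). Any other flag means more than
    a probe reached the log; a firewall that logs only SYNs cannot tell the two apart."""
    hosts = defaultdict(lambda: {"ports": set(), "syn_only": True})
    for rec in filter(None, map(parse_fwin, unwrap(text))):
        h = hosts[rec["src_ip"]]
        h["ports"].add((rec["proto"], rec["dst_port"]))
        if rec["proto"] == "TCP" and rec["flags"] != "S":
            h["syn_only"] = False
    return dict(hosts)
```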