OK, looking at my log file from my firewall reveals that now I've got people trying to get through my firewall from...
66.189.81.226 (and 246) (http connect attempts)
62.163.126.100 (same domain as yesterday)
How do I track them back to the ISPs and send a message to their abuse@ address?
Someone's trying to ping me from 66.189.24.226 as well.
Am I being paranoid or could my ISP be trying to crack my firewall to see if I've got any servers running?
Time to batten down the hatches...
Wes
Looking at my log file from my firewall reveals that now I've got people trying to get through my firewall from...
66.189.81.226 (and 246) (http connect attempts)
62.163.126.100 (same domain as yesterday)
How do I track them back to the ISPs and send a message to their abuse@ address?
Someone's trying to ping me from 66.189.24.226 as well.

[dogbert@ladyluck /]$ host 66.189.81.226
226.81.189.66.in-addr.arpa domain name pointer cpe-66-189-81-226.ma.charter.com.
[dogbert@ladyluck /]$ host 62.163.126.100
100.126.163.62.in-addr.arpa domain name pointer a126100.upc-a.chello.nl.
[dogbert@ladyluck /]$ host 66.189.24.226
226.24.189.66.in-addr.arpa domain name pointer cpe-66-189-24-226.ma.charter.com.

Am I being paranoid or could my ISP be trying to crack my firewall to see if I've got any servers running?
Port scanning isn't illegal; I wouldn't be that concerned unless something actually gets broken into, and it doesn't sound like you're in imminent danger of that. There's a lot of noise that's gonna show up in firewall or PortSentry-type logs, especially on cable or DSL IP ranges; I really don't pay it much attention myself. It's your call, of course.

Brian J. Conway bconway@wpi.edu
"LINUX is obsolete" - Andrew S. Tanenbaum, creator of Minix - Jan 29, 1992
I would have to agree. If you have DSL/broadband, it seems that you are bound to get these "random" hits. Like Charles said, most are the http IIS virus which you don't need to "worry" about. My PPC Linux box gets tons of the http hits which I just ignore, as well as the occasional SSH hits, and anonymous FTP (which anon is turned off). Actually I am surprised you only got 2 http hits. Usually a few an hour for me. Anyway, just keep tabs on your daily logs. Possibly install log analysis tools. Actually, if you have openssh installed, I believe it installs a neat simple script called "logcheck.sh". It doesn't do much, but shows failed login attempts etc. Start a crontab and have it email you the results.

PS if you're running Intel definitely keep up to date on patches; or is this no longer true (i.e. asm buffer code etc)?

-jeremy
no warranty included

--- "Brian J. Conway" <bconway@WPI.EDU> wrote:
Looking at my log file from my firewall reveals that now I've got people trying to get through my firewall from...
66.189.81.226 (and 246) (http connect attempts)
62.163.126.100 (same domain as yesterday)
How do I track them back to the ISPs and send a message to their abuse@ address?
Someone's trying to ping me from 66.189.24.226 as well.

[dogbert@ladyluck /]$ host 66.189.81.226
226.81.189.66.in-addr.arpa domain name pointer cpe-66-189-81-226.ma.charter.com.
[dogbert@ladyluck /]$ host 62.163.126.100
100.126.163.62.in-addr.arpa domain name pointer a126100.upc-a.chello.nl.
[dogbert@ladyluck /]$ host 66.189.24.226
226.24.189.66.in-addr.arpa domain name pointer cpe-66-189-24-226.ma.charter.com.

Am I being paranoid or could my ISP be trying to crack my firewall to see if I've got any servers running?

Port scanning isn't illegal; I wouldn't be that concerned unless something actually gets broken into, and it doesn't sound like you're in imminent danger of that. There's a lot of noise that's gonna show up in firewall or PortSentry-type logs, especially on cable or DSL IP ranges; I really don't pay it much attention myself. It's your call, of course.

Brian J. Conway bconway@wpi.edu
"LINUX is obsolete" - Andrew S. Tanenbaum, creator of Minix - Jan 29, 1992

_______________________________________________
Wlug mailing list
Wlug@mail.wlug.org
http://mail.wlug.org/mailman/listinfo/wlug
It does not really look like someone is trying to break through your firewall; they are not sending ACKs or anything strange, they are simply trying to view content on your httpd server which you are not running, I guess. Have they scanned any other ports (other than the ICMP ping)? If I saw a port scan or ACK packets I would be more concerned. If you have a dynamic IP it could be someone trying to return to a site they were at before... Usually a break-in attempt will cause a lot more traffic than an http request.

Jason

On Thu, 2002-04-18 at 08:05, Wesley Allen wrote:
OK, looking at my log file from my firewall reveals that now I've got people trying to get through my firewall from...
66.189.81.226 (and 246) (http connect attempts)
62.163.126.100 (same domain as yesterday)
How do I track them back to the ISPs and send a message to their abuse@ address?
Someone's trying to ping me from 66.189.24.226 as well.
Am I being paranoid or could my ISP be trying to crack my firewall to see if I've got any servers running?
Time to batten down the hatches...
Wes
On Thu, Apr 18, 2002 at 08:39:00AM -0400, Jason Calvert wrote:
calvert> It does not really look like some one is trying to break through your
calvert> file wall, they are not sending acks or anything strange, they are
calvert> simply trying to view content on your httpd server which you are not
calvert> running I guess. Have they scanned any other ports?(other than the ICMP
calvert> ping?) If I saw an port scan or ack packets I would be more concerned.
calvert> If you have a dynamic IP it could be someone trying to return to a site
calvert> they were at before...
calvert> Usually a break in attempt will cause a lot more traffic that a http
calvert> request.

Actually, unsolicited http requests like this are usually viruses like Code Red or Nimda.

Sometimes the IP address doesn't have a DNS reversal. In either case, I like to look them up in ARIN/RIPE/APNIC:

whois 66.189.81.226@whois.arin.net
[whois.arin.net]
Charter Communications (NETBLK-CHARTER-NET-5BLK)
   CHARTER-NET-5BLK        66.188.0.0 - 66.191.255.255
Charter Communications (NETBLK-OXFD-MA-66-189-080)
   OXFD-MA-66-189-080      66.189.80.0 - 66.189.83.255

To single out one record, look it up with "!xxx", where xxx is the handle, shown in parenthesis following the name, which comes first.

The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information.

whois \!NETBLK-OXFD-MA-66-189-080@whois.arin.net
[whois.arin.net]
Charter Communications (NETBLK-OXFD-MA-66-189-080)
   12405 Powerscourt Dr.
   St. Louis, MO 63131
   US

   Netname: OXFD-MA-66-189-080
   Netblock: 66.189.80.0 - 66.189.83.255

   Coordinator:
      Charter Communications (ZC119-ARIN) ipaddressing@chartercom.com
      314-965-0555

   Domain System inverse mapping provided by:

   NS1.CHARTER.COM   24.196.241.11
   NS2.CHARTER.COM   24.213.60.79

   Record last updated on 12-Dec-2001.
   Database last updated on 17-Apr-2002 19:59:25 EDT.

The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information.

If the results come up with RIPE, redo the query with whois.ripe.net. If the results come up with APNIC, use whois.apnic.net.

--
Charles R. Anderson <cra@wpi.edu> / http://angus.ind.wpi.edu/~cra/
PGP Key ID: 49BB5886 Fingerprint: EBA3 A106 7C93 FA07 8E15 3AC2 C367 A0F9 49BB 5886
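An added example, not part of the thread and not anyone's posted code, that ties together Jason's triage heuristic (a lone HTTP request or a ping versus a source touching many ports) with the two lookups Charles and Brian show: it parses netfilter-style firewall log lines, summarises hits per source address with a verdict, derives the in-addr.arpa name that `host` queries for the PTR record, and carries a plain port-43 whois query (RFC 3912) for the ARIN/RIPE/APNIC step. The log lines are constructed for the example, the four-distinct-ports scan threshold is an assumption rather than any standard, and the whois helper needs network access so it is not exercised offline.

```python
import re
import socket
from collections import defaultdict

# Constructed netfilter-style log lines (not from the thread), mirroring its
# cases: lone HTTP connects, a single ping, and one source probing several ports.
SAMPLE_LOG = """\
Apr 18 07:58:10 ladyluck kernel: IN=ppp0 OUT= SRC=66.189.81.226 DST=10.0.0.2 PROTO=TCP SPT=3421 DPT=80 SYN
Apr 18 07:59:44 ladyluck kernel: IN=ppp0 OUT= SRC=66.189.81.246 DST=10.0.0.2 PROTO=TCP SPT=1182 DPT=80 SYN
Apr 18 08:00:02 ladyluck kernel: IN=ppp0 OUT= SRC=66.189.24.226 DST=10.0.0.2 PROTO=ICMP TYPE=8 CODE=0
Apr 18 08:01:15 ladyluck kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=10.0.0.2 PROTO=TCP SPT=40001 DPT=21 SYN
Apr 18 08:01:15 ladyluck kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=10.0.0.2 PROTO=TCP SPT=40002 DPT=22 SYN
Apr 18 08:01:16 ladyluck kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=10.0.0.2 PROTO=TCP SPT=40003 DPT=23 SYN
Apr 18 08:01:16 ladyluck kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=10.0.0.2 PROTO=TCP SPT=40004 DPT=25 SYN
Apr 18 08:01:17 ladyluck kernel: IN=ppp0 OUT= SRC=192.0.2.77 DST=10.0.0.2 PROTO=TCP SPT=40005 DPT=80 SYN
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_log(text):
    """Return one dict of KEY=VALUE fields per kernel/netfilter log line."""
    events = []
    for line in text.splitlines():
        if "kernel:" not in line or "SRC=" not in line:
            continue  # skip lines that are not packet log entries
        events.append(dict(FIELD_RE.findall(line)))
    return events

# Assumed threshold for this example: a source touching this many distinct
# destination ports is treated as a scan rather than a stray request.
SCAN_PORT_THRESHOLD = 4

def classify(events):
    """Per source address: hit count, distinct TCP/UDP ports, echo requests, verdict."""
    per_src = defaultdict(lambda: {"hits": 0, "ports": set(), "pings": 0})
    for ev in events:
        rec = per_src[ev["SRC"]]
        rec["hits"] += 1
        proto = ev.get("PROTO")
        if proto in ("TCP", "UDP") and "DPT" in ev:
            rec["ports"].add(int(ev["DPT"]))
        elif proto == "ICMP" and ev.get("TYPE") == "8":  # ICMP echo request
            rec["pings"] += 1
    result = {}
    for src, rec in per_src.items():
        ports = rec["ports"]
        if len(ports) >= SCAN_PORT_THRESHOLD:
            verdict = "possible port scan"
        elif ports == {80}:
            verdict = "web probe (typical of Code Red/Nimda-style worms)"
        elif not ports and rec["pings"]:
            verdict = "ping only"
        else:
            verdict = "unclassified"
        result[src] = {"hits": rec["hits"], "ports": sorted(ports),
                       "pings": rec["pings"], "verdict": verdict}
    return result

def reverse_name(ip):
    """The in-addr.arpa name a PTR lookup asks for (what `host <ip>` resolves)."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def whois_raw(query, server="whois.arin.net", port=43, timeout=10):
    """Plain RFC 3912 whois: send one query line, read until the server closes.
    The query text (an address, or a handle such as !NETBLK-...) is passed
    through unchanged; follow any RIPE/APNIC referral by changing `server`.
    Needs network access, so it is not exercised offline."""
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall((query + "\r\n").encode("ascii"))
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", "replace")

if __name__ == "__main__":
    for src, info in sorted(classify(parse_log(SAMPLE_LOG)).items()):
        print(src, reverse_name(src), info["verdict"], info["ports"], info["pings"])
```

Run against a real log, the per-source summary is what decides whether a contact to the netblock's abuse address is worth the effort: a single port-80 SYN from a cable-modem address is the worm noise the thread describes, while one address walking several ports in a second is the case Jason says he would be more concerned about. The whois text that comes back still has to be read by eye, exactly as in Charles's transcript above.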
Yes I agree, but since it came with a ping and only once, I figured it was not a worm but a person on the other end.

On Thu, 2002-04-18 at 08:50, Charles R. Anderson wrote:
On Thu, Apr 18, 2002 at 08:39:00AM -0400, Jason Calvert wrote:
calvert> It does not really look like some one is trying to break through your
calvert> file wall, they are not sending acks or anything strange, they are
calvert> simply trying to view content on your httpd server which you are not
calvert> running I guess. Have they scanned any other ports?(other than the ICMP
calvert> ping?) If I saw an port scan or ack packets I would be more concerned.
calvert> If you have a dynamic IP it could be someone trying to return to a site
calvert> they were at before...
calvert> Usually a break in attempt will cause a lot more traffic that a http
calvert> request.

Actually, unsolicited http requests like this are usually viruses like Code Red or Nimda.

Sometimes the IP address doesn't have a DNS reversal. In either case, I like to look them up in ARIN/RIPE/APNIC:

whois 66.189.81.226@whois.arin.net
[whois.arin.net]
Charter Communications (NETBLK-CHARTER-NET-5BLK)
   CHARTER-NET-5BLK        66.188.0.0 - 66.191.255.255
Charter Communications (NETBLK-OXFD-MA-66-189-080)
   OXFD-MA-66-189-080      66.189.80.0 - 66.189.83.255

To single out one record, look it up with "!xxx", where xxx is the handle, shown in parenthesis following the name, which comes first.

The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information.

whois \!NETBLK-OXFD-MA-66-189-080@whois.arin.net
[whois.arin.net]
Charter Communications (NETBLK-OXFD-MA-66-189-080)
   12405 Powerscourt Dr.
   St. Louis, MO 63131
   US

   Netname: OXFD-MA-66-189-080
   Netblock: 66.189.80.0 - 66.189.83.255

   Coordinator:
      Charter Communications (ZC119-ARIN) ipaddressing@chartercom.com
      314-965-0555

   Domain System inverse mapping provided by:

   NS1.CHARTER.COM   24.196.241.11
   NS2.CHARTER.COM   24.213.60.79

   Record last updated on 12-Dec-2001.
   Database last updated on 17-Apr-2002 19:59:25 EDT.

The ARIN Registration Services Host contains ONLY Internet Network Information: Networks, ASN's, and related POC's. Please use the whois server at rs.internic.net for DOMAIN related Information and whois.nic.mil for NIPRNET Information.

If the results come up with RIPE, redo the query with whois.ripe.net. If the results come up with APNIC, use whois.apnic.net.

--
Charles R. Anderson <cra@wpi.edu> / http://angus.ind.wpi.edu/~cra/
PGP Key ID: 49BB5886 Fingerprint: EBA3 A106 7C93 FA07 8E15 3AC2 C367 A0F9 49BB 5886
On Thursday 18 April 2002 08:05 am, Wesley Allen wrote:
OK, looking at my log file from my firewall reveals that now I've got people trying to get through my firewall from...
66.189.81.226 (and 246) (http connect attempts)
62.163.126.100 (same domain as yesterday)
How do I track them back to the ISPs and send a message to their abuse@ address?
Someone's trying to ping me from 66.189.24.226 as well.
Am I being paranoid or could my ISP be trying to crack my firewall to see if I've got any servers running?
Time to batten down the hatches...
Wes
Hi Wes,

They're out there! I had the same problem when I set up an http site to debug an app I was working on. I kinda forgot about it and kept getting virus droppings in my scripts directory. Eventually I figured out what was going on and tightened the security on the site so I was the only one who had write access, and that stopped it. I think there are folks who have nothing better to do than to write webbots to look for things inside their ISP's domain. As long as you have adequate protection against write access, you're probably OK. Some of the accesses were from machines operated by my ISP. I don't know what they were for :-}

--Skip
Another fun toy for the paranoid is lsof - a really nifty process tool. Shows ALL the stuff running on your machine and who's running it. Maybe check for rootkits and stuff like that. :) But I agree with the other guys... I get tons of http and ftp and even some ssh hits every day. Of course, Earthlink's network - especially in my IP range - is littered with Nimda and Code Red IIS machines. Scary...

-jeff
participants (7)
- Brian J. Conway
- Charles R. Anderson
- Jason Calvert
- jeff
- Jeremy
- Skip Gaede
- Wesley Allen