Re: [OT] after portscan
On Tue, Sep 05, 2000 at 11:47:32AM +0200, ISM Kolemanov, Ivan wrote:
> hi again helpful people in misc,
>
> Which steps I have to do in such a "standard" case:
>
> Sep 4 21:31:43 211.34.121.57:2429 -> x.y.z.xy0:21 SYN **S*****
> ...
> Sep 4 21:31:43 211.34.121.57:2443 -> x.y.z.254:21 SYN **S*****
>
> OK, in this case I'm not really afraid, it looks like smb
> just started an ftp probe in a big range of IPs
> and I have no ftp server running, and feel good with
> OpenBSD system + Snort as IDS
> but what do I have to do in such situations,
> probably I have to contact his ISP?
Honestly I dunno, and would like to see comments about some common
practice.
> and how to define it?
I'd do "dig -x 211.34.121.57 soa", which results in:
; <<>> DiG 2.2 <<>> -x soa
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36748
;; flags: qr rd ra; Ques: 1, Ans: 0, Auth: 1, Addit: 0
;; QUESTIONS:
;; 57.121.34.211.in-addr.arpa, type = SOA, class = IN
;; AUTHORITY RECORDS:
34.211.in-addr.arpa. 10222 SOA ns.krnic.net. domain.krnic.net. (
1999122121 ; serial
21600 ; refresh (6 hours)
900 ; retry (15 mins)
604800 ; expire (7 days)
43200 ) ; minimum (12 hours)
;; Total query time: 26 msec
;; FROM: comrade to SERVER: default -- xxx.xxx.xxx.xxx
;; WHEN: Tue Sep 5 12:07:39 2000
;; MSG SIZE sent: 44 rcvd: 118
So it seems krnic.net (Korean ISP?) is authoritative for that range
of IP addresses. abuse@krnic.net is the way to go?
> traceroute 211.34.121.57
> ...
> 18 teleglobe.ny2-gw.customer.ALTER.NET (157.130.4.166) 372.59 ms
> teleglobe-gw.customer.alter.net (157.130.5.218) 321.318 ms 563.356 ms
> 19 if-0-0.core1.NewYork.Teleglobe.net (207.45.221.97) 258.22 ms 275.539
> ms *
> 20 * if-3-0.core1.PaloAlto.Teleglobe.net (207.45.222.177) 319.379 ms
> 419.846 ms
> 21 if-3-0.core1.Seattle.Teleglobe.net (207.45.223.74) 336.904 ms 348.585
> ms 434.562 ms
> 22 * if-3-0.core1.Burnaby.Teleglobe.net (207.45.222.86) 431.677 ms
> 492.954 ms
> 23 if-1-0.core2.LakeCowichan.Teleglobe.net (207.45.223.174) 356.243 ms
> 504.686 ms 480.54 ms
> 24 if-11-0-0.bb3.LakeCowichan.Teleglobe.net (207.45.222.110) 535.302 ms *
> 257.395 ms
> 25 ix-4-0-0.bb3.LakeCowichan.Teleglobe.net (207.45.211.102) 1170.856 ms
> 1160.818 ms 1220.668 ms
> 26 * 202.30.90.5 (202.30.90.5) 1431.386 ms 1097.884 ms
> 27 202.30.90.9 (202.30.90.9) 993.712 ms 1041.541 ms 1118.923 ms
> 28 202.30.90.1 (202.30.90.1) 1178.533 ms 1063.533 ms 1159.69 ms
> 29 202.30.94.6 (202.30.94.6) 1402.126 ms 999.289 ms 1194.884 ms
> 30 210.104.13.117 (210.104.13.117) 971.940 ms 202.30.94.130
> (202.30.94.130) 1092.677 ms *
> 31 210.100.139.158 (210.100.139.158) 1040.280 ms * 1090.352 ms
> 32 210.95.28.126 (210.95.28.126) 1199.438 ms 210.104.217.118
> (210.104.217.118) 978.729 ms 210.104.217.114 (210.104.217.114) 1078.909 ms
> 33 RFC1918-Host (192.168.137.158) 952.505 ms 1304.449 ms 1091.662 ms
> 34 211.34.121.57 (211.34.121.57) 1043.118 ms 1170.166 ms 1038.541 ms
>
> can anybody give me an idea about "33"
33 is a host with a LAN IP address (as defined in RFC1918); those
ranges are:
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
It's usual practice to give LAN addresses to routers; this doesn't
affect the connections they serve. IMHO it's silly that its packets
aren't filtered and go out to the world...
--
Denis A. Doroshenko
Omnitel Ltd., Sevcenkos 25, Vilnius 2600, Lithuania
mailto:d.doroshenko@omnitel.net
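As an added example (not part of this thread), a short Python triage of the Snort portscan lines quoted above: it groups entries by source, flags RFC 1918 sources like hop 33 as unreportable, and builds the in-addr.arpa name that the reply's "dig -x ... soa" lookup resolves to find the responsible registry or ISP. The log sample is constructed and the function names are assumptions, not anything from Snort or the poster.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the Snort portscan-log shape quoted above; the x.y.z.*
# targets are replaced with 203.0.113.* documentation addresses.
SAMPLE_LOG = """\
Sep 4 21:31:43 211.34.121.57:2429 -> 203.0.113.10:21 SYN **S*****
Sep 4 21:31:43 211.34.121.57:2431 -> 203.0.113.11:21 SYN **S*****
Sep 4 21:31:43 211.34.121.57:2443 -> 203.0.113.254:21 SYN **S*****
Sep 4 21:32:01 192.168.137.158:1025 -> 203.0.113.10:23 SYN **S*****
"""
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<src>[\d.]+):\d+\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+\S+\s+\S+$"
)
# The three RFC 1918 blocks listed in the reply.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_portscan_log(text):
    """Group portscan lines by source: set of targets and set of ports each one hit."""
    scans = defaultdict(lambda: {"dsts": set(), "ports": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # silently skip lines that are not portscan entries
            scans[m["src"]]["dsts"].add(m["dst"])
            scans[m["src"]]["ports"].add(int(m["dport"]))
    return dict(scans)

def is_rfc1918(ip):
    """True if ip is in a private block: nobody upstream can be asked about it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def reverse_name(ip):
    """in-addr.arpa name whose SOA record names the registry/ISP for the block."""
    return ipaddress.ip_address(ip).reverse_pointer

def triage(scans):
    """One line per scanning source: what it hit and which lookup to run next."""
    lines = []
    for src, e in sorted(scans.items()):
        what = f"{src} hit {len(e['dsts'])} host(s) on port(s) {sorted(e['ports'])}"
        if is_rfc1918(src):
            lines.append(f"{what}: RFC 1918 source, spoofed or leaked; no ISP to contact")
        else:
            lines.append(f"{what}: run 'dig -x {src} soa' ({reverse_name(src)}) for the abuse contact")
    return lines
```

Feed a real portscan.log to parse_portscan_log and print triage() of the result; the dig command it suggests is the one the reply runs by hand.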