Re: [OT] after portscan
The odyssey continues, and it even gets harder:
Snort report:
Sep 4 21:31:43 211.34.121.57:2429 -> x.y.z.xy0:21 SYN **S*****
...
Sep 4 21:31:43 211.34.121.57:2443 -> x.y.z.254:21 SYN **S*****
Sep 5 14:35:02 10.0.0.1:21 -> x.y.z.xy0:21 SYNFIN **SF****
...
Sep 5 14:35:02 10.0.0.1:21 -> x.y.z.254:21 SYNFIN **SF****
IPFilter log:
ipflog.0:Sep 5 14:26:23 tangra ipmon[31411]: 14:26:23.057576 xl0 @1:4 b 10.0.0.1,21 -> 255.255.255.255,21 PR tcp len 20 40 -SF IN
ipflog.0:Sep 5 14:26:23 tangra ipmon[31411]: 14:26:23.096216 xl0 @1:4 b 10.0.0.1,21 -> mygateIP,21 PR tcp len 20 40 -SF IN
ipflog.0:Sep 5 14:35:02 tangra ipmon[31411]: 14:35:02.038646 xl0 @1:4 b 10.0.0.1,21 -> my1st_DMZ-IP,21 PR tcp len 20 40 -SF IN
...
ipflog.0:Sep 5 14:35:05 tangra ipmon[31411]: 14:35:05.319257 xl0 @1:4 b 10.0.0.1,21 -> mylast_DMZ-IP,21 PR tcp len 20 40 -SF IN
Can anybody give me a hint how to determine who this 10.0.0.1 is,
coming in on my Internet-connected interface?
<snipped>
>The practice that's probably the most common is to ignore it, unless
>you think you're the specific[0] target.
>[0] That is, they're attacking *you*, and not just scanning huge ranges of
>IPs.
This log shows me that I'm the target ;)
>In general, if I have the time, I will make an effort to send the
>information to the right people. And if I feel that I'm being harassed
>or attacked, I'll make the time. But if I'm busy, I'll ignore them.
>(Rationalizing that someone else getting hit will have the time.)
The email to 'kgromc@soback.kornet21.net' hasn't been answered yet.
I got this email address from http://spamcop.net/hosttracker.shtml
btw, it's a nicely made page :)
Greetings,
Ivan Kolemanov
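
Added example, not part of the original message: a small Python triage of ipmon records like the ones quoted above, flagging the two anomalies visible in them (SYN and FIN set together, and an RFC 1918 source arriving inbound on the external interface). The function name `analyse`, the assumption that `xl0` is the external interface, and the second sample line are hypothetical.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# ipmon body: iface @group:rule action src,sport -> dst,dport PR proto len hlen plen -flags dir
IPMON_RE = re.compile(
    r"(?P<iface>\S+) @\d+:\d+ (?P<action>\S+) "
    r"(?P<src>[^,\s]+),(?P<sport>\d+) -> (?P<dst>[^,\s]+),(?P<dport>\d+) "
    r"PR (?P<proto>\S+) len \d+ \d+(?: -(?P<flags>[A-Z]+))? (?P<dir>IN|OUT)"
)

def analyse(line, external_ifaces=("xl0",)):
    """Return findings for one unwrapped ipmon line, or None if it does not parse."""
    m = IPMON_RE.search(line)
    if m is None:
        return None
    findings = []
    if m["proto"] == "tcp" and {"S", "F"} <= set(m["flags"] or ""):
        findings.append("SYN+FIN set together: not produced by a normal TCP handshake")
    try:
        src = ipaddress.ip_address(m["src"])
    except ValueError:
        return findings  # source is a hostname or a redacted placeholder
    if m["dir"] == "IN" and m["iface"] in external_ifaces and any(src in n for n in RFC1918):
        findings.append("RFC 1918 source inbound on external interface: "
                        "not traceable by whois, spoofed or leaked from an upstream network")
    return findings

# Sample input: the first line is a record from the message above, unwrapped;
# the second is constructed (documentation addresses) to show a clean result.
SAMPLE = [
    "ipflog.0:Sep 5 14:26:23 tangra ipmon[31411]: 14:26:23.057576 "
    "xl0 @1:4 b 10.0.0.1,21 -> 255.255.255.255,21 PR tcp len 20 40 -SF IN",
    "xl0 @0:1 p 192.0.2.10,40312 -> 198.51.100.5,80 PR tcp len 20 60 -S IN",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(analyse(line), "<-", line[-60:])
```

Because a 10.0.0.0/8 source has no public registration, the findings point at layer-2 evidence (the source MAC seen on the external segment) or the upstream provider rather than a whois lookup.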