[Snort-users] current activity from 203.117.137.130

Dr SuSE drsuse at ...748...
Sat Nov 4 15:03:25 EST 2000


What I usually do is scan the offending machine to see if there are any
ports open that might indicate that the machine has been
compromised.  Ports such as 1080, 31337, 12345, etc. are a good indication,
but it doesn't mean the machine has been rooted, since they could be
running Back Officer Friendly or Netbus detective, which would give a
false positive.
I then email the upper-level provider, since emailing to root of a possibly
hacked machine wouldn't do much good.
This is just my .02 cents.



Dr SuSE

"Microsoft is not installed"

On Sat, 4 Nov 2000, Jerry Shenk wrote:

> I'm currently being scanned by 203.117.137.130.  This is a computer in
> Singapore, it seems.  The box has all kinds of ports open... not sure what to
> do in a case like this.  Obviously there's no recourse on a machine in
> Singapore, but I'm not sure if it should be reported or what should be
> done... any ideas?
> 
> 
> --------------------------------------------------------------
> Jerry A. Shenk - MCNE, GIAC certified intrusion analyst
> Sr. Systems Engineer - Computer Networking Services
> D&E Communications, Inc.
> jshenk at ...514... (also jas at ...129...)
> 1-877-433-8632 Fax via efax: (603) 250-1453
> my website: http://jerryslinux.dyndns.org/jas