[Snort-users] current activity from 188.8.131.52
mark.rowlands at ...752...
Sun Nov 5 16:41:58 EST 2000
On Saturday 04 November 2000 20:03, Dr SuSE wrote:
> What I usually do is scan the offending machine to see if there are any
> ports open that might indicate that the machine has been
> compromised. Ports such as 1080, 31337, 12345, etc. are a good indication
> but it doesn't mean the machine has been rooted since they could be
> running Back Officer Friendly or Netbus detective which would give a
> false positive.
> I then email the upper level provider since emailing to root of a possibly
> hacked machine wouldn't do much good.
> This is just my .02 cents
> Dr SuSE
> "Microsoft is not installed"
> On Sat, 4 Nov 2000, Jerry Shenk wrote:
> > I'm currently being scanned by 184.108.40.206. This is a computer in
> > Singapore it seems. The box has all kinds of ports open....not sure what
> > to do in a case like this. Obviously there's no recourse on a machine
> > in Singapore but I'm not sure if it should be reported or what should be
> > done.....any ideas?
http://www.sans.org/y2k/contacting.htm is a nice little write-up of how
one might go about it. Personally I have found this ups the response rate
from ISPs to about 50%.