[Snort-users] current activity from 203.117.137.130

Mark Rowlands mark.rowlands at ...752...
Sun Nov 5 16:41:58 EST 2000


On Saturday 04 November 2000 20:03, Dr SuSE wrote:
> What I usually do is scan the offending machine to see if there are any
> ports open that might indicate that the machine has been
> compromised.  Ports such as 1080, 31337, 12345..etc are a good indication
> but it doesn't mean the machine has been rooted since they could be
> running Back Officer Friendly or Netbus detective which would give a
> false positive.
> I then email the upper level provider since emailing to root of a possibly
> hacked machine wouldn't do much good.
> This is just my .02 cents
>
>
>
> Dr SuSE
>
> "Microsoft is not installed"
>
> On Sat, 4 Nov 2000, Jerry Shenk wrote:
> > I'm currently being scanned by 203.117.137.130.  This is a computer in
> > Singapore it seems.  The box has all kinds of ports open....not sure what
> > to do in a case like this.  Obviously there's no recourse on a machine
> > in Singapore but I'm not sure if it should be reported or what should be
> > done.....any ideas?
> >
> >

http://www.sans.org/y2k/contacting.htm is a nice little write-up of how
one might go about it. Personally, I have found this ups the response rate
from ISPs to about 50%.


