Mailinglist Archive: opensuse (4343 mails)

Re: [SLE] iptables
  • From: jaakko tamminen <jaakko.tamminen@xxxxxxxxxx>
  • Date: Sat, 2 Nov 2002 20:04:05 +0200
  • Message-id: <200211022004.05410.jaakko.tamminen@xxxxxxxxxx>
Hi

As togan already replied, don't worry, because that is a M$-script kiddie
trying to get into an IIS server. You're out of danger.

And he also gave You instructions how to get rid of that message.

To scan from outside, You need someone who You can trust to do it.

Jaska.

On Saturday 02 November 2002 18:44, Rikard Johnels wrote:
> On Saturday 02 November 2002 18.23, jaakko tamminen wrote:
> > Hi
> >
> > > 213.66.14.220 - - [02/Nov/2002:16:46:13 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
> >
> > Someone is trying to see if they can creep in thru Your web-server...
> >
> > > And so forth...
> > > Is there a way to block them automagically, or do i have to do it "by
> > > hand"?
> >
> > From http://freshmeat.net You could find some clever scripts that can do
> > it.
> >
> > > Also: I nmap my gateway:
> > > server:~ # nmap -sT 213.66.182.24
> >
> > Did You do it from "outside" or from the gateway/LAN.. the result is
> > different.
> >
> > > Starting nmap V. 2.53 by fyodor@xxxxxxxxxxxx ( www.insecure.org/nmap/ )
> > > Interesting ports on qux.foo.bar (xxx.yyy.zzz.qqq):
> > > (The 1515 ports scanned but not shown below are in state: closed)
> > > Port State Service
> > > 21/tcp open ftp
> > > 22/tcp open ssh
> > > 80/tcp open http
> > > 111/tcp open sunrpc
> > > 139/tcp open netbios-ssn
> > > 631/tcp open unknown
> > > 1009/tcp open unknown
> > > 1025/tcp open listen
> > >
> > > Nmap run completed -- 1 IP address (1 host up) scanned in 1 second
> > >
> > > I run iptables and try to block 111,139,631,1009 and 1025
> > > iptables -A INPUT -p tcp --destination-port 111 -i eth0 -j DROP
> > > but it is still open if i check again. Why?
> >
> > Have a look in /etc/inetd.conf, some of the services might be there, and
> > come before the firewall in the incoming queue.
> >
> > Jaska.
>
> That someone is trying is obvious :)
> The thing is i have TWO attempts of the exact same type in less than 1 hr.
> [02/Nov/2002:16:09:41 +0100] and [02/Nov/2002:16:46:13 +0100]
> One address in Germany and one in Sweden.
> Go figure...
>
> I scanned from the "inside", that is from the server itself.
> I have no way of scanning from the outside at this point.. :(
> The inet.conf is "clean". (ie. Nothing enabled)
> So how can i check "myself"?
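
A sketch of the automatic blocking asked about in the thread, as an added example that is not from any of the posters: it reads Apache access-log lines, picks out requests for the IIS `root.exe` probe, and prints one DROP rule per source address in the same form as the `iptables` command quoted above. The sample log (apart from its first line, which is the one from the thread), the `cmd.exe` pattern, and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# Common Log Format: host ident user [time] "request" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)" \d{3} \S+')
# root.exe is the probe seen in the thread; cmd.exe is an assumed extra pattern.
PROBE = re.compile(r'/(root|cmd)\.exe(\?|$)', re.IGNORECASE)

# Constructed sample log; only the first line is taken from the thread.
SAMPLE_LOG = """\
213.66.14.220 - - [02/Nov/2002:16:46:13 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
192.0.2.7 - - [02/Nov/2002:16:50:02 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
198.51.100.9 - - [02/Nov/2002:17:01:02 +0100] "GET /index.html HTTP/1.0" 200 1043
192.0.2.7 - - [02/Nov/2002:17:05:10 +0100] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 270
not-an-ip - - [02/Nov/2002:17:06:00 +0100] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 270
"""


def probing_hosts(log_text, allowlist=()):
    """Return IPv4 sources, in first-seen order, that requested a probe path."""
    seen = []
    for line in log_text.splitlines():
        m = CLF.match(line)
        if not m:
            continue  # not a Common Log Format line
        host, request = m.groups()
        parts = request.split()
        if len(parts) < 2 or not PROBE.search(parts[1]):
            continue  # ordinary request
        try:
            ip = str(ipaddress.IPv4Address(host))
        except ValueError:
            continue  # hostname or junk: never let it reach a shell command
        if ip not in allowlist and ip not in seen:
            seen.append(ip)
    return seen


def drop_rules(ips, iface="eth0", port=80):
    """Build rule strings in the style used in the thread, one per source."""
    return [f"iptables -A INPUT -p tcp --destination-port {port} "
            f"-i {iface} -s {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    # Printed for review only; nothing is applied to the firewall.
    for rule in drop_rules(probing_hosts(SAMPLE_LOG)):
        print(rule)
```

Because `-A` appends to the end of the chain and the first matching rule wins, an earlier ACCEPT rule for port 80 would take precedence over these; `-I INPUT` inserts at the top instead.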


