On Saturday 02 November 2002 18.23, jaakko tamminen wrote:

Hi

...

213.66.14.220 - - [02/Nov/2002:16:46:13 +0100] "GET /scripts/root.exe? /c+dir HTTP/1.0" 404 270

Someone is trying to see if they can creep in thru Your web-server...

...

And so forth... Is there a way to block them automagically, or do i have to do it "by hand"?

From http://freshmeat.net You could find some clever scripts that can do it.

...

Also: I nmap my gateway: server:~ # nmap -sT 213.66.182.24

Did You do it from "outside" or from the gateway/LAN.. the result is different.

...

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) Interesting ports on qux.foo.bar (xxx.yyy.zzz.qqq): (The 1515 ports scanned but not shown below are in state: closed) Port State Service 21/tcp open ftp 22/tcp open ssh 80/tcp open http 111/tcp open sunrpc 139/tcp open netbios-ssn 631/tcp open unknown 1009/tcp open unknown 1025/tcp open listen

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

I run iptables and try to block 111,139,631,1009 and 1025 iptables -A INPUT -p tcp --destination-port 111 -i eth0 -j DROP but it is still open if i check again. Why?

Have a look in /etc/inetd.conf, some of the services might be there, and comes before the firewall in incoming queue.

Jaska.

That someone is trying is obvious :) The thing is i hav TWO attempts of the exact same type in less then 1 hr. [02/Nov/2002:16:09:41 +0100] and [02/Nov/2002:16:46:13 +0100] One address in Germany and one in Sweden. Go figure... I scanned from the "inside", that is from the server itself. I have no way of scanning from the outside at this point.. :( The inet.conf is "clean". (ie. Nothing enabled) So how can i check "myself"? -- /Rikard ------------------------------------------------------------------------------------ Rikard Johnels email : rjhn@linux.nu Web : http://www.rikjoh.com Mob : +46 70 464 99 39 ------------------------ Public PGP fingerprint ---------------------------- < 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >

On Saturday 02 November 2002 18.02, Togan Muftuoglu wrote:

* Rikard Johnels; on 02 Nov, 2002 wrote:

...

On Saturday 02 November 2002 18.23, jaakko tamminen wrote: I scanned from the "inside", that is from the server itself. I have no way of scanning from the outside at this point.. :( The inet.conf is "clean". (ie. Nothing enabled) So how can i check "myself"?

http://www.inprotect.com http://www.securityspace.com

They do scan you as long as you are willing to :-)

I added the linest suggested. I DO get the faq-access log, but still the old one too.. a lesser problem tho... What is the iptable syntax for blocking the specified ip? Is there any use reporting such attempts? -- /Rikard ------------------------------------------------------------------------------------ Rikard Johnels email : rjhn@linux.nu Web : http://www.rikjoh.com Mob : +46 70 464 99 39 ------------------------ Public PGP fingerprint ---------------------------- < 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >

Hi As togan already replied, don't worry, because that is a M$-script kiddie trying to get into an IIS server. Your our of danger. And he also gave You instructions how to rid of that message. To scan from outside, You need someone who You can trust to do it. Jaska. On Saturday 02 November 2002 18:44, Rikard Johnels wrote:

On Saturday 02 November 2002 18.23, jaakko tamminen wrote:

...

Hi

...

213.66.14.220 - - [02/Nov/2002:16:46:13 +0100] "GET /scripts/root.exe? /c+dir HTTP/1.0" 404 270

Someone is trying to see if they can creep in thru Your web-server...

...

And so forth... Is there a way to block them automagically, or do i have to do it "by hand"?

From http://freshmeat.net You could find some clever scripts that can do it.

...

Also: I nmap my gateway: server:~ # nmap -sT 213.66.182.24

Did You do it from "outside" or from the gateway/LAN.. the result is different.

...

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ ) Interesting ports on qux.foo.bar (xxx.yyy.zzz.qqq): (The 1515 ports scanned but not shown below are in state: closed) Port State Service 21/tcp open ftp 22/tcp open ssh 80/tcp open http 111/tcp open sunrpc 139/tcp open netbios-ssn 631/tcp open unknown 1009/tcp open unknown 1025/tcp open listen

Nmap run completed -- 1 IP address (1 host up) scanned in 1 second

I run iptables and try to block 111,139,631,1009 and 1025 iptables -A INPUT -p tcp --destination-port 111 -i eth0 -j DROP but it is still open if i check again. Why?

Have a look in /etc/inetd.conf, some of the services might be there, and comes before the firewall in incoming queue.

Jaska.

That someone is trying is obvious :) The thing is i hav TWO attempts of the exact same type in less then 1 hr. [02/Nov/2002:16:09:41 +0100] and [02/Nov/2002:16:46:13 +0100] One address in Germany and one in Sweden. Go figure...

I scanned from the "inside", that is from the server itself. I have no way of scanning from the outside at this point.. :( The inet.conf is "clean". (ie. Nothing enabled) So how can i check "myself"?