Portscan from Suse Mailing list !!!
Every second week, my watchdog catches the IP address 217.9.113.69 doing port scanning on my system, and prompt every second week SuSE mailing list is disabled.

Is the mailing list server of SuSE hacked or why are these activities from there?

Administrator, please answer in private mailing.

bye

Ronald

--
Ronald Wiplinger, Technical Director
Bright Networking Inc, http://www.2bright.net
7F, 192-1, Sec. 3, Tatung Rd., Shijr City, Taipei, Taiwan, RoC
Tel.: +886 2 8647-1685, Mobile +886 915 653-452, Fax: +886 2 8647-2002

* Ronald Wiplinger (ronald@2bright.net) [021007 18:19]:
> Every second week, my watchdog catches the IP address 217.9.113.69 doing port scanning on my system, and prompt every second week SuSE mailing list is disabled.
> Is the mailing list server of SuSE hacked or why are these activities from there?

Your "watchdog" (whatever that is) is broken and should be thrown away.

> Administrator, please answer in private mailing.

Sorry, public mail gets a public response.

--
-ckm

It may be as simple as the mail server doing "ident" checks... but Chris is right. Most of the Windows "Firewall" products like Zone Alarm and Norton's product are garbage. They give WAY too many false alarms to be useful. Most people get tired of looking at the alerts and eventually disable them altogether. You've heard the story about the boy who cried wolf, I hope.

- Herman

Christopher Mahmood wrote:
> * Ronald Wiplinger (ronald@2bright.net) [021007 18:19]:
> > Every second week, my watchdog catches the IP address 217.9.113.69 doing port scanning on my system, and prompt every second week SuSE mailing list is disabled.
> > Is the mailing list server of SuSE hacked or why are these activities from there?
>
> Your "watchdog" (whatever that is) is broken and should be thrown away.
>
> > Administrator, please answer in private mailing.
>
> Sorry, public mail gets a public response.

--
"DRM... Digitally Retarded Media - content that cannot reach its full potential because of artificial restraints."

* Herman Knief (herman@knief.net) [021007 19:54]:
> It may be as simple as the mail server doing "ident" checks.

No, we don't do that. Most likely it's because lists.suse.com has more than one connection open to his machine at the time.

> Most of the Windows "Firewall" products like Zone Alarm and Norton's product are garbage.

I get probably 3 emails a week like this. Usually it's because "ftp.suse.com is trying to break into my machine!" (they are doing active ftp) often complete with threats of lawsuits, etc. Sigh.

--
-ckm

Some people just jump the gun too early, before checking into what's going on, or even having a clue.

Matt

On Mon, 2002-10-07 at 23:08, Christopher Mahmood wrote:
> * Herman Knief (herman@knief.net) [021007 19:54]:
> > It may be as simple as the mail server doing "ident" checks.
>
> No, we don't do that. Most likely it's because lists.suse.com has more than one connection open to his machine at the time.
>
> > Most of the Windows "Firewall" products like Zone Alarm and
> > Norton's product are garbage.
>
> I get probably 3 emails a week like this. Usually it's because "ftp.suse.com is trying to break into my machine!" (they are doing active ftp) often complete with threats of lawsuits, etc. Sigh.
>
> --
> -ckm
>
> --
> Check the headers for your unsubscription address
> For additional commands send e-mail to suse-linux-e-help@suse.com
> Also check the archives at http://lists.suse.com
> Please read the FAQs: suse-linux-e-faq@suse.com

Christopher Mahmood wrote:
> * Herman Knief (herman@knief.net) [021007 19:54]:
> > It may be as simple as the mail server doing "ident" checks.
>
> No, we don't do that. Most likely it's because lists.suse.com has more than one connection open to his machine at the time.

Here is a snip of the log file:

1030792077 - 08/31/2002 19:07:57 Host: lists.suse.com/217.9.113.69 Protocol: TCP ScanType: UNKNOWN DstPort: 1080 SrcPort 113
1033151664 - 09/28/2002 02:34:24 Host: lists.suse.com/217.9.113.69 Protocol: TCP ScanType: UNKNOWN DstPort: 6667 SrcPort 113

Can you explain it please? I am in Taiwan, that is UTC + 8:00

bye

Ronald

> > Most of the Windows "Firewall" products like Zone Alarm and Norton's product are garbage.
>
> I get probably 3 emails a week like this. Usually it's because "ftp.suse.com is trying to break into my machine!" (they are doing active ftp) often complete with threats of lawsuits, etc. Sigh.

--
Ronald Wiplinger, Technical Director
Bright Networking Inc, http://www.2bright.net
7F, 192-1, Sec. 3, Tatung Rd., Shijr City, Taipei, Taiwan, RoC
Tel.: +886 2 8647-1685, Mobile +886 915 653-452, Fax: +886 2 8647-2002

> Here is a snip of the log file:
> 1030792077 - 08/31/2002 19:07:57 Host: lists.suse.com/217.9.113.69 Protocol: TCP ScanType: UNKNOWN DstPort: 1080 SrcPort 113
> 1033151664 - 09/28/2002 02:34:24 Host: lists.suse.com/217.9.113.69 Protocol: TCP ScanType: UNKNOWN DstPort: 6667 SrcPort 113

If you actually read the log files, you'd note that both connections originate from the *same* privileged port on lists.suse.com and that happens to be ident.

This to me looks like *backtraffic* from your machine doing an ident query on SuSE's list server. Please stop scanning them, else you may start getting threats of legal action & what-not ;-)

--
James Ogley, Unix Systems Administrator, Pinnacle Insurance Plc
james.ogley@pinnacle.co.uk www.pinnacle.co.uk +44 (0) 20 8731 3619
Using Free Software since 1994, running GNU/Linux (SuSE 8.0)
Updated GNOME RPMs for SuSE Linux: www.usr-local-bin.org

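The reading of the log given in the last reply, as an added example that is not part of the original thread: it parses the two quoted entries, converts the epoch field to UTC, and groups the events per remote host. The function names `parse` and `triage`, the labels, and the "one fixed source port below 1024" heuristic are assumptions of this example, not the behaviour of the poster's watchdog.

```python
import re
from datetime import datetime, timezone

# The two entries quoted in the thread, copied verbatim.
LOG = """\
1030792077 - 08/31/2002 19:07:57 Host: lists.suse.com/217.9.113.69 Protocol: TCP ScanType: UNKNOWN DstPort: 1080 SrcPort 113
1033151664 - 09/28/2002 02:34:24 Host: lists.suse.com/217.9.113.69 Protocol: TCP ScanType: UNKNOWN DstPort: 6667 SrcPort 113
"""

LINE = re.compile(
    r"^(?P<epoch>\d+) - (?P<local>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d) "
    r"Host: (?P<name>\S+)/(?P<ip>[\d.]+) Protocol: (?P<proto>\w+) "
    r"ScanType: (?P<scan>\w+) DstPort: (?P<dport>\d+) SrcPort:? (?P<sport>\d+)$"
)

def parse(text):
    """Yield one dict per line that matches the log format above."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines in any other format
        e = m.groupdict()
        for k in ("epoch", "dport", "sport"):
            e[k] = int(e[k])
        e["utc"] = datetime.fromtimestamp(e["epoch"], tz=timezone.utc)
        yield e

def triage(entries):
    """Group events by remote IP and label each group.

    Heuristic (assumption of this example): packets that all leave one
    fixed well-known port (< 1024) on the remote host look like replies
    to connections the local machine opened, not like a scan.
    """
    by_ip = {}
    for e in entries:
        by_ip.setdefault(e["ip"], []).append(e)
    verdicts = {}
    for ip, group in by_ip.items():
        sports = {e["sport"] for e in group}
        if len(sports) == 1 and min(sports) < 1024:
            verdicts[ip] = ("likely-reply-traffic", sports.pop())
        else:
            verdicts[ip] = ("needs-review", None)
    return verdicts

if __name__ == "__main__":
    for ip, (label, port) in triage(parse(LOG)).items():
        print(ip, label, port)
```

A fixed privileged source port is a hint, not proof; confirm it against the local host's own outbound connections to that port at the logged time. The converted timestamps also show the logged local times sitting eight hours ahead of UTC, matching the UTC + 8:00 stated in the thread.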
participants (5)
- Christopher Mahmood
- Herman Knief
- James Ogley
- Matthew Kennedy
- Ronald Wiplinger