Nmap Hackers
mailing list archives
RE: Detected NMAP scan
From: <joff () newmonics com>
Date: Wed, 6 Jan 1999 15:13:37 -0600 (EST)
I've written a small (~30) line patch to the linux 2.0 kernel that
detects and masq's all scans, (stealth, half-open, etc) and blocks them
in mid scan so the attacker does not see any ports open. Take a look:
http://www.geek-girl.com/bugtraq/1998_3/0008.html.
//Jesse Off
On Wed, 6 Jan 1999, Frank W. Keeney wrote:
I get scanned at least ten times a week!
With the 1.x versions of nmap, Linux ipfwadm successfully logged all
stealth scans in my lab.
----------
From: Lamont Granquist [SMTP:lamontg () raven genome washington edu]
Sent: Wednesday, January 06, 1999 12:40 PM
To: nmap-hackers () insecure org
Subject: Detected NMAP scan
So, on Jan 3rd a machine that I admin got scanned, and with the ipfw.c
hack that I posted previously, I recorded the following packets,
suggesting that it was someone with nmap2. I thought I'd post it here as
a sighting of nmap "in the wild":

Jan 3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62233 192.168.0.1:80
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62234 192.168.0.1:80
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62235 192.168.0.1:80

I've also identified people doing SYN scans of port 635 which is where
mountd often/normally resides on a linux system.
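
One way to flag the pattern in the quoted log (ICMP echo requests plus TCP probes to port 80 from the same source within a couple of seconds), as an added example that is not part of the original posts. The function names, the 2-second window and the pairing heuristic are assumptions; the sample lines are the ones from the post with the wrapped lines rejoined.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines from the quoted post, wrapped lines rejoined.
SAMPLE_LOG = """\
Jan 3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62233 192.168.0.1:80
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8 148.81.145.199 192.168.0.1
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62234 192.168.0.1:80
Jan 3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP 148.81.145.199:62235 192.168.0.1:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+IP fw-in deny\s+\S+\s+"
    r"(?P<proto>TCP|UDP|ICMP/\d+)\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

def parse_line(line):
    """Parse one 'IP fw-in deny' kernel log line; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog omits the year; pin an arbitrary leap year so time arithmetic works
    rec["ts"] = datetime.strptime("2000 " + rec["ts"], "%Y %b %d %H:%M:%S")
    return rec

def find_ping_probes(log_text, window_s=2):
    """Return sources that sent both ICMP echo and TCP/80 within window_s seconds."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)
    hits = {}
    for src, recs in by_src.items():
        echoes = [r for r in recs if r["proto"] == "ICMP/8"]
        tcp80 = [r for r in recs if r["proto"] == "TCP" and r["dport"] == "80"]
        if any(abs((e["ts"] - t["ts"]).total_seconds()) <= window_s
               for e in echoes for t in tcp80):
            hits[src] = {"icmp_echo": len(echoes), "tcp_80": len(tcp80),
                         "src_ports": sorted(int(t["sport"]) for t in tcp80)}
    return hits

if __name__ == "__main__":
    print(find_ping_probes(SAMPLE_LOG))
```

Consecutive source ports in `src_ports`, as in the quoted log, are a further hint that one process sent the probes back to back.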