[svlug] portscanning our linux box

Gordon Vrololjak gvrdolja at nature.Berkeley.EDU
Thu Jun 21 09:54:02 PDT 2001


Hello,
I usually get a few people portscanning the linux box in our lab.  I
follow up by sending an email with part of the log to the person in
charge of the IP address obtained by fwhois IP at whois.arin.net.

In the case below, I got a non-existent email at 3dfx that bounced back to
me.  I called the person in question and they said that 3dfx was bought
over by nvidia.  After 10 minutes on hold with nvidia they actually let me
leave a voice mail with one of their 'network guys' as the receptionist
called it.

I was wondering if there was any other way of finding out information on
who is the point of contact for a particular domain other than whois?
I've copied part of the log below.  As an aside, I find it an interesting
part of administering a linux system to find out about other compromised
systems used in attacks against me.  One time, a diamond exchange .com
actually had their sys-admin call me for advice.
Gordon

Active System Attack Alerts =-=-=-=-=-=-=-=-=-=-=-=-=-=
Jun 17 00:34:40 wilfred portsentry[685]: attackalert: SYN/Normal scan from host: 216.111.123.98/216.111.123.98 to TCP port: 31337
Jun 17 00:34:40 wilfred portsentry[685]: attackalert: Host 216.111.123.98 has been blocked via wrappers with string: "ALL: 216.111.123.98"
Jun 17 00:34:40 wilfred portsentry[685]: attackalert: Host 216.111.123.98 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 216.111.123.98 -j DENY -l"
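A small triage script for alerts of the kind quoted above, added here as an example (it is not from the post and not part of portsentry): it parses portsentry "attackalert" lines, groups them by source IP, and records which ports were probed and which blocking methods (tcp wrappers, ipchains route drop) fired, so the follow-up mail to the address owner can cite a per-host summary rather than raw log excerpts. The sample log lines are constructed, modelled on the ones in the post.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the portsentry alerts quoted in the post.
SAMPLE_LOG = """\
Jun 17 00:34:40 wilfred portsentry[685]: attackalert: SYN/Normal scan from host: 216.111.123.98/216.111.123.98 to TCP port: 31337
Jun 17 00:34:40 wilfred portsentry[685]: attackalert: Host 216.111.123.98 has been blocked via wrappers with string: "ALL: 216.111.123.98"
Jun 17 00:34:40 wilfred portsentry[685]: attackalert: Host 216.111.123.98 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 216.111.123.98 -j DENY -l"
Jun 17 00:35:02 wilfred portsentry[685]: attackalert: Host 216.111.123.98 has been blocked via wrappers with string: "ALL: 216.111.123.98"
Jun 17 01:12:09 wilfred sshd[712]: Accepted publickey for gordon from 10.0.0.5 port 41022
"""

# Syslog prefix, then the two attackalert shapes seen in the post: a scan report and a block report.
SCAN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) portsentry\[\d+\]: attackalert: "
    r"(?P<kind>.+?) scan from host: (?P<name>\S+)/(?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)
BLOCK_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) portsentry\[\d+\]: attackalert: "
    r"Host (?P<ip>\d+\.\d+\.\d+\.\d+) has been blocked via (?P<method>wrappers|dropped route)"
)

def parse_alerts(text):
    """Return one dict per portsentry attackalert line; unrelated syslog lines are skipped."""
    events = []
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "ip": m["ip"], "event": "scan",
                           "proto": m["proto"], "port": int(m["port"])})
            continue
        m = BLOCK_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "ip": m["ip"], "event": "block", "method": m["method"]})
    return events

def summarize(events):
    """Per source IP: first timestamp, set of (proto, port) probed, and block methods that fired."""
    summary = defaultdict(lambda: {"first": None, "ports": set(), "methods": set()})
    for e in events:
        s = summary[e["ip"]]
        s["first"] = s["first"] or e["ts"]
        if e["event"] == "scan":
            s["ports"].add((e["proto"], e["port"]))
        else:
            s["methods"].add(e["method"])
    return dict(summary)

if __name__ == "__main__":
    for ip, s in summarize(parse_alerts(SAMPLE_LOG)).items():
        print(ip, s["first"], sorted(s["ports"]), sorted(s["methods"]))
```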
