On Tue, 21 Dec 2004 21:00:29 -0500, Buck Turgidson wrote:
> I faithfully check my linux logs every day for hacking attempts. However,
> until today, I never checked my router logs. I was surprised to find that
> someone rattles a doorknob here about 3 or 4 times an hour.
Pretty slow rattling.
> I am curious if the frequency of attempts is normal?
Going to depend on malware of the day.
You want plots and graphs,
http://www.dshield.org/
> How do they get IP addresses?
Do you mean 68.100.188.19?
> I know they can pull it from the headers of this email,
This is not an email, it is a usenet post.
> but do they go mining for this info
Hey, kick up something like leafnode, and the posts can be run
through a filter to snarf your ip address.
> Do they pass around hit lists?
If they did, I would bet they would be caught a lot quicker.
> Most of the
> attempts seem to come from the Pacific Rim. Should I force an IP address
> change, and use a web-based newsgroup front-end, and protect my IP address?
Nope, some of the malware will infect a pc, the malware will then
hunt on that node's network then start hunting farther in the same
network.
> Sorry for all the questions. I am just a little unnerved at all the
> doorknob rattles.
Here is an 11 day tally of the ones I do not even bother to see in my
logs, they are thrown into the bit bucket.
Chain blacklst (2 references)
pkts bytes type port
17 860 tcp dpt:21
12 576 tcp dpt:25
182 8831 tcp dpt:80
6 288 tcp dpt:901
45 2164 tcp dpt:1023
290 13996 tcp dpt:1025
908 759K udp dpts:1026:1029 <=== port range
95 38380 udp dpt:1434
259 12472 tcp dpt:1433
2 88 tcp dpt:1521
60 2928 tcp dpt:2082
262 12636 tcp dpt:2745
138 6676 tcp dpt:3127
45 2144 tcp dpt:3128
11 532 tcp dpt:3389
87 4180 tcp dpt:3410
14 668 tcp dpt:4000
502 24396 tcp dpt:4899
70 3376 tcp dpt:5000
123 5924 tcp dpt:5554
149 7168 tcp dpt:6129
129 6200 tcp dpt:9898
53 2552 tcp dpt:12345
4 192 tcp dpt:17300
18 864 tcp dpt:27374
3 144 tcp dpt:65506