This is a discussion on Hacking Attempts within the Linux Networking forums, part of the Linux Forums category.

Buck Turgidson wrote:
> I faithfully check my linux logs every day for hacking attempts. However,
> until today, I never checked my router logs. I was surprised to find that
> someone rattles a doorknob here about 3 or 4 times an hour. My router
> doesn't list times, stupidly enough, but it is very frequent. They appear to
> be interested in ports 4899 and 1026 which seem to be MSFT remote access
> ports.
>
> I am curious if the frequency of attempts is normal? How do they get IP
> addresses? I know they can pull it from the headers of this email, but do
> they go mining for this info? Do they pass around hit lists? Most of the
> attempts seem to come from the Pacific Rim. Should I force an IP address
> change, and use a web-based newsgroup front-end, and protect my IP address?

Very normal. You can actually see who owns what ip ranges by going to http://www.flumps.org/ip/ it shows who owns what blocks from Class A to Class C addresses.

I actually used to be in a group of dumb ass kids who scanned ip addresses (mainly just looking for NT boxes and any ftp sites with write access) and then 'hacked' them and used them to run ftp sites off of their own hard drives.. but then I grew up :) I realized I probably wouldn't want this to happen to me or someone I knew so I got out of it.

Anyway, the scanners look for blocks usually owned by universities (because they have lots of very fast computers with hard drive space just asking to be taken over by someone. why else would u make an admin account with NO PASSWORD!!!:)) or big ISP's like verizon, comcast, pacbell because they know there's gonna be a lot of people who don't know anything about security running all sorts of things that are easily compromised.

Believe it or not, there are thousands of people at this very moment scanning everything from 1.1.1.1 to 223.255.255.255 (the end of Class C) and they will continue to do so until people start securing their own boxes, and quit doing things like installing IIS, running Windows NT4, running ftp servers with /w write access and a fast connection :)
In article <_7RBd.806$385.366@fe77.usenetserver.com>,
Richie086@usenetserver.com wrote:

> You can actually see who owns what ip ranges by going to
> http://www.flumps.org/ip/

That page (which is a mirror of www.ipindex.net) is extremely out of date, and rather limited in the information it provides. You would be much better served by using 'whois' and querying the RIR that issued the IP blocks. As of New Year's Day, there were 65948 IP ranges assigned.

> it shows who owns what blocks from Class A to Class C addresses.

Of those 65948, 26417 are not /8, /16 or /24s. See RFC1466, RFC1517, RFC1518, and RFC1519 which date from 1993. We haven't been using "Class A to Class C" for a while. You can get RFCs from

http://www.ietf.org/rfc/rfc0000.txt
http://www.faqs.org/rfcs/rfc0000.html
http://www.rfc-editor.org/rfc/rfc0000.txt
http://www.ccd.bnl.gov/network/general/rfc0000.html
http://www.cis.ohio-state.edu/htbin/rfc/rfc0000.html

Replace the four zeros with the four digit document number.

> Anyway, the scanners look for blocks usually owned by universities
> (because they have lots of very fast computers with hard drive space
> just asking to be taken over by someone. why else would u make an admin
> account with NO PASSWORD!!!:)) or big ISP's like verizon, comcast,
> pacbell because they know there's gonna be a lot of people who don't know
> anything about security running all sorts of things that are easily
> compromised.

A lot of the scans now are looking for open boxes to be used as spam zombies.

> Believe it or not, there are thousands of people at this very moment
> scanning everything from 1.1.1.1 to 223.255.255.255 (the end of Class C)

Actually, the majority of these idiots are 31337 skript kiddiez who wouldn't know what an IP address is, but are using toolz that know not to waste time scanning IP blocks that are not allocated (like 1.0.0.0/8, or 223.0.0.0/8), or 89.0.0.0 through 128.0.255.255 (as examples).

http://www.iana.org/assignments/ipv4-address-space

Old guy
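
An added example, not part of either post: the reply's point that many allocations are not /8, /16 or /24 can be checked by converting address ranges to CIDR prefixes and comparing them with what the old class rules would assume. The sample ranges are constructed from private and documentation address space, and the function names are this example's own.

```python
import ipaddress

# Constructed sample ranges (private and documentation space); real
# allocation data would come from a whois query to the issuing RIR.
SAMPLE_RANGES = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.0.2.0", "192.0.2.255"),
    ("198.51.100.0", "198.51.100.127"),
    ("203.0.113.64", "203.0.113.159"),
]

def classful_prefix(addr):
    """Prefix length the old Class A/B/C rules would assume for addr."""
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return 8    # Class A
    if first_octet < 192:
        return 16   # Class B
    if first_octet < 224:
        return 24   # Class C
    return None     # Class D/E: multicast and reserved, no network size

def to_cidr(start, end):
    """Smallest list of CIDR networks covering start..end inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))

def fits_octet_boundary(blocks):
    """True only if the range is a single /8, /16 or /24."""
    return len(blocks) == 1 and blocks[0].prefixlen in (8, 16, 24)

def count_outside_old_model(ranges):
    """Number of ranges that are not a single /8, /16 or /24."""
    return sum(1 for s, e in ranges if not fits_octet_boundary(to_cidr(s, e)))

if __name__ == "__main__":
    for start, end in SAMPLE_RANGES:
        blocks = to_cidr(start, end)
        print(f"{start}-{end}: actual {', '.join(map(str, blocks))}; "
              f"classful guess /{classful_prefix(start)}")
    print("not /8, /16 or /24:", count_outside_old_model(SAMPLE_RANGES))
```

When reading router or firewall logs, the same conversion helps group source addresses by the prefix actually returned by whois rather than by an assumed /8, /16 or /24.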