John Allspaw was said to have been seen saying:
yes, i have seen a large number of port scans on both work networks and home network space. nothing crazier than your standard sequential port scan for open 53, 1, 8, etc.
What I'm talking about are not so obvious as a sequential port scan, but rather attempts directed at ports with known exploits against either an IP range or a particular host. Also, the hosts being directly targeted are not publicly known servers (i.e. domain name servers, mail servers, etc.) but those behind-the-scenes machines that help keep things flowing. Also, even if the ports were open, the sites making the attempts would have had no reason to make the connections in the first place.

Granted, the hardest part is getting any action taken. The times I do find action is taken, it seems 9 out of 10 times it's a server which was inappropriately configured and thus compromised and used as a staging area for further attacks. Some of my more enjoyable attempts have been with UUnet, with whom I'd get a live body on the phone while it's occurring or shortly thereafter, and I'm told to send the email with the logs. I send the logs, get their lovely automated message, then 48 hours later a message stating "we couldn't see anyone on that IP at that time, please check your servers for accurate time". Which I find humorous given the steps I take to ensure my logs are accurate and untampered.

To give this more operational purpose: has anyone found, or is anyone aware of, any good sites with accurate Abuse/Security contact info? I've found a lot of the companies still have telephone numbers listed with the various NICs that are answered by a fax machine, or email addresses that bounce. IIRC abuse.net had one for spam contacts, but I realize some organizations have two separate departments to handle spam and network threats.

Respectfully,
Jeremy T. Bouse
UnderGrid Network Services, LLC

--
Jeremy T. Bouse - UnderGrid Network Services, LLC - www.UnderGrid.net
All messages from this address should be at least PGP/GPG signed
Public PGP/GPG fingerprint and location in headers of message
If received unsigned (without requesting as such) DO NOT trust it!
undrgrid@UnderGrid.net - NIC Whois: JB5713 - Jeremy.Bouse@UnderGrid.net
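One structured source for the abuse contacts asked about above is the registries' RDAP service, where an entity carrying the "abuse" role holds the desk's email and phone in jCard form. The following is an added example, not code from anyone in this thread; the RDAP document it parses is constructed sample data (a real lookup would fetch the same JSON from the responsible RIR's RDAP endpoint), and the handles and addresses in it are placeholders.

```python
import json

# Constructed sample RDAP response (placeholder data, not a real registry record).
# Shape follows RDAP JSON: entities carry "roles", a jCard "vcardArray", and may nest.
SAMPLE_RDAP = json.dumps({
    "handle": "NET-192-0-2-0-1",
    "startAddress": "192.0.2.0",
    "endAddress": "192.0.2.255",
    "entities": [
        {"handle": "EXAMPLE-ORG", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                  ["fn", {}, "text", "Example Networks"],
                                  ["email", {}, "text", "noc@example.net"]]],
         "entities": [
             {"handle": "EXAMPLE-ABUSE", "roles": ["abuse"],
              "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                       ["fn", {}, "text", "Example Abuse Desk"],
                                       ["email", {}, "text", "abuse@example.net"],
                                       ["tel", {"type": "voice"}, "uri",
                                        "tel:+1-555-0100"]]]}
         ]}
    ]
})


def _vcard_values(entity, prop):
    """Return every value of one jCard property (e.g. 'email') on an entity."""
    vcard = entity.get("vcardArray") or ["vcard", []]
    return [row[3] for row in vcard[1] if row and row[0] == prop]


def _walk(entities):
    """Yield entities depth-first, since abuse desks are often nested under the org."""
    for ent in entities or []:
        yield ent
        yield from _walk(ent.get("entities"))


def abuse_contacts(rdap_json):
    """Extract every abuse-role contact (handle, emails, phones) from an RDAP document."""
    doc = json.loads(rdap_json)
    found = []
    for ent in _walk(doc.get("entities")):
        if "abuse" in ent.get("roles", []):
            found.append({"handle": ent.get("handle"),
                          "emails": _vcard_values(ent, "email"),
                          "phones": _vcard_values(ent, "tel")})
    return found


if __name__ == "__main__":
    print(abuse_contacts(SAMPLE_RDAP))
```

Registries publish the RDAP role data themselves, so a report sent to the address this returns is far less likely to hit a bouncing mailbox than a number copied from a stale NIC record.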