Re: What's the current thinking on portmapper probes?

[UnixGeek <ed () XWING CENTIGRAM COM>]

Moreso than the polite heads-up, many times I find port 111 scans from
supposedly "secure" Linux boxes(honestly, mostly RH 6.X these days) or
from the admitted "test box".

I have to say that lately, with an increase of scan activity against my
subnets, I'm getting a bit weary of taking the friendly, professional
approach, and feel like telling some of these people what idiots they are.
*sigh*



 On Tue, 1 Aug 2000, Richard Johnson wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> At 22:04 -0600 on 07/30/2000, John Pettitt wrote:
> > I've had a couple of portmapper probes in the last two days - it's not
> > going to get them anywhere because I don't run portmapper.  However I was
> > wondering what the current thinking on this is - is it worth notifying the
> > owners and/or isp for the source machine?
>
>
> Many sites appreciate a polite heads-up warning about the scan originating
> from their neighborhood, if you have the time to send one.  'Sorry to be the
> bearer of bad news, but you might have a problem...' is a good way to do it.
>
> Just be sure to include details in your report, including timestamps with time
> zone info and enough log detail to show the scan really happened.  Reports
> like 'you have an intruder on one of your machines but I'm not going to tell
> you which one or that I really only saw one packet' are useless. ;-)
>
>
> Richard
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.5.2
> Comment: www.europarl.eu.int/dg4/stoa/en/publi/166499/execsum.htm
>
> iQA/AwUBOYeysWKSuJuuNAZUEQLIvACeNZKxVY7VolXzYctZHWaJIluSo1QAoKCa
> PYgAm8aCskWWKbXKyXZ9EDwn
> =DfUZ
> -----END PGP SIGNATURE-----