RE: Detected NMAP scan

["Frank W. Keeney" <FKeeney () hsa com>]

I get scanned at least ten times a week!

With the 1.x versions of nmap, Linux ipfwadm successfully logged all
stealth scans in my lab.

        ----------
        From:  Lamont Granquist
[SMTP:lamontg () raven genome washington edu]
        Sent:  Wednesday, January 06, 1999 12:40 PM
        To:  nmap-hackers () insecure org
        Subject:  Detected NMAP scan


        So, on Jan 3rd a machine that I admin got scanned, and with the
ipfw.c
        hack that I posted previously, I recorded the following packets,
        suggesting that it was someone with nmap2.  I thought I'd post
it here as
        a sighting of nmap "in the wild":

        Jan  3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP
148.81.145.199:62233 192.168.0.1:80
        Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8
148.81.145.199 192.168.0.1
        Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8
148.81.145.199 192.168.0.1
        Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8
148.81.145.199 192.168.0.1
        Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP
148.81.145.199:62234 192.168.0.1:80
        Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP
148.81.145.199:62235 192.168.0.1:80

        I've also identified people doing SYN scans of port 635 which is
where
        mountd often/normally resides on a linux system.