[plug] Active response IDSs?

Craig Ringer craig at postnewspapers.com.au
Sat Aug 3 14:06:58 WST 2002


>
>
>>hmm... no go from google *grin*
>>Perhaps it's a misconfigured tool or maybe a port pulled out of a hat
>>that the source is using on the assumption that it's _not_ special, say
>>to check how/if the host firewalls high ports w/o listening servers?
>>just guessing here, knowledge of this specific case == nil. Hell, maybe
>>it's a type^Ho.
>>    
>>
>
>Well they were pretty insistent, a couple of hundred attempts over 3 hrs
>or so. I thought it might be some back orifice type of thing. I checked
>google as well and came up empty... Something weird :).
>
You've probably nailed it there - especially if your network is on a
dynamic IP. They're probably trying to connect to a previously-installed
backdoor somewhere and have forgotten the IP, it's moved (if you're on
DHCP-assigned IPs), or maybe they emailed a friendly Outlook exploit +
backdoor to you sometime, you barely even noticed, and now they're
trying to see if it worked? That'd explain it, as it's quite likely most
of those nasties have configurable listen ports, etc.


