Johannes B. Ullrich
jullrich at euclidian.com
Tue Jul 10 12:24:27 GMT 2001
> I've noticed that I've been getting probes from workgroups, what's up with
> that? Like RPC TCP port probe,
> FTP port probe, SMTP port probe & HTTP port probe.
> My Zone Alarm isn't catching them,but Black Ice is.
The probes you are seeing are likely the 'usual' random scans for
vulnerable machines. For a quick rundown:
- RPC: Lots of older Unix systems can be taken over using this attack.
There are plenty of automated scripts for it.
- FTP: similar to RPC. However, in addition to just taking over a machine,
warez traders may be looking for an unprotected ftp server for their files.
- SMTP: Most likely spammers looking for open mail servers to use as
relays for their spam.
- HTTP: Basically all but the latest version of Microsoft's Internet
Information server allow attackers to take over a machine using IIS. I
would guess that you see scans looking for these. Also, some people look
for open proxy servers to use as springboards for such attacks.
Are you running BlackIce and ZoneAlarm on the same machine? That could
be a bad idea. It is usually bad to run more than one firewall at any
time as they may interfere with each other.
jullrich at sans.org Join http://www.DShield.org
Distributed Intrusion Detection System