[Dshield] Question

Johannes B. Ullrich jullrich at euclidian.com
Tue Jul 10 12:24:27 GMT 2001

> I've noticed that I've been getting probes from workgroups, what's up with
> that? Like RPC TCP port probe,
> FTP port probe, SMTP port probe & HTTP port probe.

> My Zone Alarm isn't catching them, but Black Ice is.

The probes you are seeing are likely the 'usual' random scans for 
vulnerable machines. For a quick rundown:

- RPC: Lots of older Unix systems can be taken over using this attack. 
There are plenty of automated scripts for it.

- FTP: similar to RPC. However, in addition to just taking over a machine,
warez traders may be looking for an unprotected FTP server for their files.

- SMTP: Most likely spammers looking for open mail servers to use as
relays for their spam.

- HTTP: Basically all but the latest version of Microsoft's Internet
Information Server allow attackers to take over a machine using IIS. I
would guess that you see scans looking for these. Also, some people look 
for open proxy servers to use as springboards for such attacks.

Are you running BlackIce and ZoneAlarm on the same machine? That could 
be a bad idea. It is usually bad to run more than one firewall at any 
time as they may interfere with each other.

jullrich at sans.org                    Join http://www.DShield.org
                                      Distributed Intrusion Detection System
