[Dshield] Questions from list newbie

Antti Tolamo Usenet at linux.tola.org
Fri Jun 21 00:50:17 GMT 2002


In a message on Thursday 20 June 2002 10:08, you wrote:
> Hi..
>
> I'm new to this list, and I signed up for the fight back feature where I
> can send my zone alarm logs in.
>
> Do I send the log as an attachment, or, just copy & paste into the email?

Copy & paste is always a good idea.

> Also... it says to send relevant log excerpts.  I don't mean to sound
> stupid, but how do I know which ones are relevant (hacker related) and
> others are just background noise?

Well, you can't.. You can't easily deduce from a firewall log whether
you are the target of some attempt or just one target of a scan among many.

The only way you know the difference is when somebody repeatedly tries to do
something or the attack has some concrete effect you can't ignore.
If neither is true, then I'd say it is just a guess what scans mean.

> I also have a question about numerous hits on port 1214.  I know this port
> is used for Kazaa file sharing, but, I don't use Kazaa or Gnutella,
> audiogalaxy.... none of them. 

Do you have a dynamic IP? If you have, then it can be that the previous
user used it and you get 'leftovers'. There can also be an exploit
in Kazaa that explains it, but I wouldn't know.

> I've also read something about if someone
> else on my ISP had my IP address and was using Kazaa before I signed on, I
> could get hits to this port.  But, I have DSL and it's almost always on. 
> Wouldn't my IP address remain the same for the duration of my connection?

Depends. It should stay the same for a long time if one is online for long;
however, IP addresses are known to change after a while with certain ISPs.
How often depends on the ISP..

I don't really know, but I guess it could be that some ISPs change IPs
often enough to make keeping servers difficult. Servers usually mean more
traffic, and more machines broken into that can send spam, viruses or scan
other vulnerable machines nearby.. In other words, more costs to ISPs.

Here at least some ISPs have blocked certain ports and made clear that
servers can't be kept unless the owner upgrades to a more expensive connection.

Antti

> Pardon my ignorance, but I'm trying to learn more about all of this :)

> I appreciate any feedback.
>
> Thanks a bunch,
>
> Mercy
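
The distinction drawn in the reply above, between a source that repeatedly tries something and one-off scan noise, can be checked mechanically. The Python below is an added example, not part of the original message; it assumes a comma-separated ZoneAlarm text log layout (type, date, time, source, destination, transport), and all log lines and addresses are constructed.

```python
import csv
from collections import defaultdict

# Constructed sample lines (documentation address ranges). The field layout
# is an assumption about the ZoneAlarm text log, not taken from the message.
SAMPLE_LOG = """\
FWIN,2002/06/20,09:01:10 +3:00 GMT,198.51.100.7:3101,192.0.2.10:1214,TCP (flags:S)
FWIN,2002/06/20,09:01:13 +3:00 GMT,198.51.100.7:3101,192.0.2.10:1214,TCP (flags:S)
FWIN,2002/06/20,09:01:19 +3:00 GMT,198.51.100.7:3101,192.0.2.10:1214,TCP (flags:S)
FWIN,2002/06/20,09:14:02 +3:00 GMT,203.0.113.5:4410,192.0.2.10:80,TCP (flags:S)
FWIN,2002/06/20,11:30:00 +3:00 GMT,203.0.113.99:2001,192.0.2.10:21,TCP (flags:S)
FWIN,2002/06/20,11:30:05 +3:00 GMT,203.0.113.99:2002,192.0.2.10:23,TCP (flags:S)
FWIN,2002/06/21,08:12:40 +3:00 GMT,203.0.113.99:2417,192.0.2.10:21,TCP (flags:S)
FWIN,2002/06/21,08:12:44 +3:00 GMT,203.0.113.99:2418,192.0.2.10:23,TCP (flags:S)
"""

def attempts_by_source(log_text):
    """Map each source IP to its set of distinct inbound attempts."""
    attempts = defaultdict(set)
    for row in csv.reader(log_text.splitlines()):
        if len(row) < 6 or row[0] != "FWIN":
            continue  # skip headers, outbound entries and malformed lines
        date, src, dst = row[1], row[3], row[4]
        src_ip, _, src_port = src.rpartition(":")
        _, _, dst_port = dst.rpartition(":")
        if not src_ip or not dst_port.isdigit():
            continue  # entries without ports, e.g. ICMP
        # A retransmitted SYN reuses the same source port, so this key
        # collapses the retries of one connection into a single attempt.
        attempts[src_ip].add((date, src_port, int(dst_port)))
    return attempts

def repeated_sources(log_text, min_attempts=3):
    """Return {source IP: sorted ports} for sources that came back repeatedly."""
    report = {}
    for ip, seen in attempts_by_source(log_text).items():
        if len(seen) >= min_attempts:
            report[ip] = sorted({port for _, _, port in seen})
    return report

if __name__ == "__main__":
    for ip, ports in repeated_sources(SAMPLE_LOG).items():
        print(f"{ip}: repeated attempts on ports {ports}")
```

The three port 1214 lines count as one attempt because they share a source port, which is what a leftover Kazaa peer retrying a single connection looks like; only the source that returns with new connections on a second day is reported.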



