-
Quote:
Originally posted here by leadbelly
so let me get this straight...
every time my Zone Alarm/VisualZone report alerts me to someone trying to scan my box or something like that I can report them...?
I would be a busy guy, I think.
No, port scans are not illegal. Actual attempted exploits are, which is what happened in NTSA's example.
-
Quote:
Originally posted here by ntsa
Does this look like an attempted buffer-overflow attempt to anyone? Am I now dealing with someone a bit more serious or is this another cook-book exploit that I'm unaware of? Opinions? Only one hit in the log so I guess this attempt wasn't up close and personal - so it was probably some sort of vulnerability scanner iterating through an IP range.
IP originates in Germany - Any ideas before I turn him in?
Umm, I don't think it's an overflow, it looks like a session identifier. If it is an overflow, that's one hell of a small buffer. You're looking at, like, 64 bytes (which, coincidentally, is the length of two MD5 sums, which are regularly used for session tracking).
Normally a buffer overflow attempt will contain unicode strings. Look at the Nimda and CRI & II exploit logs for an example of what I mean. Usually it's like %00%505%203 kinda **** (that could be gibberish, I don't know Unicode that well).
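As an added example (not code from this thread or from any product named in it), a small Python triage script that applies the heuristics in the reply above and the traversal case raised later in the thread: a long hex query value is treated as a likely session identifier, while encoded `../` sequences, `%uXXXX` escapes or a long run of filler bytes are flagged for a closer look. The log lines, addresses and paths are constructed for illustration.

```python
import re

# Constructed sample web-server log lines (Common Log Format), not real traffic.
SAMPLE_LOGS = [
    '203.0.113.5 - - [01/Jan/2002:10:00:00 +0000] "GET /index.html?sid='
    + "0123456789abcdef" * 4 + ' HTTP/1.0" 200 512',
    '198.51.100.7 - - [01/Jan/2002:10:01:00 +0000] '
    '"GET /scripts/..%255c..%255cwinnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0',
    '192.0.2.9 - - [01/Jan/2002:10:02:00 +0000] "GET /default.ida?'
    + "N" * 40 + '%u9090%u6858 HTTP/1.0" 404 0',
    '192.0.2.10 - - [01/Jan/2002:10:03:00 +0000] "GET /about.html HTTP/1.0" 200 1024',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<path>\S+) HTTP/')
# 32 hex chars is one MD5 digest, 64 is two: the "session identifier" case.
HEX_TOKEN_RE = re.compile(r"^[0-9a-fA-F]{32,64}$")
# Literal or percent-encoded "../" (including the double-encoded %255c form).
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.%2f|\.\.%5c|%2e%2e|%255c|%c0%af)", re.I)
# %uXXXX escapes and long single-byte filler runs are typical of overflow attempts.
UNICODE_ESC_RE = re.compile(r"%u[0-9a-f]{4}", re.I)
LONG_RUN_RE = re.compile(r"(.)\1{31,}")


def classify_path(path):
    """Return (verdict, reason) for one request path using the heuristics above."""
    if TRAVERSAL_RE.search(path):
        return "traversal", "encoded or literal ../ sequence"
    if UNICODE_ESC_RE.search(path) or LONG_RUN_RE.search(path):
        return "overflow-like", "%uXXXX escapes or a long filler run"
    query = path.partition("?")[2]
    for param in query.split("&"):
        value = param.partition("=")[2]
        if HEX_TOKEN_RE.match(value):
            return "session-id", f"{len(value)}-char hex value, likely a session token"
    return "benign", "no suspicious pattern"


def triage(log_lines):
    """Classify each log line; returns a list of (client_ip, verdict, reason)."""
    results = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match:
            verdict, reason = classify_path(match.group("path"))
            results.append((line.split()[0], verdict, reason))
    return results


if __name__ == "__main__":
    for ip, verdict, reason in triage(SAMPLE_LOGS):
        print(f"{ip:<14} {verdict:<14} {reason}")
```

Only the traversal and overflow-like verdicts are worth a complaint to the source network; the session-id case is ordinary application traffic.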
-
I usually wait till I know the attacker has a static IP before I email the person responsible for the network where the attack came from. I had one IP trying to SSH into one of my Linux boxes the other week and I noticed that he kept it up, so I sent a short and sweet email to the admin and lo-and-behold I haven't seen his IP pop up in my logs lately... I think it matters who the admin is on the other side... if he/she is professional they will do something about it, since they wouldn't want kiddies messin' with their servers, etc.
Regards.
-
Hey NTSA, when I first put up my server, I got about 250 hits, which is more than my friend gets in a month, and I got that many in about 2 hours. So I checked the logs and found somebody trying traversal exploits, but they used a proxy and I don't think xitami tried to log their IP too hard. Is there any way to trace them back?