Security Incidents mailing list archives

Re: correlation between portscans and local activity


From: ssh () SHN NU (Sean Sosik-Hamor)
Date: Mon, 3 Jan 2000 10:44:31 -0500


On Sun, 2 Jan 2000, Thomas Molina wrote:

# Is this just a wild guess on my part or am I just now noticing
# something blindingly obvious to everyone else?

Blinding flash of the obvious.  <grin>  I originally noticed this
behavior a few years ago when I ran redbox.newhackcity.net, a shell
machine and Web server for the Boston white hat hacker community (now
l0pht.com, hackernews.com and cultdeadcow.com).  I was noticing
increased attacks coming in bursts from dozens of different IPs.  I
thought it was strange, so I started sniffing.

Here is what I noticed...a short stream of outbound traffic on TCP
6667 followed by a random inbound DOS or attack of some sort.  I
immediately knew the issue.  One of my users was using EFNet IRC
(Internet Relay Chat) on #hack, #phreak and #2600 and taunting some of
the riffraff.  Every time this person was IRCing, we started getting
attacked.

This wasn't the only case...sometimes we'd be attacked after I or one
of my users fingered a remote host (usually a Linux box sitting on a
CSLIP or PPP connection).  Ditto for FTP...log in anonymously to a
box, and instantly get a scan back from that box.

So, the general rule is, sooner or later, you'll get hit by an
automated scan.  If you broadcast your presence and use ICQ, IRC,
etc., you'll get hit sooner by a manual scan.

/Sean/
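One way to turn the observation above into a detection check, as an added example that is not part of the original post: it reads a constructed flow log, flags inbound peers that probe several local ports within a short window, and reports any outbound IRC, finger or FTP connection made shortly before each scan, noting when the scanner is the very host that was just fingered or FTPed. The log format, ten-minute window and port threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PRESENCE_PORTS = {6667: "irc", 79: "finger", 21: "ftp"}  # services the post names
WINDOW = timedelta(minutes=10)  # assumed look-back from scan start to outbound connect
SCAN_THRESHOLD = 4              # distinct local ports hit by one peer within WINDOW
# Constructed flow log: timestamp, direction, peer IP, local port, remote port.
SAMPLE_LOG = """\
2000-01-02T21:00:05 out 203.0.113.7 1043 6667
2000-01-02T21:04:10 in 198.51.100.9 21 40001
2000-01-02T21:04:11 in 198.51.100.9 23 40002
2000-01-02T21:04:11 in 198.51.100.9 25 40003
2000-01-02T21:04:12 in 198.51.100.9 79 40004
2000-01-03T02:14:50 out 192.0.2.77 1055 79
2000-01-03T02:15:00 in 192.0.2.77 21 33001
2000-01-03T02:15:01 in 192.0.2.77 22 33002
2000-01-03T02:15:01 in 192.0.2.77 23 33003
2000-01-03T02:15:02 in 192.0.2.77 25 33004
"""

def parse(log):
    return [(datetime.fromisoformat(t), d, p, int(lp), int(rp))
            for t, d, p, lp, rp in (line.split() for line in log.splitlines())]

def find_scans(records):
    """(start, peer, port_count) for each peer probing >= SCAN_THRESHOLD ports in WINDOW."""
    hits = defaultdict(list)
    for ts, direction, peer, lport, _ in records:
        if direction == "in":
            hits[peer].append((ts, lport))
    scans = []
    for peer, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start
            ports = {p for t, p in events[i:] if t - start <= WINDOW}
            if len(ports) >= SCAN_THRESHOLD:
                scans.append((start, peer, len(ports)))
                break
    return scans

def correlate(records):
    """Pair each scan with outbound presence traffic seen in the WINDOW before it."""
    outbound = [(ts, peer, PRESENCE_PORTS[rp]) for ts, d, peer, _, rp in records
                if d == "out" and rp in PRESENCE_PORTS]
    results = []
    for start, scanner, nports in find_scans(records):
        triggers = [(svc, peer) for ts, peer, svc in outbound if timedelta(0) <= start - ts <= WINDOW]
        results.append({"scanner": scanner, "ports": nports, "triggers": triggers,
                        "same_host": any(peer == scanner for _, peer in triggers)})
    return results
```

Run `correlate(parse(SAMPLE_LOG))` to see the IRC-then-scan case and the finger-then-scan-back case from the post reported side by side.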
