[CLUE-Talk] Clue: WARNING! Government starting OS Probes! -UPDATE

Dave Anselmi anselmi at americanisp.net
Tue Sep 11 16:12:15 MDT 2001


Richard Knechtel wrote:

> I have now had 5 of these probes. Also my Cisco675 did a couple of UDP port
> probes on my system. This is AFTER I ran the CBOS upgrade QWEST recommended
> as part of the "code red worm permanent fix."

Are you port forwarding through the cisco?  Are any of its services (web, tftp,
telnet) accessible from the outside (wan0)?  You might turn off any servers you
aren't using and block the rest from the outside (check the archives for the link
to qwest.net that covers this).

> Geektools WHOIS shows:
>
>                         Sprint/United Information Service (NET-SPRINT-INNET9)
>                            13221 Woodland Park Road
>                            Herndon, VA 22071
>                            US

It's no surprise to me that Sprint owns a big block of IPs.  Or that they are in
Herndon along with Oracle, TRW, AOL, EDS, and mae-east.  If you really think a
government agency is probing you, ask yourself why they are letting you know that
they are the government.

> Anyone else run the Cisco675 CBOS upgrade and had unusual things reported by
> their firewalls and such?

Unfortunately, I don't have a good sniffer on my network.  But I have been
getting some UDP traffic into my win box - it seems to be DNS related during a
slow lookup.  Unfortunately I've switched ISPs and upgraded CBOS at the same
time, so I can't tell what the culprit might be.

Dave
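Dave's two points above (turn off unneeded router services on the WAN side, and UDP traffic that is really just DNS replies to your own slow lookups) can be checked against a firewall log without a sniffer. The script below is an added example, not code from the post or from Qwest/Cisco; it assumes a generic "TIMESTAMP PROTO SRC:PORT -> DST:PORT" log line format, uses constructed sample lines with RFC 5737 documentation addresses, and treats the `KNOWN_RESOLVERS` set as a placeholder for whatever resolvers your ISP actually assigned. It sorts inbound lines into DNS replies, probes of the router's telnet/tftp/web ports, and everything else, so that the probe count reflects only traffic that is genuinely unsolicited.

```python
"""Triage inbound firewall log lines: separate DNS replies to your own
lookups from unsolicited probes of router management services."""
import re
from collections import Counter

# Resolvers this host is configured to use. A UDP packet from one of them,
# source port 53, to a high (ephemeral) port is a reply to our own query.
# Assumption: constructed documentation addresses, not real resolvers.
KNOWN_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Router services the reply suggests disabling or blocking on the WAN side.
SERVICE_PORTS = {23: "telnet", 69: "tftp", 80: "web"}

# Constructed sample log (not from the original post).
SAMPLE_LOG = """\
2001-09-11 15:58:01 UDP 192.0.2.53:53 -> 10.0.0.5:1034
2001-09-11 15:58:02 UDP 192.0.2.53:53 -> 10.0.0.5:1034
2001-09-11 16:01:17 UDP 198.51.100.7:53 -> 10.0.0.5:1035
2001-09-11 16:03:44 TCP 198.51.100.7:4321 -> 10.0.0.5:23
2001-09-11 16:03:45 UDP 198.51.100.7:4322 -> 10.0.0.5:69
this line is not in the expected format
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec):
    """Label one parsed record.

    Source port 53 alone is not enough to call something a DNS reply: the
    sender must also be a resolver we actually query. Anything else from
    port 53 is treated like any other unsolicited packet.
    """
    if (rec["proto"] == "UDP" and rec["sport"] == 53
            and rec["dport"] >= 1024 and rec["src"] in KNOWN_RESOLVERS):
        return "dns-reply"
    svc = SERVICE_PORTS.get(rec["dport"])
    if svc:
        return f"probe-{svc}"
    return "unsolicited-other"


def triage(log_text):
    """Count lines per category and list which router services were probed."""
    counts = Counter()
    probed = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        cat = classify(rec)
        counts[cat] += 1
        if cat.startswith("probe-"):
            probed.add(cat[len("probe-"):])
    return counts, sorted(probed)


if __name__ == "__main__":
    counts, probed = triage(SAMPLE_LOG)
    for cat, n in sorted(counts.items()):
        print(f"{cat:20s} {n}")
    if probed:
        print("services to disable or block on wan0:", ", ".join(probed))
```

Run against a real log, the `probe-*` categories tell you which of the router's own services are being reached from outside (those are the ones to turn off or filter), while the `dns-reply` count accounts for the "UDP traffic during a slow lookup" pattern without counting it as a probe.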
