Re: Scans on port 17107
From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: Sat, 26 Nov 2005 14:15:25 -0600
On Fri, 25 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
<email@example.com>, Myself wrote:
>This is what I suspect. As I said in my original post, I often get a
>series of hits on some single port (and not any certain one), and I have
>always come to the conclusion that it is from the previous port.
Your ISP (duo-county.com) has a /22 block (1022 IPs) at the point where
you are posting (they have more than that - I see at least 2560 addresses
mentioned), and it sounds as if one of your neighbors in the county is
running a game service or similar. At least the clients are well behaved
and seem to go away after being told "There is no server here". 1366 hits
from 1255 addresses is less than 1.1 packets per address. It also says
that it must be a popular game/service ;-)
>However, the number of these did get my attention. I use fwlogwatch and
>it sends me an email report. When I opened mutt and saw the report with
>over 1000 lines, I did notice :)
You may want to reconsider your logging strategy, or as Grant suggests in
the other reply I see, rate limit the logging. Your firewall blocked the
connection attempt, and there really isn't that much more that you can do
- again, 1.1 packets per address - are you going to call the Internet
Police? That would be a lot of paperwork to fill out ;-)
>Right. I have no open incoming ports to my knowledge. I've had them
>checked on several of the security sites.
man netstat. No need to use a security site: just run 'netstat -tupan'
and find out what is open, and also which process is the guilty party.
>I have a second list besides /etc/services, and I believe it is from
>there. It dates back to 2002 (could update), but I check with it in
>addition to /etc/services.
Services aren't added that often. I replace my copy every six months,
and the differences are often just contact name changes.
>True. But often it can give you a clue to what it might be.
I'm on 24/7 cable in addition to having dial-in. You get used to this
constant noise. As long as you block it, that's all that matters. In
addition, the actual service that a connection may be looking for is
rarely the one listed in official lists - thank you microsoft for
keeping skript kiddiez busy re-writing malware around the world.
>Did two of my original posts show up on the list? For some reason, I got
>two, showing a difference of 2 seconds, I believe...
The news server at Bluegrass Network is putting message id and time
stamps on it - looks like they think they got two copies about a second
apart. I don't use Pan, but the news tools I'm used to have a "Are you
sure you want to post this crap" switch each time I post to reduce the
possibility of multi-posts.
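Two things in the reply above are worth seeing as working commands rather than prose: checking what is actually listening (and which process owns it) with 'netstat -tupan', and rate-limiting the firewall's LOG rule so a thousand stray packets do not become a thousand report lines. The script below is an added example, not part of the original post or of fwlogwatch; the netstat output it parses is constructed sample text (the ports, PIDs and program names are made up), the 5/min limit and the "fw-drop: " log prefix are arbitrary choices, and the iptables rules are only printed unless you pass a real iptables binary to log_rules yourself.

```shell
#!/bin/sh
# Added example (not from the original post): list listening sockets from
# 'netstat -tupan' output and emit a rate-limited iptables LOG/DROP pair.

# Constructed sample of 'netstat -tupan' output (hypothetical hosts/PIDs).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1043/exim4
tcp        0      0 192.168.1.10:22         192.168.1.20:51234      ESTABLISHED 2210/sshd: user
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
udp        0      0 127.0.0.1:323           0.0.0.0:*                           700/chronyd'

# Read netstat -tupan output on stdin; print "proto local-address pid/program"
# for every socket that will accept inbound traffic: tcp sockets in LISTEN,
# and every udp socket (udp lines have no State column, so the PID field
# is one column earlier).
listening_sockets() {
    awk '
        $1 == "tcp" && $6 == "LISTEN" { print $1, $4, $7; next }
        $1 == "udp"                     { print $1, $4, $6 }
    '
}

# Same, but drop sockets bound only to loopback (127.x or ::1); what is
# left is reachable from the network.  0.0.0.0 / :: means all interfaces.
exposed_sockets() {
    listening_sockets | awk '$2 !~ /^127\./ && $2 !~ /^\[?::1\]?:/'
}

# Number of network-reachable listeners in the constructed sample.
count_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" | exposed_sockets | wc -l | tr -d ' '
}

# Emit (or apply) a LOG rule capped at 5 log lines per minute, burst 10,
# followed by the DROP that actually blocks the packet.  $1 is the command
# to run the rule through: 'echo' prints it, 'iptables' (as root) applies it.
# A bare '-j LOG' with no '-m limit' is what turns a port scan into a
# 1000-line fwlogwatch report.
log_rules() {
    ipt=${1:-echo}
    "$ipt" -A INPUT -m state --state NEW -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "fw-drop: "
    "$ipt" -A INPUT -m state --state NEW -j DROP
}

# Live run only when asked for explicitly, e.g.:  sh this.sh --live
if [ "${1:-}" = "--live" ]; then
    netstat -tupan 2>/dev/null | exposed_sockets
    log_rules echo
fi
```

On the sample above, exposed_sockets reports sshd on 0.0.0.0:22 and dhclient on udp 68 and hides exim4 and chronyd, which are bound to loopback; that is the distinction a remote "security site" scan cannot make for you, while netstat shows it together with the owning PID. The limit module numbers are a starting point: with 1255 source addresses sending about one packet each, even 5/min keeps the report readable while still recording that the noise happened.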