Re: Scans on port 17107

From: Moe Trin (ibuprofin_at_painkiller.example.tld)
Date: 11/26/05

  • Next message: Allen Kistler: "Re: No WEP/WPA, can VPN substitute?"
    Date: Sat, 26 Nov 2005 14:15:25 -0600
    
    

    On Fri, 25 Nov 2005, in the Usenet newsgroup comp.os.linux.security, in article
    <dm8dv6$qj7$1@bn2.blue.net>, Myself wrote:

    >This is what I suspect. As I said in my original post, I often get a
    >series of hits on some single port (and not any certain one), and I have
    >always come to the conclusion that it is from the previous port.

    Your ISP (duo-county.com) has a /22 block (1022 IPs) at the point where
    you are posting (they have more than that - I see at least 2560 addresses
    mentioned), and it sounds as if one of your neighbors in the county is
    running a game service or similar. At least the clients are well behaved
    and seem to go away after being told "There is no server here". 1366 hits
    from 1255 addresses is less than 1.1 packets per address. It also says
    that must be a popular game/service ;-)

    >However, the number of these did get my attention. I use fwlogwatch and
    >it send me an email report. When I opened mutt and saw the report with
    >over 1000 lines, I did notice :)

    You may want to reconsider your logging strategy, or as Grant suggests in
    the other reply I see, rate limit the logging. Your firewall blocked the
    connection attempt, and there really isn't that much more that you can do
    - again, 1.1 packets per address - are you going to call the Internet
    Police? That would be a lot of paperwork to fill out ;-)

    >Right. I have no open incoming ports to my knowledge. I've had them
    >checked on several of the security sites.

    man netstat no need to use a security site, just run 'netstat -tupan'
    and find out what is open, but also, which process is the guilty party.

    >I have a second list besides /etc/services, and I believe it is from
    >there.. It dates back to 2002 (could update), but I check with it in
    >addition to /etc/services.

    Services aren't added that often. I replace my copy every six months,
    and the differences are often just contact name changes.

    >True. But often it can give you a clue to what it might be.

    I'm on 24/7 cable in addition to having dialin. You get used to this
    constant noise. As long as you block it, that's all that matters. In
    addition, the actual service that a connection may be looking for is
    rarely the one listed in official lists - thank you microsoft for
    keeping skript kiddiez busy re-writing malware around the world.

    >Did two of my original posts show up on the list? For some reason, I got
    >two, showing a difference of 2 seconds, I believe...

    The news server at Bluegrass Network is putting message id and time
    stamps on it - looks like they think they got two copies about a second
    apart. I don't use Pan, but the news tools I'm used to have a "Are you
    sure you want to post this crap" switch each time I post to reduce the
    possibility of multi-posts.

            Old guy


  • Next message: Allen Kistler: "Re: No WEP/WPA, can VPN substitute?"

    Relevant Pages

    • Re: New format for AS3?
      ... Check your news server here. ... I get only 10 hits. ... Of those 10 - two are quite obviosly quit smoking NG's. ... Try the same Web based search from MSN via BING or with Google - you get ...
      (alt.support.stop-smoking)
    • Re: Pipex email authentication problem
      ... I just subscribed to that group and got the most recent 500 headers, ... What news server are you using? ... The only hits I have on ... It's probably some misunderstanding of mine, ...
      (uk.telecom.broadband)
    • what does "::ffff" mean in netstat output?
      ... I've read through the netstat man page, and several pages of Google ... hits for "netstat output", and I can't find an answer to this: ...
      (comp.os.linux.networking)