Re: ISP keeps connecting to my port 445
From: Copelandia Cyanescens (synesthesia_at_ix02x67invalid.net)
Date: 09/28/04
- Next message: 0x: "Re: ZoneAlarm Pro looses Settings"
- Previous message: GJ: "Re: monitor outgoing traffic"
- In reply to: GJ: "Re: ISP keeps connecting to my port 445"
- Next in thread: Khaled: "Re: ISP keeps connecting to my port 445"
Date: Tue, 28 Sep 2004 00:15:05 +0000
GJ wrote...
>> been or could be compromised. It may be they've had a problem and are
>> doing just that, but it would seem a little odd to me because known
>> viruses like Korgo that use this service to spread do so from other
>> ports *to* port 445 as far as I'm aware. I may be mistaken, and it may
>> vary from one virus/variant to another. Scanning remote port 445 may
>> tell them who is vulnerable, but not who is infected if my memory is not
>> faulty...???
>
> I think an ISP would use a honeypot for checking customers. Then you
> could also see by the type of connection and the data transferred if the
> connecting computer is infected or not.
Honestly, I think that would be a waste of resources. :)
The problem with a honeypot scenario is that it assumes an infected
machine will try to infect a pretty obscure target. Most, if not all of
our modern day "worms" reach out across the net randomly. The chances of
a specific IP being probed from within the relatively small IP block an
ISP owns are minuscule at best. There may be some that do it, but I'd
think it was more as a general "public service" than any customer
assistance thing.
Better to actively scan your IP block looking for suspicious holes, or
even "sniffing" traffic moving across your wires I'd say, if you're
targeting your customers.
>> I would contact Reliance India. They may be able to offer a valid
>> explanation. They may also have a machine(s) infected with something
>> like Korgo and not know it. You should block the traffic regardless,
>> which as you say your firewall already does. :)
>>
> You can contact the ISP, but I think it's a waste of time. Often, you
Actually, I've had pretty good luck with ISPs. Maybe it's just me. I
run Snort quite a bit just for giggles more than anything else, and I'll
occasionally feel motivated to rdns an "abuse" address and fire off an
email. Maybe 5 or 10 a week. I'd say somewhere around 70% to 75% result
in a human reply. Maybe I'm just lucky, or psychic enough to pick the
right addresses. <g>
I like to random scan the web looking for odd sites too... usually by IP
blocks allocated to a specific country, but sometimes completely at
random. You'd be surprised at how many wide open routers and printers I
stumble across. ;) I'd say that when I take the time to mess with a
"heads up" note I get about a 95% reply to those. Of course with
printers at least it's a good chance I'm emailing a specific company
representative in the first place.
> don't even get a reply. Just look at what ports you need to have open,
> and close the rest of them.
I'll have to agree for the most part. An average user probably cares
very little about what happens outside their own house. Lock it down and
forget about it. Still, it doesn't hurt to suggest, or even try if it's
*your* ISP that might be suffering. They may be grateful enough to give
you a t-shirt or something. ;-)
--
It is common sense to take a method and try it. If it fails, admit
it frankly and try another. But above all, try something.
-- Franklin D. Roosevelt