Thou spake:
>I was looking at the log on my SMC firewall, and I couldn't help
>but notice that for the 174 or so entries that it can hold, that 169
>of those are scans on port 135. In the 99 minutes that the log
>currently holds, that's 17 scans per minute. DOH! Is my IP address
>just a lucky honey-covered bullseye, or are y'all seeing the same
>sort of activity? This is _WAY_ worse than average. Usually,
>I'd see all sorts of scans, such as MS SQL Slammer, NFS, telnet,
>and the like. But this drowns them all out. If I could only trade
>this for some telemarketing calls during dinner........
>
>Blasted in Luling,
>
>Andy
I don't get anything on that port, but I'm getting hit hundreds of times with:
ICMP PING Cyberkit 2.2 Windows
Apparently it's a reconnaissance tool used by windows lusers. I'm just letting
snort log it all...
Last night I had someone doing POSTs on a php page on my box several times a
second... the sad part is, the script accepts no form variables... it's only
doing a page counter, reading data from a file on my box. I started dropping
his packets (iptables -A INPUT -s $IP -j DROP)... hopefully he'll leave me
alone for a while.
My point is, whether a worm or a lamer, your box is going to be blasted by
something or other, 24/7, unfortunately. You might consider dropping packets
with destination port 135, thusly (assuming you're running a 2.4 kernel):
iptables -A INPUT -p tcp --dport 135 -j DROP
(someone please correct me if I have the syntax wrong...)
Happy hunting!
-- 
Joey Kelly
< Minister of the Gospel | Computer Networking Consultant >
http://joeykelly.net
"Democracy is two wolves and a lamb voting on what to have for lunch. Liberty is a well-armed lamb contesting the vote."
___________________
Nolug mailing list
nolug@nolug.org
Received on 08/19/03
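An added worked example, not part of the thread above and not Joey's or Andy's code: a small POSIX sh script that tallies destination ports from firewall log lines and prints the iptables rules (with the corrected `-p tcp --dport` syntax) that would drop the noisiest port. The log format, the RFC 5737 addresses and the port numbers below are constructed for the example; SMC's real log format is not on the page, so treat the field layout as an assumption. It also prints a UDP rule alongside the TCP one, since port 135 (Microsoft RPC endpoint mapper) is listened on over both protocols. The script only prints the rules; nothing here touches a live firewall.

```shell
#!/bin/sh
# Added example (not from the nolug thread): count destination ports in a
# firewall log and print the iptables rules that would drop the top one.
# SAMPLE_LOG is constructed; field order is an assumption about the log format:
#   date time proto src:port -> dst:port action
SAMPLE_LOG='08/19/03 21:01:12 TCP 203.0.113.5:1234 -> 192.0.2.10:135 DROP
08/19/03 21:01:15 TCP 203.0.113.7:4532 -> 192.0.2.10:135 DROP
08/19/03 21:01:20 UDP 198.51.100.3:1434 -> 192.0.2.10:1434 DROP
08/19/03 21:01:31 TCP 203.0.113.9:2211 -> 192.0.2.10:135 DROP
08/19/03 21:02:02 TCP 198.51.100.8:3322 -> 192.0.2.10:23 DROP'

# count_port PORT: number of log lines whose destination port is PORT.
count_port() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v p="$1" '
        { split($6, dst, ":"); if (dst[2] == p) n++ }
        END { print n + 0 }'
}

# top_port: destination port with the most log entries
# (ties broken by the lower port number so the answer is deterministic).
top_port() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        { split($6, dst, ":"); c[dst[2]]++ }
        END {
            best = ""
            for (p in c)
                if (best == "" || c[p] > c[best] || (c[p] == c[best] && p + 0 < best + 0))
                    best = p
            print best
        }'
}

# drop_rules PORT: print (do not run) the iptables rules that drop inbound
# traffic to PORT over TCP and UDP. Joey's original line lacked "-p tcp" and
# used a single dash before dport; --dport is only valid after -p tcp|udp.
drop_rules() {
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$1"
    printf 'iptables -A INPUT -p udp --dport %s -j DROP\n' "$1"
}

# Stand-alone run: report the noisiest port and the rules for it.
noisy=$(top_port)
echo "noisiest destination port: $noisy ($(count_port "$noisy") entries)"
drop_rules "$noisy"
```

Note that `-A` appends to the INPUT chain, so the DROP lands after any earlier ACCEPT rule that already matches the same port; use `-I INPUT` instead if the rule must take effect before existing rules. To actually apply the printed rules, pipe the output to `sudo sh` after reviewing it.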
This archive was generated by hypermail 2.2.0 : 12/19/08 EST