Any known nastiness with these ports?

MadCactus · 08-17-2003, 02:23 PM

I've noticed the following hits on my firewall, is there a perfectly good explanation for why these packets are finding their way to my PC, or are there exploits/hacks associated with them? I've omitted the countless hits on ports 135, 137, and 445 (MS.Blaster

- shouldn't my ISP be blocking these?)

And also, wtf is SOCKS and AFT? Sounds a bit dodgy to me...

218.187.136.162 DPT=25 TCP - SMTP (my ISP doesn't supply an SMTP server...)
139.142.95.243 DPT=1433 TCP - Microsoft-SQL-Server.
218.2.141.142 DPT=445 TCP - Microsoft-DS
172.148.42.247 DPT=1080 TCP - SOCKS (Authenticated Firewall Traversal)
61.232.23.227 DPT=1434 UDP - Microsoft-SQL-Monitor
68.200.92.119 DPT=17300 TCP - ?

cheers
M

yocompia · 08-17-2003, 02:35 PM

about the broadcasts on port 137, this is in the range for microsoft networks (135:139) and this usually sends UDP packets. that port is "defaulted" to the netbios name service, which might have to do w/ the microsoft network stuff. that's all i've got.

gl,
y-p

MadCactus · 08-17-2003, 02:39 PM

I've noticed the following hits on my firewall, is there a perfectly good explanation for why these packets are finding their way to my PC, or are there exploits/hacks associated with them? I've omitted the countless hits on ports 135, 137, and 445 (MS.Blaster

- shouldn't my ISP be blocking these?)

And also, wtf is SOCKS and AFT? Sounds a bit dodgy to me...

218.187.136.162 DPT=25 TCP - SMTP (my ISP doesn't supply an SMTP server...)
139.142.95.243 DPT=1433 TCP - Microsoft-SQL-Server.
218.2.141.142 DPT=445 TCP - Microsoft-DS
172.148.42.247 DPT=1080 TCP - SOCKS (Authenticated Firewall Traversal)
61.232.23.227 DPT=1434 UDP - Microsoft-SQL-Monitor
68.200.92.119 DPT=17300 TCP - ?

cheers
M

2damncommon · 08-17-2003, 02:45 PM

If you are on a dynamic IP it is possible that some of the hits could be an error in attempting to reach the PC that previously had that IP.
That said, someone attempted to connect to the mail server on your computer, and most the others are M$ vulnerabilities. I am not sure what the SOCKS thing is but I see it often also.

Mathieu · 08-17-2003, 02:52 PM

Quote:

445 (MS.Blaster - shouldn't my ISP be blocking these?)

No, because windows 2000/2003/XP use port 445 for SMB.
Your ISP will never block any ports.

Ports 135, 137 and 139, these are NETBIOS ports.
Again, windows ports.

As for the other ports, if you get many hits, it is possible someone (or some worm) is trying to connect.
There are a few worms that attack Microsoft's SQL server.

Again windows.

Setup your firewall to block external connections to these ports,
and have faith in Linux.

Mathieu · 08-17-2003, 03:07 PM

Double Post.
http://www.linuxquestions.org/questi...threadid=82880

yocompia · 08-17-2003, 04:23 PM

bizzzzaaaaaaaaarrrrre

tobyl · 08-17-2003, 05:22 PM

I was getting several hits on 17300 as well, so I looked it up.
It is the backdoor for the kuang2 trojan.
Affects W95 & W98
Bored kids I guess.

unSpawn · 08-17-2003, 06:27 PM

//moderator.note: merged threads w/o mercy. Don't double-post. Watch your triggerfinger.

Btw, since it's clear by now "the rest" is targetted at MICROS~1 boxen, the only thing you need to worry about is your MTA. If you don't do POP3/IMAP elsewhere and you need to *receive* mail directly, make sure you've taken the right precautions to harden the MTA. If OTOH you need to only *send* email, then disable your MTA, cuz running the daemon then aint necessary.

MadCactus · 08-22-2003, 04:54 PM

Oops begging your pardon for the dp - all those MS worms are eating my bandwidth!

All those packets are dropped and I don't use POP3/IMAP/SMTP at all. Was just curious - thanks for the tips.

I can sleep safely now