LinuxQuestions.org
Did you know LQ has a Linux Hardware Compatibility List?
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 12-02-2003, 09:47 AM   #1
ghight
Member
 
Registered: Jan 2003
Location: Indiana
Distribution: Centos, RedHat Enterprise, Slackware
Posts: 524

Rep: Reputation: 30
Port Scan on 135


On November 26th at 1:01am to 12:01am on November 27th, I received 483 separate IP addresses attempting to scan my server on port 135. I've been looking at all the sites I can to get an idea what was going on, but I have come up empty. Did anyone else notice this?

On a brighter note, Portsentry saved the day and blocked each and every attempt. Would anyone like to help me throw together an open source Antivirus package to help these Windows newbies keep their infected computers from killing our servers?
 
Old 12-02-2003, 11:54 AM   #2
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Rep: Reputation: 15
Quote:
On November 26th at 1:01am to 12:01am on November 27th, I received 483 separate IP addresses attempting to scan my server on port 135. I've been looking at all the sites I can to get an idea what was going on, but I have come up empty. Did anyone else notice this?
Did you find it so strange? It actually is a common situation for everybody, especially if your IP is static or well known related to a DSL service.
My Debian Server sometimes can reach over 30,000 scans a day...
The sources of this traffic can be different.
1. real scans (and believe me, there are many of them)
2. Open proxies
3. worms and virus which try to DoS through a compromised machine

In all cases you can't do anything but filter.
If you want to help Micro$hit users to protect from worms and virus you could use
http://sourceforge.net/projects/weasel32/
and
http://sourceforge.net/projects/openantivirus/
and many others
 
Old 12-02-2003, 12:16 PM   #3
ghight
Member
 
Registered: Jan 2003
Location: Indiana
Distribution: Centos, RedHat Enterprise, Slackware
Posts: 524

Original Poster
Rep: Reputation: 30
I understand what you are saying, but this IS unusual for me. This server has been up for over 2 years now and the most I have gotten in one day before then was 2. To jump up to close to 500 then back down to none since I think is more than a little abnormal. Because the timing is so precise, I would speculate that a virus had something to do with it. That's why I thought it was so wierd that nothing was ever reported. If they weren't dynamically blocked, it would have most definitely brought the server to a grinding halt.
 
Old 12-02-2003, 03:50 PM   #4
TheIrish
Member
 
Registered: Oct 2003
Location: ITALY
Distribution: Debian, Ubuntu, Fedora
Posts: 137

Rep: Reputation: 15
Quote:
the most I have gotten in one day before then was 2.
actually, this looks weird, but it this case, well, probably you're right about a virus or (even worse), a broken proxy. You should have a look at the range of IPs for broken proxies and warn the sysadmin of that proxy or provider.
 
Old 12-03-2003, 11:59 PM   #5
zaphodiv
Member
 
Registered: Oct 2003
Distribution: Slackware
Posts: 388

Rep: Reputation: 30
>To jump up to close to 500 then back down to none since I think is more than a little abnormal.

My guess is that your isp blocks port 135 and they removed the filter for a day. 500 connection attemps a day is normal.
 
Old 12-15-2003, 08:56 AM   #6
ghight
Member
 
Registered: Jan 2003
Location: Indiana
Distribution: Centos, RedHat Enterprise, Slackware
Posts: 524

Original Poster
Rep: Reputation: 30
Hmmm,...I got 461 portscans on the Dec 10th only this time it was from 6am to 6pm exactly! Every two weeks on Wednesday I get a huge portscan volume on port 135. About half were from the same address as last time.

I can't believe I'm the only one that gets this. I guess I'll let you know on Christmas Eve if it happens again.
 
Old 12-15-2003, 12:40 PM   #7
core
Member
 
Registered: May 2003
Location: Berlin
Distribution: Slackware 9.1 Kernel: 2.6.4
Posts: 60

Rep: Reputation: 15
Code:
grep -c DPT=137 /var/log/syslog  
643
I just don't care about those windows share stuff on port 137.. I have linux, and hijacked/infected windows boxes on the internet are broadcasting on that port ... gotta live with it.. but in fact .. all it does here is filling up my harddisk with iptables logs
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
port scan. bruse Linux - Networking 1 10-23-2005 05:41 PM
mysqld running and reading for connections on port 3306, no port 3306 found from scan darkenigmaa Linux - Networking 7 09-21-2005 10:10 AM
TCP packets port 135,137,138,139 Gilion Linux - Networking 1 10-27-2003 09:11 AM
port scan Tigger Linux - Security 18 06-08-2003 05:44 PM
Port scan luser Linux - Networking 4 10-11-2002 01:37 PM


All times are GMT -5. The time now is 03:18 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration