Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
On November 26th at 1:01am to 12:01am on November 27th, I received 483 separate IP addresses attempting to scan my server on port 135. I've been looking at all the sites I can to get an idea what was going on, but I have come up empty. Did anyone else notice this?
On a brighter note, Portsentry saved the day and blocked each and every attempt. Would anyone like to help me throw together an open source Antivirus package to help these Windows newbies keep their infected computers from killing our servers?
On November 26th at 1:01am to 12:01am on November 27th, I received 483 separate IP addresses attempting to scan my server on port 135. I've been looking at all the sites I can to get an idea what was going on, but I have come up empty. Did anyone else notice this?
Did you find it so strange? It actually is a common situation for everybody, especially if your IP is static or well known related to a DSL service.
My Debian Server sometimes can reach over 30,000 scans a day...
The sources of this traffic can be different.
1. real scans (and believe me, there are many of them)
2. Open proxies
3. worms and viruses which try to DoS through a compromised machine
I understand what you are saying, but this IS unusual for me. This server has been up for over 2 years now and the most I have gotten in one day before then was 2. To jump up to close to 500 then back down to none since I think is more than a little abnormal. Because the timing is so precise, I would speculate that a virus had something to do with it. That's why I thought it was so weird that nothing was ever reported. If they weren't dynamically blocked, it would have most definitely brought the server to a grinding halt.
the most I have gotten in one day before then was 2.
Actually, this looks weird, but in this case, well, probably you're right about a virus or (even worse) a broken proxy. You should have a look at the range of IPs for broken proxies and warn the sysadmin of that proxy or provider.
Hmmm... I got 461 portscans on Dec 10th, only this time it was from 6am to 6pm exactly! Every two weeks on Wednesday I get a huge portscan volume on port 135. About half were from the same address as last time.
I can't believe I'm the only one that gets this. I guess I'll let you know on Christmas Eve if it happens again.
I just don't care about that Windows share stuff on port 137. I have Linux, and hijacked/infected Windows boxes on the internet are broadcasting on that port... gotta live with it. But in fact, all it does here is fill up my hard disk with iptables logs.
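Added example, not part of any post in this thread: a small Python script that reads iptables LOG lines and reports, per day, how many distinct sources probed TCP port 135, the first and last hit times, and which sources recur between two burst days. The log lines, addresses, host name and threshold are constructed for illustration, and the script assumes the standard kernel `SRC=`/`PROTO=`/`DPT=` log fields.

```python
import re
from collections import defaultdict

# Constructed, abbreviated iptables LOG lines; addresses come from the
# documentation ranges (RFC 5737), not from the thread.
SAMPLE_LOG = """\
Nov 26 01:01:07 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4001 DPT=135 SYN
Nov 26 01:03:40 srv kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=203.0.113.5 PROTO=TCP SPT=4120 DPT=135 SYN
Nov 26 09:15:02 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4002 DPT=135 SYN
Nov 26 23:58:11 srv kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=1033 DPT=135 SYN
Nov 30 14:00:00 srv kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=1500 DPT=22 SYN
Dec 10 06:00:31 srv kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=4555 DPT=135 SYN
Dec 10 17:59:48 srv kernel: IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.5 PROTO=TCP SPT=2044 DPT=135 SYN
"""

LINE_RE = re.compile(
    r"^(?P<day>\w{3}\s+\d+) (?P<time>\d\d:\d\d:\d\d) .*?\bSRC=(?P<src>\S+) "
    r".*?\bPROTO=TCP .*?\bDPT=(?P<dpt>\d+)\b"
)

def scans_by_day(log_text, port=135):
    """Map each day to its distinct sources and first/last hit time for `port`."""
    days = defaultdict(lambda: {"sources": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dpt"]) != port:
            continue
        d = days[m["day"]]
        d["sources"].add(m["src"])
        d["first"] = min(d["first"] or m["time"], m["time"])
        d["last"] = max(d["last"] or m["time"], m["time"])
    return dict(days)

def burst_days(days, threshold):
    """Days whose distinct-source count meets the threshold, in log order."""
    return [day for day, d in days.items() if len(d["sources"]) >= threshold]

def repeat_sources(days, day_a, day_b):
    """Sources seen on both days (the 'same address as last time' check)."""
    return days[day_a]["sources"] & days[day_b]["sources"]

if __name__ == "__main__":
    days = scans_by_day(SAMPLE_LOG)
    for day in burst_days(days, threshold=2):
        d = days[day]
        print(day, len(d["sources"]), "sources", d["first"], "-", d["last"])
    print("repeat:", sorted(repeat_sources(days, "Nov 26", "Dec 10")))
```

Counting distinct sources rather than raw log lines keeps one noisy host from looking like a wave, and the recurring-source set is the list worth reporting to the owning provider.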