
RE: [cobalt-security] Same IP scan again and again and again



Hi

On 15 July 2003 17:40, DNSAdmin wrote:
> I think that is a Windows vulnerability they are trying to exploit?

Not necessarily...

This could well be a client of yours, or a client of a client, or a
regular visitor to a single website on your machine. Or someone who
sends email to someone using your machine for email (you get the idea).

Before anybody runs off saying "but that's a WINDOWS PORT!", hear me
out: older, slightly more brain-dead Windows versions - I forget which,
exactly, but ISTR 95, 98, 98se and ME as culprits - often tried to
prefix every TCP connection with a NetBIOS name lookup attempt. This was
frequently because they couldn't determine the difference between local
and non-local remote hosts, or were misconfigured to specifically
attempt DNS using NetBIOS before doing anything else.

It could, just as easily, be someone scanning you: but if they keep
hitting a non-operational port, what do you have to worry about?

There is no need, whatsoever, for you to monitor port 135, unless you're
running services upon it. Doing so is a little like keeping an eye on a
specific brick in the wall of your house, just in case someone tries to
chisel the mortar out and look through the hole.

I'd look through your mail logs and see if that IP address features in
there at all. I'll wager you'll find POP3 connections from it, every
fifteen minutes, for hours on end.

Graeme

Regards

Graeme Fowler
Team Leader - Nottingham
Technical Services

Host Europe PLC
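
The check suggested in the message above (does the IP hitting port 135 also appear in the mail logs as a regular POP3 client?), as an added example that is not part of the original post. Both log line formats, the `pop3d` daemon name and all sample lines are constructed assumptions; adjust the regexes to your own firewall and mail logs.

```python
import re
from datetime import datetime, timedelta
from statistics import median

# Constructed sample lines; both log formats are assumptions, not real output.
FIREWALL_LOG = """\
Jul 15 17:00:01 host kernel: DROP SRC=192.0.2.10 DPT=135
Jul 15 17:15:00 host kernel: DROP SRC=192.0.2.10 DPT=135
Jul 15 17:30:02 host kernel: DROP SRC=192.0.2.10 DPT=135
Jul 15 17:31:40 host kernel: DROP SRC=198.51.100.7 DPT=135
"""
MAIL_LOG = """\
Jul 15 17:00:03 host pop3d[411]: connect from 192.0.2.10
Jul 15 17:15:02 host pop3d[412]: connect from 192.0.2.10
Jul 15 17:30:03 host pop3d[415]: connect from 192.0.2.10
"""

FW_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) .*SRC=(\S+) DPT=135\b")
POP_RE = re.compile(r"^(\w{3}\s+\d+ [\d:]{8}) .*pop3d\[\d+\]: connect from (\S+)")

def times_by_ip(log, pattern, year=2003):
    """Map source IP -> list of timestamps for lines matching pattern."""
    out = {}
    for line in log.splitlines():
        m = pattern.match(line)
        if m:  # syslog stamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.setdefault(m.group(2), []).append(ts)
    return out

def explain_probes(fw_log, mail_log, window=timedelta(seconds=10)):
    """Per probing IP: how many port-135 hits were followed within `window`
    by a POP3 connection from the same IP, and the typical POP3 interval."""
    probes, pops = times_by_ip(fw_log, FW_RE), times_by_ip(mail_log, POP_RE)
    report = {}
    for ip, hits in probes.items():
        sessions = sorted(pops.get(ip, []))
        matched = sum(any(timedelta(0) <= s - h <= window for s in sessions)
                      for h in hits)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(sessions, sessions[1:])]
        report[ip] = {"probes": len(hits), "followed_by_pop3": matched,
                      "median_pop3_gap_min": round(median(gaps)) if gaps else None}
    return report

if __name__ == "__main__":
    for ip, row in explain_probes(FIREWALL_LOG, MAIL_LOG).items():
        print(ip, row)
```

An IP whose every port-135 hit is followed seconds later by a POP3 connection at a steady interval fits the mail-client explanation; one with hits and no mail sessions does not.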