Re: [cobalt-security] Same IP scan again and again and again
- Subject: Re: [cobalt-security] Same IP scan again and again and again
- From: "Dave's List Addy" <listonly@xxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 15 Jul 2003 12:33:07 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
On 7/15/03 11:59 AM, "Graeme Fowler" wrote:
> Not necessarily...
>
> This could well be a client of yours, or a client of a client, or a
> regular visitor to a single website on your machine. Or someone who
> sends email to someone using your machine for email (you get the idea).
>
> Before anybody runs off saying "but that's a WINDOWS PORT!", hear me
> out: older, slightly more brain-dead Windows versions - I forget which,
> exactly, but ISTR 95, 98, 98se and ME as culprits - often tried to
> prefix every TCP connection with a NetBIOS name lookup attempt. This was
> frequently because they couldn't determine the difference between local
> and non-local remote hosts, or were misconfigured to specifically
> attempt DNS using NetBIOS before doing anything else.
>
> It could, just as easily, be someone scanning you: but if they keep
> hitting a non-operational port, what do you have to worry about?
>
> There is no need, whatsoever, for you to monitor port 135, unless you're
> running services upon it. Doing so is a little like keeping an eye on a
> specific brick in the wall of your house, just in case someone tries to
> chisel the mortar out and look through the hole.
>
> I'd look through your mail logs and see if that IP address features in
> there at all. I'll wager you'll find POP3 connections from it, every
> fifteen minutes, for hours on end.
Great reply, helped me understand a bit more on the port scans we see all
the time. Thanks!!
--
Thanks!!
David Thurman
List Only at Web Presence Group Net
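
Added example (not part of the original messages): a sketch of the mail-log check suggested in the quoted reply. It pulls one IP's POP3 connections out of syslog-style lines and tests whether they recur at a steady interval, such as every fifteen minutes. The log lines, the `popper` process name, the addresses and the function names are constructed assumptions; adjust the matching to your own daemon's log format.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample lines (syslog-style, not taken from a real server).
# 192.0.2.x and 198.51.100.x are documentation addresses.
SAMPLE_LOG = """\
Jul 15 09:00:02 raq popper[2101]: connect from 192.0.2.45
Jul 15 09:04:40 raq sendmail[2110]: connect from 198.51.100.7
Jul 15 09:15:03 raq popper[2144]: connect from 192.0.2.45
Jul 15 09:30:01 raq popper[2190]: connect from 192.0.2.45
Jul 15 09:31:12 raq popper[2193]: connect from 192.0.2.4
Jul 15 09:45:04 raq popper[2231]: connect from 192.0.2.45
""".splitlines()

STAMP = re.compile(r"^([A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

def pop3_hits(lines, ip, year=2003, service="pop"):
    """Return sorted timestamps of lines that mention `service` and exactly `ip`."""
    # Boundaries stop 192.0.2.4 from matching inside 192.0.2.45 (and vice versa).
    ip_re = re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?!\.?\d)")
    hits = []
    for line in lines:
        m = STAMP.match(line)
        if m and service in line.lower() and ip_re.search(line):
            # Syslog stamps carry no year, so one is supplied (assumption).
            hits.append(datetime.strptime(f"{year} {m.group(1)}",
                                          "%Y %b %d %H:%M:%S"))
    return sorted(hits)

def polling_profile(lines, ip, tolerance=60):
    """Summarise gaps between hits; 'periodic' means every gap is within
    `tolerance` seconds of the median gap, as a mail client's timer would be."""
    hits = pop3_hits(lines, ip)
    gaps = [(b - a).total_seconds() for a, b in zip(hits, hits[1:])]
    if len(gaps) < 2:
        # Too few connections to say anything about regularity.
        return {"hits": len(hits), "median_gap": None, "periodic": False}
    mid = median(gaps)
    return {"hits": len(hits), "median_gap": mid,
            "periodic": all(abs(g - mid) <= tolerance for g in gaps)}

if __name__ == "__main__":
    for addr in ("192.0.2.45", "192.0.2.4"):
        print(addr, polling_profile(SAMPLE_LOG, addr))
```

A periodic result with a gap near 900 seconds matches the mail-client explanation in the quoted reply; an IP with no POP3 hits, or irregular ones, is not explained by this check.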