
Re: [cobalt-security] Same IP scan again and again and again



On 7/15/03 11:59 AM, "Graeme Fowler" wrote:

> Not necessarily...
> 
> This could well be a client of yours, or a client of a client, or a
> regular visitor to a single website on your machine. Or someone who
> sends email to someone using your machine for email (you get the idea).
> 
> Before anybody runs off saying "but that's a WINDOWS PORT!", hear me
> out: older, slightly more brain-dead Windows versions - I forget which,
> exactly, but ISTR 95, 98, 98se and ME as culprits - often tried to
> prefix every TCP connection with a NetBIOS name lookup attempt. This was
> frequently because they couldn't determine the difference between local
> and non-local remote hosts, or were misconfigured to specifically
> attempt DNS using NetBIOS before doing anything else.
> 
> It could, just as easily, be someone scanning you: but if they keep
> hitting a non-operational port, what do you have to worry about?
> 
> There is no need, whatsoever, for you to monitor port 135, unless you're
> running services upon it. Doing so is a little like keeping an eye on a
> specific brick in the wall of your house, just in case someone tries to
> chisel the mortar out and look through the hole.
> 
> I'd look through your mail logs and see if that IP address features in
> there at all. I'll wager you'll find POP3 connections from it, every
> fifteen minutes, for hours on end.


Great reply, helped me understand a bit more on the port scans we see all
the time. Thanks!!
-- 
Thanks!!
David Thurman
List Only at Web Presence Group Net
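
The check suggested in the quoted reply (seeing whether the address probing the closed port also appears in the mail log as a regularly polling POP3 client), as an added example that is not part of the original thread. The log format, the daemon name `pop3d`, the host name and the IP addresses are constructed for illustration; adapt `LINE_RE` to what your own mail daemon writes.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample lines in a hypothetical syslog-style format.
# 192.0.2.10 stands in for the address seen probing the closed port.
SAMPLE_MAIL_LOG = """\
Jul 15 09:00:02 raq pop3d[2101]: connect from 192.0.2.10
Jul 15 09:04:40 raq pop3d[2107]: connect from 198.51.100.7
Jul 15 09:15:01 raq pop3d[2113]: connect from 192.0.2.10
Jul 15 09:30:03 raq pop3d[2120]: connect from 192.0.2.10
Jul 15 09:45:02 raq pop3d[2133]: connect from 192.0.2.10
Jul 15 10:00:01 raq smtpd[2140]: connect from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\s"
    r"(?P<svc>\w+)\[\d+\]: connect from (?P<ip>\S+)$"
)

def pop3_hits(log_text, ip, year=2003):
    """Sorted datetimes of POP3 connections from `ip` (syslog omits the year)."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["svc"] == "pop3d" and m["ip"] == ip:
            ts = f"{year} {m['ts']}"
            hits.append(datetime.strptime(ts, "%Y %b %d %H:%M:%S"))
    return sorted(hits)

def gaps_minutes(hits):
    """Minutes between consecutive connections."""
    return [(b - a).total_seconds() / 60 for a, b in zip(hits, hits[1:])]

def polling_interval_minutes(log_text, ip):
    """Median gap between POP3 connections, or None with fewer than two hits."""
    gaps = gaps_minutes(pop3_hits(log_text, ip))
    return round(median(gaps), 1) if gaps else None

def looks_like_polling_client(log_text, ip, min_hits=3, tolerance=0.2):
    """True if `ip` checks mail at a steady interval, i.e. it is likely a
    user's PC doing NetBIOS lookups before each connection, not a scanner."""
    gaps = gaps_minutes(pop3_hits(log_text, ip))
    if len(gaps) < min_hits - 1:
        return False
    mid = median(gaps)
    return all(abs(g - mid) <= tolerance * mid for g in gaps)
```
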