Koozali.org: home of the SME Server

Legacy Forums => General Discussion (Legacy) => Topic started by: Charlie on March 16, 2004, 09:41:58 PM

Title: Is this what a port scan looks like
Post by: Charlie on March 16, 2004, 09:41:58 PM
I'm getting a ton of this in my messages log. Is this a port scan?

Mar 16 10:40:50 pluto kernel: denylog:IN=eth0 OUT= MAC=00:40:05:0a:20:0f:00:a0:c8:0b:be:8e:08:00 SRC=203.10.23.28 DST=68.78.95.2 LEN=390 TOS=0x00 PREC=0x00 TTL=113 ID=12646 PROTO=UDP SPT=31987 DPT=1026 LEN=370
Mar 16 10:41:58 pluto kernel: denylog:IN=eth0 OUT= MAC=00:40:05:0a:20:0f:00:a0:c8:0b:be:8e:08:00 SRC=68.78.67.78 DST=68.78.95.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=36191 DF PROTO=TCP SPT=4263 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 16 10:42:01 pluto kernel: denylog:IN=eth0 OUT= MAC=00:40:05:0a:20:0f:00:a0:c8:0b:be:8e:08:00 SRC=68.78.67.78 DST=68.78.95.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=36319 DF PROTO=TCP SPT=4263 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 16 10:42:07 pluto kernel: denylog:IN=eth0 OUT= MAC=00:40:05:0a:20:0f:00:a0:c8:0b:be:8e:08:00 SRC=68.78.67.78 DST=68.78.95.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=36506 DF PROTO=TCP SPT=4263 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Mar 16 10:46:44 pluto kernel: denylog:IN=eth0 OUT= MAC=00:40:05:0a:20:0f:00:a0:c8:0b:be:8e:08:00 SRC=68.77.146.172 DST=68.78.95.2 LEN=64 TOS=0x00 PREC=0x00 TTL=121 ID=35791 DF PROTO=TCP SPT=1835 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 16 10:59:21 pluto kernel: denylog:IN=eth0 OUT= MAC=00:40:05:0a:20:0f:00:a0:c8:0b:be:8e:08:00 SRC=68.78.33.154 DST=68.78.95.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=52568 DF PROTO=TCP SPT=4120 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Mar 16
Title: Is this what a port scan looks like
Post by: Reinhold on March 16, 2004, 11:24:42 PM
NO

These are all (but one) addressed to port 135 (DPT=135).
Your neighbours, namely
203.10.23.28
68.78.67.78
68.77.146.172   and so on
still got some "LOVESAN" or "BLASTER" worm food for you. :hammer:

Nothing to worry about, really.
We all get them and your firewall proves it's working.

Worry if you see a series of different DPT= values from one source (SRC=_same_ip_) ... that could be a scanner.

Enjoy :pint:
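The distinction drawn in the reply above (many hosts hitting the same port is worm background noise; one host walking through many ports in a short time is a scanner) can be checked mechanically. The script below is an added example and is not from this thread or from SME Server itself: it parses the denylog lines quoted in the question, groups them by SRC, and applies the reply's heuristic. The thresholds (5 distinct ports within 60 seconds), the 192.0.2.77 "scanner" lines and the function names are my own assumptions and constructions.

```python
import re
from collections import defaultdict
from datetime import datetime

# The six denylog lines posted in the question (copied as given).
POSTED_LINES = [
    "Mar 16 10:40:50 pluto kernel: denylog:IN=eth0 OUT= MAC=00:40:05:0a:20:0f:00:a0:c8:0b:be:8e:08:00 SRC=203.10.23.28 DST=68.78.95.2 LEN=390 TOS=0x00 PREC=0x00 TTL=113 ID=12646 PROTO=UDP SPT=31987 DPT=1026 LEN=370",
    "Mar 16 10:41:58 pluto kernel: denylog:IN=eth0 OUT= MAC=00:40:05:0a:20:0f:00:a0:c8:0b:be:8e:08:00 SRC=68.78.67.78 DST=68.78.95.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=36191 DF PROTO=TCP SPT=4263 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Mar 16 10:42:01 pluto kernel: denylog:IN=eth0 OUT= MAC=00:40:05:0a:20:0f:00:a0:c8:0b:be:8e:08:00 SRC=68.78.67.78 DST=68.78.95.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=36319 DF PROTO=TCP SPT=4263 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Mar 16 10:42:07 pluto kernel: denylog:IN=eth0 OUT= MAC=00:40:05:0a:20:0f:00:a0:c8:0b:be:8e:08:00 SRC=68.78.67.78 DST=68.78.95.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=36506 DF PROTO=TCP SPT=4263 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0",
    "Mar 16 10:46:44 pluto kernel: denylog:IN=eth0 OUT= MAC=00:40:05:0a:20:0f:00:a0:c8:0b:be:8e:08:00 SRC=68.77.146.172 DST=68.78.95.2 LEN=64 TOS=0x00 PREC=0x00 TTL=121 ID=35791 DF PROTO=TCP SPT=1835 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Mar 16 10:59:21 pluto kernel: denylog:IN=eth0 OUT= MAC=00:40:05:0a:20:0f:00:a0:c8:0b:be:8e:08:00 SRC=68.78.33.154 DST=68.78.95.2 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=52568 DF PROTO=TCP SPT=4120 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0",
]

# Constructed lines (NOT from the thread): one source (192.0.2.77, a documentation
# address) trying six different ports within five seconds, i.e. what the reply
# calls "a series of DPT= from one source".
_SCAN_TEMPLATE = (
    "Mar 16 11:05:{sec:02d} pluto kernel: denylog:IN=eth0 OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.77 DST=68.78.95.2 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID={ident} DF PROTO=TCP SPT=54321 "
    "DPT={dpt} WINDOW=5840 RES=0x00 SYN URGP=0"
)
CONSTRUCTED_SCAN_LINES = [
    _SCAN_TEMPLATE.format(sec=i, ident=1000 + i, dpt=p)
    for i, p in enumerate([21, 22, 23, 25, 80, 443])
]

# syslog prefix: "Mon DD HH:MM:SS host kernel: denylog:" followed by KEY=VALUE fields
_PREFIX_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel:\s+denylog:(.*)$")
_FIELD_RE = re.compile(r"(\w+)=(\S*)")  # bare flags such as DF and SYN are skipped


def parse_line(line):
    """Return {time, src, proto, dpt} for a denylog line, or None if it is not one."""
    m = _PREFIX_RE.match(line)
    if not m:
        return None
    fields = dict(_FIELD_RE.findall(m.group(2)))  # a repeated LEN= keeps the last value
    return {
        "time": datetime.strptime(m.group(1), "%b %d %H:%M:%S"),  # year-less syslog stamp
        "src": fields.get("SRC"),
        "proto": fields.get("PROTO"),
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def summarize(lines, scan_ports=5, window_seconds=60):
    """Apply the reply's heuristic per source address.

    A source that hits at least `scan_ports` distinct proto/port pairs within
    `window_seconds` is flagged as a possible port scan. A source that only ever
    hits one port which other sources also hit is classed as background noise.
    Thresholds are assumptions, not anything from the thread.
    """
    entries = [e for e in map(parse_line, lines) if e and e["src"]]
    sources_per_port = defaultdict(set)   # (proto, dpt) -> {src, ...}
    hits_per_src = defaultdict(list)      # src -> [entry, ...]
    for e in entries:
        sources_per_port[(e["proto"], e["dpt"])].add(e["src"])
        hits_per_src[e["src"]].append(e)

    verdicts = {}
    for src, hits in hits_per_src.items():
        hits.sort(key=lambda h: h["time"])
        # Sliding window: most distinct ports this source touched within window_seconds.
        peak, start = 0, 0
        for end in range(len(hits)):
            while (hits[end]["time"] - hits[start]["time"]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, len({(h["proto"], h["dpt"]) for h in hits[start:end + 1]}))
        if peak >= scan_ports:
            verdicts[src] = "possible port scan"
            continue
        ports = {(h["proto"], h["dpt"]) for h in hits}
        if len(ports) == 1:
            proto, dpt = next(iter(ports))
            others = len(sources_per_port[(proto, dpt)]) - 1
            if others:
                verdicts[src] = f"background noise: {proto}/{dpt} also hit by {others} other source(s)"
            else:
                verdicts[src] = f"single probe of {proto}/{dpt}"
        else:
            verdicts[src] = "few ports from one source; watch it"
    return verdicts


if __name__ == "__main__":
    for src, verdict in summarize(POSTED_LINES + CONSTRUCTED_SCAN_LINES).items():
        print(f"{src:16} {verdict}")
```

On the posted lines alone every TCP/135 source comes out as background noise (the same port, hit by several neighbours), the lone UDP/1026 packet is a single probe, and only the constructed 192.0.2.77 lines trip the "series of DPT= from one source" rule. To run it against a live SME Server log, feed `open("/var/log/messages")` to `summarize` instead of the embedded lists.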