[NCLUG] poking port 109

Michael Dwyer mdwyer at sixthdimension.com
Mon Dec 3 10:17:49 MST 2001


mike cullerton wrote:
>  starting yesterday morning, i've received a packet about every twenty
> minutes checking out port 109 on incrementing ip's. ie, the first packet hit
> .1 and about twenty minutes later one came in for .2 and then twenty minutes
> later, .3 and so on. they're all coming from the same ip address.
>  it's up around .83 right now.

That is soooo weird.  You confused the hell outta me!  I thought I
was reading the Intrusions list at Incidents.org -- Somebody there
was just talking about this one.

>  what would y'all do if you saw this on your own network?

Frankly, I usually do just what you do -- block them and ignore them. I
think that maybe in this case, I would report this activity to their
upstream provider (using WHOIS et al to try to find it).  Even then,
sending reports to APNIC and EPIC hosts doesn't always work.  eg,
sending english notes to Chinese people doesn't always work that well. 
One of the largest ISPs in France is right now causing a national
spectacle on the Intrusions list because they NEVER seem to act on abuse
complaints.  People are contacting the consulate!

Your mileage may, of course, vary.

>  there's so much scanning going on these days that i don't even complain to
> upstreams anymore. do y'all? usually, i just deny the packets at the router
> and not even log them.

For what it is worth, 109 is POP2 -- which isn't used all that much...
vulnerable in RH5, I guess.  However, you aren't the only person to
notice it.  While not high on the lists at DShield, it is still rather
significant:

http://www1.dshield.org/port_report.php?port=109

Incidentally, if you submit your logs to DShield, then DShield will send a
contact note up the chain and will also make note of their intrusion.
That might help.  It is certainly easier than chasing it down yourself.
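One way to pick this kind of slow, one-host-at-a-time sweep out of router or firewall logs before deciding whether to block, report or submit it, added here as an example and not part of the original thread. The iptables-style log lines, the year and the addresses (documentation ranges) are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not from the original post): one source probing
# port 109 on .1, .2, .3, .4 roughly twenty minutes apart, plus unrelated noise.
SAMPLE_LOG = """\
Dec  2 08:01:12 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=109
Dec  2 08:22:40 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.2 PROTO=TCP DPT=109
Dec  2 08:41:05 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.3 PROTO=TCP DPT=109
Dec  2 09:00:59 gw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.4 PROTO=TCP DPT=109
Dec  2 09:03:14 gw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.25 PROTO=TCP DPT=80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) .*?DPT=(?P<dpt>\d+)"
)

def parse(log):
    """Turn syslog lines into (timestamp, src, dst, dport) tuples; skip the rest."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("2001 " + m["ts"], "%Y %b %d %H:%M:%S")  # year assumed
        events.append((ts, m["src"], m["dst"], int(m["dpt"])))
    return events

def find_slow_sweeps(events, min_hosts=3, max_gap_minutes=60):
    """Flag (source, port) pairs that walk one /24 host by host in ascending order."""
    by_key = defaultdict(list)
    for ts, src, dst, dpt in events:
        by_key[(src, dpt)].append((ts, dst))
    sweeps = []
    for (src, dpt), hits in by_key.items():
        hits.sort()
        prefixes = {dst.rsplit(".", 1)[0] for _, dst in hits}
        if len(hits) < min_hosts or len(prefixes) != 1:
            continue  # too few probes, or spread over several networks
        hosts = [int(dst.rsplit(".", 1)[1]) for _, dst in hits]
        gaps = [(b - a).total_seconds() / 60 for (a, _), (b, _) in zip(hits, hits[1:])]
        ascending = all(b == a + 1 for a, b in zip(hosts, hosts[1:]))
        if ascending and max(gaps) <= max_gap_minutes:
            sweeps.append({"src": src, "port": dpt, "hosts": len(hits),
                           "avg_gap_min": round(sum(gaps) / len(gaps), 1)})
    return sweeps
```

A hit rate this low never trips a per-minute threshold, which is why the check keys on the ordering of destination hosts rather than on volume.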