LinuxSA Mailing list archives

  From: Alan Kennington <akenning@dog.topology.org>
  To  : Mike O <mike@pineview.net>
  Date: Wed, 15 Nov 2000 15:05:44 +1030

Re: Dumps from My PPP link

On Wed, Nov 15, 2000 at 01:08:15PM +1030, Mike O'Connor wrote:
> 
> Has any one go any idea what these packets are trying to do ?


Mike,

They're doing a port 137 scan to see if you have any
machines to hack.

There are two kinds of port 137 packet in my logs files.
First, windows users who are just browsing the net
often emit these packets to try to do reverse address mapping
for one of their legacy proprietary prototols.

But if they are going through in numerical sequence through your IP space,
that's a search for weakly defended windows machines.

It's no risk to your machines - I expect!
But I just report them to their ISP's administrator and half the
time they get their account terminated.
I recommend you do this too.
After all, it's your bandwidth and disk space (for log files)
that they're wasting. And when they do get a victim, that leads
to more serious attacks. 
Think of it like watching people going through a car park trying to
break into a car to commit a crime in. You might not mind that
someone else's car gets stolen, but some day they might use it
to do something which is not to your benefit, so to speak.

Cheerio,
Alan Kennington.

PS. Did you-all see the slashdot item on a linux firewall
in a PCI card?
http://merilus.com/firecard/
I guess this means that the debates about having a separate
firewall machine (which I haven't been following) 
might be resolved in an unexpected fashion.
I guess that even windows users could then all connect to the net
with a linux firewall card instead of a modem card.

-- 
LinuxSA WWW: http://www.linuxsa.org.au/  IRC: #linuxsa on irc.linux.org.au
To unsubscribe from the LinuxSA list:
  mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject