Hi everyone,

Since the 6th of April I am getting quite a lot of scans to port 113 from various ports 4331 4629 46409 46413 46422 and 1085. I was able to find 1085 which is webobjects but the others I could not find any info. Can someone guide me on what these are for, or are they trojan ports? TIA

Apr 6 22:41:16 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 212.45.64.105:4331 212.156.196.226:113 L=60 S=0x00 I=21011 F=0x4000 T=59 SYN (#22)
Apr 6 22:41:19 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 212.45.64.105:4331 212.156.196.226:113 L=60 S=0x00 I=21030 F=0x4000 T=59 SYN (#22)
Apr 6 22:41:25 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 212.45.64.105:4331 212.156.196.226:113 L=60 S=0x00 I=21034 F=0x4000 T=59 SYN (#22)
Apr 6 22:41:37 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 212.45.64.105:4331 212.156.196.226:113 L=60 S=0x00 I=21039 F=0x4000 T=59 SYN (#22)
Apr 6 23:11:16 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 212.45.64.105:4629 212.156.196.226:113 L=60 S=0x00 I=40551 F=0x4000 T=59 SYN (#22)
Apr 6 23:11:19 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 212.45.64.105:4629 212.156.196.226:113 L=60 S=0x00 I=40585 F=0x4000 T=59 SYN (#22)
Apr 6 23:11:25 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 212.45.64.105:4629 212.156.196.226:113 L=60 S=0x00 I=40647 F=0x4000 T=59 SYN (#22)
Apr 6 23:11:37 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 212.45.64.105:4629 212.156.196.226:113 L=60 S=0x00 I=40736 F=0x4000 T=59 SYN (#22)
Apr 6 23:13:01 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 210.93.217.129:3895 212.156.196.226:111 L=60 S=0x00 I=15280 F=0x4000 T=39 SYN (#38)
Apr 6 23:13:04 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 210.93.217.129:3895 212.156.196.226:111 L=60 S=0x00 I=16390 F=0x4000 T=39 SYN (#38)
Apr 6 23:30:08 gardiyan kernel: Packet log: input DENY eth1 PROTO=17 212.216.224.236:137 212.156.196.226:137 L=78 S=0x00 I=57407 F=0x0000 T=103 (#38)
Apr 6 23:30:10 gardiyan kernel: Packet log: input DENY eth1 PROTO=17 212.216.224.236:137 212.156.196.226:137 L=78 S=0x00 I=57663 F=0x0000 T=103 (#38)
Apr 6 23:30:11 gardiyan kernel: Packet log: input DENY eth1 PROTO=17 212.216.224.236:137 212.156.196.226:137 L=78 S=0x00 I=57919 F=0x0000 T=103 (#38)
Apr 6 23:30:31 gardiyan kernel: Packet log: input DENY eth1 PROTO=17 212.216.224.236:137 212.156.196.226:137 L=78 S=0x00 I=61247 F=0x0000 T=103 (#38)
Apr 6 23:30:32 gardiyan kernel: Packet log: input DENY eth1 PROTO=17 212.216.224.236:137 212.156.196.226:137 L=78 S=0x00 I=61503 F=0x0000 T=103 (#38)
Apr 6 23:30:34 gardiyan kernel: Packet log: input DENY eth1 PROTO=17 212.216.224.236:137 212.156.196.226:137 L=78 S=0x00 I=61759 F=0x0000 T=103 (#38)
Apr 6 23:41:54 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 211.92.50.170:21 212.156.196.226:21 L=40 S=0x00 I=39426 F=0x0000 T=13 SYN (#38)
Apr 7 00:15:16 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 193.140.140.104:46409 212.156.196.226:113 L=60 S=0x00 I=0 F=0x4000 T=59 SYN (#22)
Apr 7 00:15:25 gardiyan last message repeated 2 times
Apr 7 00:17:17 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 193.140.140.104:46413 212.156.196.226:113 L=60 S=0x00 I=0 F=0x4000 T=59 SYN (#22)
Apr 7 00:17:25 gardiyan last message repeated 2 times
Apr 7 00:18:47 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 193.140.140.104:46422 212.156.196.226:113 L=60 S=0x00 I=0 F=0x4000 T=59 SYN (#22)
Apr 7 00:18:56 gardiyan last message repeated 2 times
Apr 7 00:26:16 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 212.45.64.105:1085 212.156.196.226:113 L=60 S=0x00 I=17580 F=0x4000 T=58 SYN (#22)
Apr 7 00:26:19 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 212.45.64.105:1085 212.156.196.226:113 L=60 S=0x00 I=17612 F=0x4000 T=58 SYN (#22)
Apr 7 00:26:25 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 212.45.64.105:1085 212.156.196.226:113 L=60 S=0x00 I=17679 F=0x4000 T=58 SYN (#22)
Apr 7 00:26:37 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 212.45.64.105:1085 212.156.196.226:113 L=60 S=0x00 I=17755 F=0x4000 T=58 SYN (#22)

-- 
Togan Muftuoglu
On Sat, 7 Apr 2001, Togan Muftuoglu wrote:

> Hi everyone,
>
> Since the 6th of April I am getting quite a lot of scans to port 113 from various ports 4331 4629 46409 46413 46422 and 1085. I was able to find 1085 which is webobjects but the others I could not find any info. Can someone guide me on what these are for, or are they trojan ports?

Source ports are mostly meaningless, especially if they're above 1024, since any user can allocate them. To identify destination ports, your system has an excellent reference in /etc/services and /etc/protocols.

Protocol 6 is TCP, and port 113 for TCP is the ident service. This is an absolutely normal service, and many standard services routinely issue an ident request before allowing service to their clients. Look at the IP address of the source. Is it by any chance your ISP's DNS? Or SMTP relay? Many people choose not to run an ident service, so most ISPs don't actually require that you reply to their requests. You may find, however, that if you also block outgoing ICMP 'port not available' messages, your DNS or mail transmissions will suffer a delay while the server waits for a response to the ident request. If you don't like the (sometimes 30 second) delay, then politely tell them that you won't respond with an ICMP 'port not available'.

-- 
Rick Green
"I have the heart of a little child, and the brain of a genius. ... and I keep them in a jar under my bed"
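The reply above makes two practical points: destination ports are what /etc/services and /etc/protocols identify, and source ports above 1024 carry no information because any client allocates them. As an added example (not code from either poster), here is a small Python parser for the ipchains "Packet log" lines quoted in the thread. It resolves each destination port through socket.getservbyport(), which reads /etc/services, falls back to a small built-in table when that file is missing, flags ephemeral source ports, and folds syslog's "last message repeated N times" lines into the count so the totals match what the firewall actually denied. The sample lines are copied from the thread; the fallback table, the regular expressions and the function names are this example's own assumptions.

```python
"""Summarise ipchains 'Packet log' lines by destination port and source host.

Added example, not code from the thread. Assumes the log layout shown there:
'... Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...'
"""
import re
import socket
from collections import Counter, defaultdict

# Sample input: lines copied from the thread, one per probe type seen,
# plus one of the 'last message repeated' lines that syslog emits.
SAMPLE_LOG = """\
Apr 6 22:41:16 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 212.45.64.105:4331 212.156.196.226:113 L=60 S=0x00 I=21011 F=0x4000 T=59 SYN (#22)
Apr 6 23:11:16 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 212.45.64.105:4629 212.156.196.226:113 L=60 S=0x00 I=40551 F=0x4000 T=59 SYN (#22)
Apr 6 23:13:01 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 210.93.217.129:3895 212.156.196.226:111 L=60 S=0x00 I=15280 F=0x4000 T=39 SYN (#38)
Apr 6 23:30:08 gardiyan kernel: Packet log: input DENY eth1 PROTO=17 212.216.224.236:137 212.156.196.226:137 L=78 S=0x00 I=57407 F=0x0000 T=103 (#38)
Apr 6 23:41:54 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 211.92.50.170:21 212.156.196.226:21 L=40 S=0x00 I=39426 F=0x0000 T=13 SYN (#38)
Apr 7 00:15:16 gardiyan kernel: Packet log: input DENY eth1 PROTO=6 193.140.140.104:46409 212.156.196.226:113 L=60 S=0x00 I=0 F=0x4000 T=59 SYN (#22)
Apr 7 00:15:25 gardiyan last message repeated 2 times
"""

LINE_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<action>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")

# The two /etc/protocols numbers that occur in the log.
PROTO_NAMES = {6: "tcp", 17: "udp"}

# Built-in copy of the relevant /etc/services entries (constructed for this
# example) so it still runs on a host without that file.
FALLBACK_SERVICES = {
    ("tcp", 21): "ftp", ("tcp", 111): "sunrpc", ("tcp", 113): "auth",
    ("udp", 137): "netbios-ns",
}


def service_name(proto, port):
    """Name a destination port the way /etc/services does; 'unknown' if absent."""
    try:
        return socket.getservbyport(port, proto)   # consults /etc/services
    except OSError:
        return FALLBACK_SERVICES.get((proto, port), "unknown")


def parse_line(line):
    """Extract the 5-tuple from one 'Packet log' line, or None if it is not one."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    sport = int(m["sport"])
    return {
        "proto": PROTO_NAMES.get(int(m["proto"]), m["proto"]),
        "src": m["src"], "sport": sport,
        "dst": m["dst"], "dport": int(m["dport"]),
        # Ports >= 1024 are handed out by the client's OS and identify nothing.
        "ephemeral_src": sport >= 1024,
    }


def summarise(log_text):
    """Count denied packets per (proto, dport) and per source host.

    syslog's 'last message repeated N times' lines are folded into the record
    that precedes them, so the totals match what the firewall actually dropped.
    """
    by_port = Counter()
    by_source = defaultdict(Counter)
    last = None
    for line in log_text.splitlines():
        rep = REPEAT_RE.search(line)
        if rep:
            rec, n = last, int(rep["n"])
        else:
            rec, n = parse_line(line), 1
            last = rec
        if rec is None:
            continue
        key = (rec["proto"], rec["dport"])
        by_port[key] += n
        by_source[rec["src"]][key] += n
    return by_port, by_source


def report(log_text):
    """One line per destination port, busiest first, then a per-source breakdown."""
    by_port, by_source = summarise(log_text)
    lines = [f"{proto}/{dport} ({service_name(proto, dport)}): {n} denied"
             for (proto, dport), n in by_port.most_common()]
    for src, ports in sorted(by_source.items()):
        detail = ", ".join(f"{p}/{d}={n}" for (p, d), n in sorted(ports.items()))
        lines.append(f"  from {src}: {detail}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Running report(SAMPLE_LOG) groups the sample into tcp/113 (the ident/auth service) with 5 denied packets, plus one each for tcp/111, udp/137 and tcp/21, and the per-source lines show that just two hosts account for all the ident probes. That per-source view is the check the reply suggests making (is the source your ISP's DNS or mail relay?) before reading anything into the source port numbers.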