Re: Probs on port 3123

[chort <chort () amaunetsgothique com>]

Learn to ignore it.  I've had several broadband providers and I always
make sure to keep my logview running when my workstation is on (one of
these days I'll import the MIBs to my Linux box so I'll have real
logging).

Any way, the point is I get never-ending streams of attempted IIS
exploits, SQL exploits, etc. As long as the firewall is dropping the
connection you have nothing to worry about.

The stuff you *do* have to worry about is unexplained traffic to ports
you are running services on.  Snort is considered to be a pretty good
free NIDS that you could deploy if you're concerned about watching your
services.

-- 
-chort

On Fri, 13 Jun 2003, Dominick.S wrote:

> Hi Again:
>
> Sorry for over-reacting yesterday, 
> this is an email I received this morning, from the host I contacted
> yesterday.
> ----------------------------------------------------------------------------
> -----------
>
> Hello,
>
> The log you sent showed connections between port 3123 and port 2650 on
> 66.135.130.125. 
> Port 2650 on 66.135.130.125 is a KaZaA supernode:
>
> # telnet 66.135.130.125 2650
> Trying 66.135.130.125...
> Connected to 66.135.130.125.
> Escape character is '^]'.
> GET /
> HTTP/1.0 501 Not Implemented
> X-Kazaa-Username: TimX44
> X-Kazaa-Network: KaZaA
> X-Kazaa-IP: 66.135.130.125:2650
>
> Connection closed by foreign host.
> #
>
> You might want to check, as chances are you are infact running KaZaA without
> your knowledge and it's simply talking to a supernode.
>
> We will not be investigating this further.
>
> ----------------------------------------------------------------------------
> -------------
> Hmm.. 
>
> Ok, I have my home network, none of the PC's run kazaa (im 100% sure)
> None of my PC's are listening on port 3123.
> I was just assigned a new IP address from my cable company few days ago.
> Im thinking maybe this IP was running kazaa or whatever in the past or a
> supernode..
>
> We see him telnet in to the "IP" that's probing me, and its something to do
> with kazaa,
> But what does that have to do with that IP probing me on port 3123 every few
> minutes...
>
> As you can see im still being probed from all angles.
>
> 2003-06-13 09:08:51 
> Dropping ICMP error message. 
> Original UDP from 81.57.64.78:3870 to my.ip.addy:3123 192.168.1.2
> 81.57.64.78 3/ICMP  
> 2003-06-13 08:47:02 
> Dropping ICMP error message. 
> Original UDP from 24.150.92.85:1467 to my.ip.addy:3123 192.168.1.2
> 24.150.92.85 3/ICMP  
> 2003-06-13 08:30:32 
> Dropping ICMP error message. 
> Original UDP from 81.57.64.78:3870 to my.ip.addy:3123 192.168.1.2
> 81.57.64.78 3/ICMP  
> 2003-06-13 08:04:32 
> Dropping ICMP error message. 
> Original UDP from 81.224.51.188:2730 to my.ip.addy:3123 192.168.1.2
> 81.224.51.188 3/ICMP  
> 2003-06-13 07:39:30 
> Dropping ICMP error message. 
> Original UDP from 213.113.9.85:3125 to my.ip.addy:3123 192.168.1.2
> 213.113.9.85 3/ICMP  
> 2003-06-13 07:25:13 
> Dropping ICMP error message. 
> Original UDP from 81.57.64.78:3870 to my.ip.addy:3123 192.168.1.2
> 81.57.64.78 3/ICMP  
> 2003-06-13 07:03:44 
> Dropping ICMP error message. 
> Original UDP from 213.113.9.85:3125 to my.ip.addy:3123 192.168.1.2
> 213.113.9.85 3/ICMP  
> 2003-06-13 06:20:25 
> Dropping ICMP error message. 
> Original UDP from 213.113.9.85:3125 to my.ip.addy:3123 192.168.1.2
> 213.113.9.85 3/ICMP  
> 2003-06-13 05:25:41 
> Dropping ICMP error message. 
> Original UDP from 141.161.140.75:2687 to my.ip.addy:3123 192.168.1.2
> 141.161.140.75 3/ICMP  
> 2003-06-13 04:56:01 
> Dropping ICMP error message. 
> Original UDP from 212.118.86.86:1813 to my.ip.addy:3123 192.168.1.2
> 212.118.86.86 3/ICMP  
> 2003-06-13 04:37:52 
> Dropping ICMP error message. 
> Original UDP from 24.163.60.116:3446 to my.ip.addy:3123 192.168.1.2
> 24.163.60.116 3/ICMP  
> 2003-06-13 04:17:16 
> Dropping ICMP error message. 
> Original UDP from 212.118.86.86:1813 to my.ip.addy:3123 192.168.1.2
> 212.118.86.86 3/ICMP  
> ----------------------------------------------------------------------------
> -----------------
>
> Thanks for the help List!!
>
>
> ---------------------------------------------------------------------------
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
> The Gartner Group just put Neoteris in the top of its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in marketshare.
>
> Find out why, and see how you can get plug-n-play secure remote access in
> about an hour, with no client, server changes, or ongoing maintenance.
>
> Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
> ----------------------------------------------------------------------------


---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
     
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
          
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------