Re: two port scans

[Robert Collins <robert.collins () ITDOMAIN COM AU>]

Thanks for the feedback from the list...

I used the networksolutions whois... I'll dig around for whois on win32
:-]

All my boxes were fine - the logs showed no traffic allowed through the
firewall from those sites. I'm about to mail the neverending admin
contact.

Thanks again,
Rob

> -----Original Message-----
> From: martin j. muench [mailto:muench () GMC-ONLINE DE]
> Sent: Thursday, 31 August 2000 7:41 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Re: two port scans
>
>
> > I've seen two port scans this week.
> > 208.5.42.164 scanning port 137
> > 202.30.115.58 scanning port 109
> >
> > Both scanned my /25 net end to end
> >
> > I couldn't get anything useful from whois.
>
> 208.5.42.164 = host3.neverending.com, looks like a small
> insecure server, which is probably rooted and now used
> for scanning. The other one is down.
>
> > Anyone else seen these boxen scanning
>
> no, there are too many hosts scanning for several ports.
>
> > ...know of recent toolkits or breakages they migh tbe scanning
> > for?
> the second one which scans for port 109 tries to find some
> servers running the pop2 daemon, which is vunerable. it is
> default enabled on several older linux distributions like
> for example redhat 5.2.
> the first one scans for Netbios Name Service, which is also
> vunerable afaik.
>
> You should check your servers for running pop2-daemons and
> disable or upgrade them!
>
>
> Martin J. Muench <muench () gmc-online de>