Security Incidents mailing list archives

(2) Port 98 scans


From: Mike Lewinski <mike () ROCKYNET COM>
Date: Tue, 19 Sep 2000 21:33:19 -0600

Snort picked up a scan on port 98 across our company's netblock, which I
remembered was Linuxconf from a thread here recently. I notified the ARIN
contact for the netblock, but my mail bounced. In such situations I always
take care that I'm not sending a message to a possibly compromised host (in
this case it was a registered nameserver so I was doubly careful).

Now the odd part is that the very same host hit my home IP address on the
same port just an hour after I sent my first report. I'm using a very
different provider on a different IP scheme, so it's hard to believe this
was coincidence. I looked at the headers of the original bounce and it made
it to the right place, but was returned due to an internal loop.

I'm really wondering if I tipped off the intruders somehow and they saw my
home IP in the header of the message I sent, but I really don't see how. I
did follow up with UUnet security, and haven't yet gotten a bounce back from
postmaster@[ip-of-broken-MTA] when I forwarded to that addy...

Mike

