Linode Community Forums
Posted: Wed Feb 22, 2006 12:52 am
Senior Member
Joined: Thu Apr 08, 2004 3:24 pm
Posts: 92
ICQ: 3765104
Website: http://www.unixfool.com
Yahoo Messenger: wigglit2001@yahoo.com
Location: VA
I installed a firewall with logging implemented tonight. When I did a cursory check of the logs, I saw an IP that looked very similar to my own Linode IP, and when I did a whois, it resolved to HE. I'll not post the IP.

The IP in question was trying to connect via port 135, which is related to epmap services (I'll look that up later).

I'm wondering if this is regular activity. Since I don't normally scrutinize traffic from/to my Linode beyond periodical tcpdumps, I'm a bit aloof here.

Posted: Wed Feb 22, 2006 10:32 am
Senior Member
Joined: Wed Mar 17, 2004 12:35 am
Posts: 118
Website: http://www.necrobones.com/
Location: Sterling, VA
Interesting. Port 135 is also associated with a Windows DCOM RPC exploit. The Blaster worm is an example of something that took advantage of it. Odd that you'd be seeing probes from a Linode on that port.

_________________
----
Ed/Bones.


Posted: Wed Feb 22, 2006 1:16 pm
Senior Member
Joined: Thu Apr 08, 2004 3:24 pm
Posts: 92
ICQ: 3765104
Website: http://www.unixfool.com
Yahoo Messenger: wigglit2001@yahoo.com
Location: VA
Yeah, I also thought this. Below is what I saw (but I'll X out my IP):

Feb 21 23:42:58 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=fe:fd:42:a0:8d:1e:00:b0:4a:6c:76:53:08:00 SRC=66.160.179.133 DST=XX.XXX.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=9883 DF PROTO=TCP SPT=1841 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0

Resolves to:

66.160.179.133

Blacklist Status: Clear
Record Type: IP Address
IP Location: United States - California - San Jose - Cooplabs Inc
Reverse IP: No websites hosted using this IP address
Reverse DNS: cust-66-160-179-133.static.pcwi.net


--------------------------------------------------------------------------------
Hurricane Electric HURRICANE-7 (NET-66-160-128-0-1)
66.160.128.0 - 66.160.207.255
Cooplabs Inc HURRICANE-CE1505-491 (NET-66-160-179-0-1)
66.160.179.0 - 66.160.179.255

I'm wondering if this is a non-Linode HE device.


Posted: Wed Feb 22, 2006 4:39 pm
Senior Member
Joined: Fri Oct 24, 2003 3:51 pm
Posts: 965
Location: Netherlands
Cooplabs is an ISP based in San Jose, where HE has a large facility. The RDNS points to Pacific Coast Wireless Internet, whose coverage area is just south-east of San Jose. HE probably supply connectivity to these people.

_________________
/ Peter


Posted: Wed Feb 22, 2006 11:04 pm
Senior Member
Joined: Thu Apr 08, 2004 3:24 pm
Posts: 92
ICQ: 3765104
Website: http://www.unixfool.com
Yahoo Messenger: wigglit2001@yahoo.com
Location: VA
Feb 22 22:00:20 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:42:a0:8d:1e:00:b0:4a:6c:76:53:08:00 SRC=66.160.179.133 DST=XX.XXX.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=56908 DF PROTO=TCP SPT=4033 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0

Seeing port 445 traffic now. Of course, I blocked the IP not long ago.

pclissold, thanks for pointing out that this isn't some host at the HE facility.
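The two kernel log lines quoted in this thread (the port 135 and the port 445 SYNs) are in the key=value format written by the netfilter/iptables LOG target, with the free text before `IN=` being the rule's `--log-prefix`. The script below is an added example, not code from the original posts: it parses that format, groups probes per source address, flags destination ports that belong to Windows RPC/NetBIOS/SMB services (135, 137, 138, 139, 445), and estimates the sender's initial TTL (a TTL of 122 as seen above is consistent with a Windows default of 128 minus a few hops, which fits the worm theory raised earlier in the thread). The sample lines, hostnames and addresses are constructed (documentation ranges 192.0.2.0/24 and 198.51.100.0/24), and the port table and TTL heuristic are the example's own assumptions rather than anything the thread states.

```python
import re
from collections import defaultdict

# Constructed sample lines in the netfilter LOG format quoted in the thread.
# Timestamps, hostname, MACs and addresses are made up; they are not real hosts.
SAMPLE_LOG = """\
Feb 21 23:42:58 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=fe:fd:00:00:00:01:00:00:00:00:00:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=9883 DF PROTO=TCP SPT=1841 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 22 22:00:20 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:00:00:00:01:00:00:00:00:00:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=56908 DF PROTO=TCP SPT=4033 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 22 22:01:02 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=fe:fd:00:00:00:01:00:00:00:00:00:02:08:00 SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Feb 22 22:01:30 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=fe:fd:00:00:00:01:00:00:00:00:00:02:08:00 SRC=192.0.2.10 DST=198.51.100.5 LEN=36 TOS=0x00 PREC=0x00 TTL=122 ID=2 PROTO=UDP SPT=1026 DPT=137 LEN=16
"""

# Assumed mapping of well-known Windows RPC/NetBIOS/SMB ports to service names.
WINDOWS_RPC_SMB_PORTS = {
    135: "MS RPC endpoint mapper (epmap)",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP",
}

# syslog timestamp, host, "kernel:", free-text --log-prefix, then the IN=... fields.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"(?P<prefix>.*?)(?P<fields>IN=.*)$"
)


def parse_line(line):
    """Parse one netfilter LOG line into a dict, or return None if it is not one."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields, flags = {}, []
    for tok in m.group("fields").split():
        key, eq, value = tok.partition("=")
        if eq:
            # setdefault keeps the first LEN= (IP header), not the second UDP LEN=.
            fields.setdefault(key, value)
        else:
            flags.append(tok)  # bare tokens: DF, SYN, ACK, FIN, RST, PSH, URG
    as_int = lambda k: int(fields[k]) if k in fields else None
    return {
        "ts": m.group("ts"),
        "host": m.group("host"),
        "prefix": m.group("prefix").strip(),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "spt": as_int("SPT"),
        "dpt": as_int("DPT"),
        "ttl": as_int("TTL"),
        "syn_only": "SYN" in flags and "ACK" not in flags,  # a fresh connection attempt
    }


def guess_initial_ttl(ttl):
    """Heuristic only: common initial TTLs are 64 (Linux/BSD), 128 (Windows) and
    255 (some network gear); pick the smallest one at or above the observed value."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial
    return None


def summarize(lines):
    """Per source address: distinct (proto, dport) pairs, number of SYN-only probes,
    the subset of ports that are Windows RPC/SMB services, and the likely initial TTL."""
    by_src = defaultdict(lambda: {"ports": set(), "syn_probes": 0, "ttls": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src"] is None:
            continue
        entry = by_src[rec["src"]]
        entry["ports"].add((rec["proto"], rec["dpt"]))
        if rec["ttl"] is not None:
            entry["ttls"].add(rec["ttl"])
        if rec["syn_only"]:
            entry["syn_probes"] += 1
    return {
        src: {
            "ports": sorted(e["ports"], key=lambda p: (p[0] or "", p[1] or 0)),
            "syn_probes": e["syn_probes"],
            "windows_ports": sorted(d for _, d in e["ports"] if d in WINDOWS_RPC_SMB_PORTS),
            "likely_initial_ttl": {guess_initial_ttl(t) for t in e["ttls"]},
        }
        for src, e in by_src.items()
    }


def flag_windows_probes(summary):
    """Sources that touched at least one Windows RPC/NetBIOS/SMB port, sorted."""
    return sorted(src for src, e in summary.items() if e["windows_ports"])


if __name__ == "__main__":
    import sys
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG.splitlines()
    report = summarize(lines)
    for src in flag_windows_probes(report):
        e = report[src]
        names = ", ".join(f"{p} ({WINDOWS_RPC_SMB_PORTS[p]})" for p in e["windows_ports"])
        print(f"{src}: {e['syn_probes']} SYN probe(s), Windows ports hit: {names}; "
              f"likely initial TTL {sorted(e['likely_initial_ttl'])}")
```

Run it with no input to see the report for the constructed sample, or pipe real lines into it (for example `grep 'kernel:' /var/log/messages | python3 probes.py`, assuming the script is saved under that name). Sources that only hit ports like 22 are left out of the report; the point is to separate routine noise from hosts sweeping the Windows RPC/SMB ports, which in a 2006 log is the signature of an infected machine rather than a targeted attacker.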

