Linode Forum
https://forum.linode.com/

Connection attempts from another Linode?
https://forum.linode.com/viewtopic.php?f=19&t=2113

Author:  unixfool [ Wed Feb 22, 2006 12:52 am ]
Post subject:  Connection attempts from another Linode?

I installed a firewall with logging implemented tonight. When I did a cursory check of the logs, I saw an IP that looked very similar to my own Linode IP, and when I did a whois, it resolved to HE. I'll not post the IP.

The IP in question was trying to connect via port 135, which is related to epmap services (I'll look that up later).

I'm wondering if this is regular activity. Since I don't normally scrutinize traffic from/to my Linode beyond periodical tcpdumps, I'm a bit aloof here.

Author:  NecroBones [ Wed Feb 22, 2006 10:32 am ]
Post subject: 

Interesting. Port 135 is also associated with a Windows DCOM RPC exploit. The Blaster worm is an example of something that took advantage of it. Odd that you'd be seeing probes from a linode on that port.

Author:  unixfool [ Wed Feb 22, 2006 1:16 pm ]
Post subject: 

Yeah, I also thought this. Below is what I saw (but I'll X out my IP):

Feb 21 23:42:58 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=fe:fd:42:a0:8d:1e:00:b0:4a:6c:76:53:08:00 SRC=66.160.179.133 DST=XX.XXX.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=9883 DF PROTO=TCP SPT=1841 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0

Resolves to:

66.160.179.133

Blacklist Status: Clear
Record Type: IP Address
IP Location: United States - California - San Jose - Cooplabs Inc
Reverse IP: No websites hosted using this IP address
Reverse DNS: cust-66-160-179-133.static.pcwi.net


--------------------------------------------------------------------------------
Hurricane Electric HURRICANE-7 (NET-66-160-128-0-1)
66.160.128.0 - 66.160.207.255
Cooplabs Inc HURRICANE-CE1505-491 (NET-66-160-179-0-1)
66.160.179.0 - 66.160.179.255

I'm wondering if this is a non-Linode HE device.

Author:  pclissold [ Wed Feb 22, 2006 4:39 pm ]
Post subject: 

Cooplabs is an ISP based in San Jose, where HE has a large facility. The RDNS points to Pacific Coast Wireless Internet, whose coverage area is just south-east of San Jose. HE probably supply connectivity to these people.

Author:  unixfool [ Wed Feb 22, 2006 11:04 pm ]
Post subject: 

Feb 22 22:00:20 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:42:a0:8d:1e:00:b0:4a:6c:76:53:08:00 SRC=66.160.179.133 DST=XX.XXX.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=56908 DF PROTO=TCP SPT=4033 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0

Seeing port 445 traffic now. Of course, I blocked the IP not long ago.

pclissold, thanks for pointing out that this isn't some host at the HE facility.
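The two kernel lines quoted in this thread are standard iptables LOG output, and a quick parser makes it much easier to spot the pattern the poster noticed by eye: one source sending TCP SYNs to 135 and then 445. The following is an added example, not code from the thread or from Linode; it assumes the usual `key=value` netfilter LOG layout shown above, treats a bare `SYN` token without `ACK` as a connection attempt, and the watched-port table is an assumption chosen to match the ports discussed here. The sample log contains the thread's two lines plus two constructed lines (documentation-range addresses) so the filtering is visible.

```python
import re
from collections import Counter

# Standard netfilter LOG line: "<log prefix>: IN=... OUT=... SRC=... DPT=... SYN ..."
# The prefix runs from "kernel:" up to the colon that precedes "IN=" (assumption:
# the log prefix itself does not contain ": IN=").
PREFIX_RE = re.compile(r"kernel:\s*(?P<prefix>.*?):\s*(?=IN=)")

# Ports the thread is about (assumption: watch list chosen to match the posts).
WATCHED_TCP_PORTS = {135: "MSRPC endpoint mapper", 139: "NetBIOS session", 445: "SMB"}

# Sample log: lines 1 and 3 are the ones quoted in the thread (DST already masked
# by the poster); lines 2 and 4 are constructed to show non-matching traffic.
SAMPLE_LOG = [
    "Feb 21 23:42:58 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= "
    "MAC=fe:fd:42:a0:8d:1e:00:b0:4a:6c:76:53:08:00 SRC=66.160.179.133 DST=XX.XXX.XXX.XX "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=9883 DF PROTO=TCP SPT=1841 DPT=135 "
    "WINDOW=64240 RES=0x00 SYN URGP=0",
    # constructed: ordinary web request, port 80 is not on the watch list
    "Feb 22 08:10:01 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= "
    "MAC=fe:fd:42:a0:8d:1e:00:b0:4a:6c:76:53:08:00 SRC=198.51.100.7 DST=XX.XXX.XXX.XX "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=54 ID=1001 DF PROTO=TCP SPT=51000 DPT=80 "
    "WINDOW=65535 RES=0x00 SYN URGP=0",
    "Feb 22 22:00:20 starchild kernel: Blocked hosts violation: IN=eth0 OUT= "
    "MAC=fe:fd:42:a0:8d:1e:00:b0:4a:6c:76:53:08:00 SRC=66.160.179.133 DST=XX.XXX.XXX.XX "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=56908 DF PROTO=TCP SPT=4033 DPT=445 "
    "WINDOW=64240 RES=0x00 SYN URGP=0",
    # constructed: a mid-stream ACK to 445 is not a new connection attempt
    "Feb 22 22:00:21 starchild kernel: Blocked hosts violation: IN=eth0 OUT= "
    "MAC=fe:fd:42:a0:8d:1e:00:b0:4a:6c:76:53:08:00 SRC=203.0.113.9 DST=XX.XXX.XXX.XX "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=77 DF PROTO=TCP SPT=4100 DPT=445 "
    "WINDOW=64240 RES=0x00 ACK URGP=0",
]


def parse_netfilter_line(line):
    """Parse one iptables LOG line into a dict.

    key=value tokens become entries ("SRC", "DPT", ...); bare tokens such as
    DF, SYN or ACK are collected in the "flags" set; the log prefix is kept
    under "prefix". Returns None for lines that are not netfilter LOG output.
    """
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix").strip(), "flags": set()}
    for tok in line[m.end():].split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # OUT= yields an empty value, which is fine
            rec[key] = val
        else:
            rec["flags"].add(tok)
    return rec


def is_watched_probe(rec):
    """True for an inbound TCP SYN (without ACK) aimed at a watched port."""
    if rec.get("PROTO") != "TCP":
        return False
    if "SYN" not in rec["flags"] or "ACK" in rec["flags"]:
        return False
    try:
        return int(rec.get("DPT", "")) in WATCHED_TCP_PORTS
    except ValueError:
        return False


def summarize(lines):
    """Return {source_ip: Counter({port: hits})} for watched probes.

    Grouping by source makes a single host walking 135 then 445 stand out,
    which is exactly the progression the thread describes.
    """
    hits = {}
    for line in lines:
        rec = parse_netfilter_line(line)
        if rec and is_watched_probe(rec):
            hits.setdefault(rec.get("SRC", "?"), Counter())[int(rec["DPT"])] += 1
    return hits


if __name__ == "__main__":
    for src, ports in summarize(SAMPLE_LOG).items():
        detail = ", ".join(f"{p}/{WATCHED_TCP_PORTS[p]} x{n}" for p, n in sorted(ports.items()))
        print(f"{src}: {detail}")
```

Run against the sample it reports only 66.160.179.133, with one SYN each to 135 and 445; the port 80 line and the ACK-only line are dropped. To use it on a real box, feed it the kernel log (for example the lines from `/var/log/kern.log` or `journalctl -k`) instead of `SAMPLE_LOG`, and extend `WATCHED_TCP_PORTS` to whatever your firewall policy treats as never-expected inbound.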
