port 135 scans

 
 
no body
Guest
Posts: n/a

 
      07-23-2003, 03:24 AM
I'm seeing a rash of behavior and want to see what you guys think.

I'm seeing a number of hits where the scanner first hits port 25 once then
135 repeatedly. Sometimes they hit port 80 first, and sometimes they
follow up on 443 after 135.

Any ideas why? I've never seen this particular pattern before. And I don't
(and haven't) run any service in the past on 135.

Thanks!


 
 
 
 
 
wsirjn@fclxgx.com.wz
Guest
Posts: n/a

 
      07-23-2003, 03:46 AM
|I'm seeing a number of hits where the scanner first hits port 25 once then
|135 repeatedly. Sometimes they hit port 80 first, and sometimes they
|follow up on 443 after 135.
|
|Any ideas why? I've never seen this particular pattern before. And I don't
|(and haven't) run any service in the past on 135.

Sure it's the same source IP for all those probes? 135, 443 and 80 are
generally due to viruses. 25 is less often seen, could be a virus or an
open relay scan.
--

 
 
no body
Guest
Posts: n/a

 
      07-23-2003, 02:00 PM
> Sure it's the same source IP for all those probes? 135, 443 and 80 are
> generally due to viruses. 25 is less often seen, could be a virus or an
> open relay scan.


Yes, same IP.

The only reason I'm seeing it is my firewall sends two types of email
reports to me. One report is when the first time that IP accesses my
system(s) it steps on a blocked port. I know automatically I can ignore
that report, the firewall has correctly blocked (and will continue to block)
that intruder.

The second report is when the first time the IP shows up it is on valid
ports, then for some reason it steps on a bad port. I don't ignore this
report. Sometimes the initial traffic is from my systems to that IP, then
later that IP sends something bogus to me. Sometimes it's as in this case,
that IP accesses a valid port on my side first (and just once), then steps
on 135 and gets blocked from that point forward.


 
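The two-report scheme described in the post above, sketched as an added example; it is not part of the original thread and is not the poster's firewall. The log format, the set of allowed ports, the report names and the rule that outbound traffic counts as valid first contact are all assumptions made for illustration, and the log lines are constructed.

```python
# Assumption: ports this hypothetical site serves; any other port is a "bad" port.
ALLOWED_PORTS = {25, 80, 443}

# Constructed sample log: "<timestamp> <direction> <remote-ip> <port>"
SAMPLE_LOG = """\
2003-07-23T03:01:10 IN 192.0.2.10 25
2003-07-23T03:01:12 IN 192.0.2.10 135
2003-07-23T03:01:13 IN 192.0.2.10 135
2003-07-23T03:01:15 IN 192.0.2.10 443
2003-07-23T03:02:00 IN 198.51.100.7 135
2003-07-23T03:02:01 IN 198.51.100.7 80
2003-07-23T03:03:00 OUT 203.0.113.5 80
2003-07-23T03:04:30 IN 203.0.113.5 135
2003-07-23T03:05:00 IN 192.0.2.99 80
"""

def classify(log_text, allowed=ALLOWED_PORTS):
    """Return {ip: summary} using the two report types described in the post."""
    state = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, direction, ip, port = line.split()
        port = int(port)
        s = state.setdefault(ip, {"first": None, "blocked": False,
                                  "ports": [], "after_block": 0})
        s["ports"].append(port)
        if s["blocked"]:                 # source is blocked "from that point forward"
            s["after_block"] += 1        # even hits on otherwise valid ports
            continue
        valid = direction == "OUT" or port in allowed
        if s["first"] is None:
            s["first"] = "valid" if valid else "bad"
        if not valid:
            s["blocked"] = True
    reports = {}
    for ip, s in state.items():
        if not s["blocked"]:
            kind = "no_report"
        elif s["first"] == "bad":
            kind = "blocked_on_first_contact"   # the report the poster ignores
        else:
            kind = "valid_then_bad_port"        # the report the poster reviews
        reports[ip] = {"report": kind, "ports": s["ports"], "after_block": s["after_block"]}
    return reports
```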
 
 
Robert Jirik
Guest
Posts: n/a

 
      07-23-2003, 10:07 PM
no body wrote:

> Yes, same IP.


I would give whois a try - there is usually an abuse-address ... At least in
my country the companies usually really care about these reports ...

--
Robert Jirik
[mailto:robert(at)aristoteles(dot)xhaven(dot)net]
public PGP key: http://xhaven.net/robert/pgp_key.asc
-
"The beauty of religious mania is that it has the power
to explain everything. Once God (or Satan) is accepted
as the first cause of everything which happens in the mortal world,
nothing is left to chance ...
logic can be happily tossed out the window"
-- Stephen King

 
 
Wojtek Walczak
Guest
Posts: n/a

 
      07-27-2003, 07:07 PM
On Wed, 23 Jul 2003 03:24:24 GMT, no body wrote:
> I'm seeing a rash of behavior and want to see what you guys think.

It's because of this: http://www.cert.org/advisories/CA-2003-16.html

--
[ Wojtek Walczak - gminick (at) underground.org.pl ]
[ <http://gminick.linuxsecurity.pl/> ]
[ "...various turns of phrase, dull with the patina of age." ]

 