Subject: Re: Newbie: what does this mean?
From: Tyrone Mills (TMills TOTAL-CARE.COM)
Date: Thu Oct 12 2000 - 20:18:18 CDT
- Next message: Chris Jones: "Re: I've been hit with ksyslogd"
- Previous message: Infrastructure Dept.: "Re: I've been hit with ksyslogd"
- Maybe in reply to: < exter >: "Newbie: what does this mean?"
- Next in thread: Jan Muenther: "Re: Newbie: what does this mean?"
- Maybe reply: Tyrone Mills: "Re: Newbie: what does this mean?"
Port 139 is Netbios. What you've probably got there is a Windows user with
Netbios enabled over TCP/IP. It could be something worse than that. If
you're running IPChains, simply REJECT the traffic on the INPUT chain
(OUTPUT too if you run any Windows boxen internally) and don't bother
logging it. Most ISPs will restrict communication between clients on the
same subnet, so you'd have to manually enter an ARP record to hit someone on
your subnet. You didn't mention if the connection came from the same subnet
as you or not. If it did, perhaps someone is trying to connect to you (or
your ISP isn't filtering that type of traffic, ask them); if it didn't, I'd
tend to say it's harmless noise being broadcast by an incorrectly configured
Windows machine on a Cable Modem and the person on the other end would
probably welcome being informed that they are wide open.
-----Original Message-----
From: < exter > [mailto:exter WANADOO.ES]
Sent: Thursday, October 12, 2000 12:41 PM
To: FOCUS-LINUX SECURITYFOCUS.COM
Subject: Newbie: what does this mean?
I find this in my syslogs every day.
At first I thought it was some kind of attempt to intrude in my system.
Oct 12 20:15:33 endymion tcplogd: netbios-ssn connection attempt from
usuario1-NN-NNN-NN.dialup.xxx.es [xx.xxx.xxx.xxx]
I changed the IP and the domain name with NNN and xxx: even potential
transgressors have their rights.
It is a dynamic IP. The attempts were all made from inside of my ISP,
except for one, which could nevertheless have come from a subnet of my ISP.
I scanned the address and found only the netbios-ssn port 139 open.
I guess that netbios-ssn is a communication port for samba, I also know
that there is a Linux port of the BO client running probably on,
but I have got only one complaint from fakebo, which I scanned and was a
harmless Win box with lots of open ports.
Do you think somebody (a bot perhaps) took me for a Win box with a BO
client or could it be something more innocent?
__/ F \/ T F |] \__
\ L /\ | L |\ /
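
The same-subnet question raised in the reply above, as an added example that is not part of the original thread: a Python script that tallies tcplogd netbios-ssn entries per source address and marks whether each source lies inside the local subnet. The line shape follows the entry quoted in the original message; the hostnames, addresses and the 192.0.2.0/24 local subnet are constructed, and treating the hostname as optional is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Line shape taken from the entry quoted in the original message:
# "<date> <host> tcplogd: <service> connection attempt from <name> [<ip>]"
# Assumption: the reverse-DNS name may be missing when the lookup fails.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+tcplogd:\s+"
    r"(?P<service>\S+) connection attempt from\s+"
    r"(?:(?P<name>\S+)\s+)?\[(?P<ip>[0-9.]+)\]"
)

def parse(line):
    """Return a dict for a tcplogd entry, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:  # bracketed field is not a valid IPv4 address
        return None
    return {"ts": m["ts"], "service": m["service"], "name": m["name"], "ip": ip}

def summarize(lines, local_net, service="netbios-ssn"):
    """Count attempts per (source IP, scope); scope is relative to local_net."""
    net = ipaddress.ip_network(local_net)
    counts = Counter()
    for line in lines:
        rec = parse(line)
        if rec and rec["service"] == service:
            scope = "same-subnet" if rec["ip"] in net else "other"
            counts[(str(rec["ip"]), scope)] += 1
    return counts

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE = [
    "Oct 12 20:15:33 endymion tcplogd: netbios-ssn connection attempt from host7.dialup.example.net [192.0.2.7]",
    "Oct 12 20:19:02 endymion tcplogd: netbios-ssn connection attempt from host7.dialup.example.net [192.0.2.7]",
    "Oct 12 21:40:11 endymion tcplogd: netbios-ssn connection attempt from [198.51.100.23]",
    "Oct 12 21:41:00 endymion tcplogd: telnet connection attempt from host9.example.net [192.0.2.9]",
    "Oct 12 21:42:00 endymion kernel: unrelated message",
]

if __name__ == "__main__":
    for (ip, scope), n in summarize(SAMPLE, "192.0.2.0/24").most_common():
        print(f"{ip:<16} {scope:<12} {n}")
```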