[TriLUG] are these port scanners?
Joseph Mack NA3T
jmack at wm7d.net
Sun May 13 10:31:43 EDT 2012
Now that I've written my own firewall rules, I LOG all
dropped packets and am looking at them to see if there's
anything interesting. I'm being overwhelmed by dropped
packets and there's not much hope of me seeing anything I
should take notice of (like a persistent machine attempting
to penetrate). I'm getting packets like these from a high
port to a high port about every 2 secs.
May 13 14:19:21 routera kernel: firewall logdrop: IN=eth2 OUT= MAC=00:a0:24:5e:0b:7d:00:90:1a:41:1b:55:08:00 SRC=190.135.50.221 DST=50.55.129.200 LEN=58 TOS=0x00 PREC=0x00 TTL=49 ID=23 PROTO=UDP SPT=39114 DPT=47518 LEN=38
Most often the SRC host doesn't resolve to a hostname. This
packet above, from Uruguay, does.
root at routera:/var/log# host 190.135.50.221
221.50.135.190.in-addr.arpa domain name pointer r190-135-50-221.dialup.adsl.anteldata.net.uy.
Are these machines just scanning all my high ports? Why? Just
to see if they get a reply?
Joe
--
Joseph Mack NA3T EME(B,D), FM05lw North Carolina
jmack (at) wm7d (dot) net - azimuthal equidistant map
generator at http://www.wm7d.net/azproj.shtml
Homepage http://www.austintek.com/ It's GNU/Linux!
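The problem in the post is volume: one logdrop line every couple of seconds buries the few sources worth looking at. The script below is an added example (not part of the original post or Joe's firewall) that parses netfilter LOG lines in the format shown above, sets aside the high-port-to-high-port UDP traffic, and groups the rest by source address so a host hammering one port or walking many ports stands out. The sample log is constructed for illustration (only the first line is the one quoted in the post; the other addresses are RFC 5737 documentation ranges), and the thresholds in classify() are assumptions, not anything the post states.

```python
import re
from collections import defaultdict

# Constructed sample input: the first line is the one quoted in the post,
# the rest are made up in the same netfilter LOG format for illustration.
_MAC = "00:a0:24:5e:0b:7d:00:90:1a:41:1b:55:08:00"
_PFX = "May 13 14:19:2%d routera kernel: firewall logdrop: IN=eth2 OUT= MAC=" + _MAC
_TCP = " SRC=%s DST=50.55.129.200 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=%d DPT=%d WINDOW=5840 RES=0x00 SYN URGP=0"
SAMPLE_LOG = "\n".join(
    [_PFX % 1 + " SRC=190.135.50.221 DST=50.55.129.200 LEN=58 TOS=0x00 PREC=0x00 TTL=49 ID=23 PROTO=UDP SPT=39114 DPT=47518 LEN=38",
     _PFX % 3 + " SRC=198.51.100.9 DST=50.55.129.200 LEN=58 TOS=0x00 PREC=0x00 TTL=52 ID=7 PROTO=UDP SPT=50001 DPT=40000 LEN=38"]
    + [_PFX % 4 + _TCP % ("203.0.113.7", 54321, 22)] * 3          # same host, same port, repeated
    + [_PFX % 5 + _TCP % ("192.0.2.44", 40000 + p, p) for p in (21, 22, 23, 25, 80)]  # one host, many ports
    + [_PFX % 6 + _TCP % ("198.51.100.200", 61000, 3389)]        # single stray packet
)

# KEY=VALUE fields of a LOG line.  Bare flags (DF, SYN) carry no '=' and are
# skipped; LEN appears twice (IP header, then UDP/TCP), so the first one wins.
_FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_logdrop(line, tag="logdrop:"):
    """Return the fields of one LOG line as a dict, or None if it is not one."""
    if tag not in line:
        return None
    fields = {}
    for key, value in _FIELD.findall(line.split(tag, 1)[1]):
        fields.setdefault(key, value)
    for key in ("SPT", "DPT"):              # ports exist only for TCP/UDP
        if fields.get(key, "").isdigit():
            fields[key] = int(fields[key])
    return fields

def is_high_port_udp(fields):
    """UDP from an ephemeral port to an ephemeral port: the every-2-seconds
    packets the post describes."""
    return (fields.get("PROTO") == "UDP"
            and fields.get("SPT", 0) > 1023
            and fields.get("DPT", 0) > 1023)

def summarize(lines):
    """Group drops by SRC: {src: {"hits": n, "dports": set(), "protos": set()}}."""
    per_src = defaultdict(lambda: {"hits": 0, "dports": set(), "protos": set()})
    for line in lines:
        f = parse_logdrop(line)
        if f is None or "SRC" not in f:
            continue
        entry = per_src[f["SRC"]]
        entry["hits"] += 1
        entry["protos"].add(f.get("PROTO"))
        if "DPT" in f:
            entry["dports"].add(f["DPT"])
    return dict(per_src)

def classify(entry, scan_ports=5, persist_hits=3):
    """Heuristic labels; the thresholds are assumptions for illustration.
    Many distinct DPTs from one SRC reads as a scan, repeated hits on a few
    ports as a persistent probe, anything else as noise."""
    if len(entry["dports"]) >= scan_ports:
        return "scan"
    if entry["hits"] >= persist_hits:
        return "persistent"
    return "noise"

def report(log_text):
    """Count the high-port UDP lines separately, classify every other source."""
    noise, rest = 0, []
    for line in log_text.splitlines():
        f = parse_logdrop(line)
        if f is None:
            continue
        if is_high_port_udp(f):
            noise += 1
        else:
            rest.append(line)
    summary = summarize(rest)
    return {"high_port_udp": noise,
            "sources": {src: (classify(e), e["hits"], sorted(e["dports"]))
                        for src, e in summary.items()}}

if __name__ == "__main__":
    r = report(SAMPLE_LOG)
    print("high-port UDP drops set aside:", r["high_port_udp"])
    for src, (label, hits, dports) in sorted(r["sources"].items()):
        print(f"{src:16} {label:10} hits={hits} dports={dports}")
```

Pointing this at /var/log/messages (or the logdrop lines grepped out of it) gives a per-source table instead of a stream; the high-port UDP count goes in one bucket, and the two shapes worth a second look (one host repeating on one port, one host touching many ports) are labelled. Whether the high-port UDP packets are scans is the question the post asks; this code only separates them from the rest so the rest becomes readable.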