Can of Worms
Hi
I'm not an ISP but I keep getting this kind of activity on my modem:
+--------------------------+
omni:~# tcpdump -i ppp0 | grep unreachable
tcpdump: listening on ppp0
07:48:29.447038 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133
tcp port 135 unreachable [tos 0xc0]
07:48:29.459207 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133
tcp port 1025 unreachable [tos 0xc0]
07:48:29.479183 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133
tcp port 445 unreachable [tos 0xc0]
07:48:32.669674 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133
tcp port 445 unreachable [tos 0xc0]
07:48:32.687687 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133
tcp port 1025 unreachable [tos 0xc0]
07:48:32.709139 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133
tcp port 135 unreachable [tos 0xc0]
07:48:38.469164 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133
tcp port 445 unreachable [tos 0xc0]
07:48:38.499919 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133
tcp port 1025 unreachable [tos 0xc0]
07:48:38.500154 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133
tcp port 135 unreachable [tos 0xc0]
+--------------------------+
Omni is my Debian (Woody, 2.2.20, ipchains TrinityOS firewall) gateway for
my NATed LAN.
I realise I can save bandwidth by ignoring incoming requests, but there
aren't that many and it's a convenient method of watching worm
activity; mostly I add from within my own dialup pool.
Was curious as to the list's thoughts on some method of email
notification back to the IP doing the worm-like port scanning?
I assume that the compromised machine's owner is basically clueless as
to what is going on. All well and true, some tool like AntiVir could be
utilized and another user brought a bit more up to lightspeed...
Ross
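An added example (not from the post above) of the detection side of the question: it parses the ICMP port-unreachable lines in the capture, works out which peer is actually doing the probing, and summarises the sweep per source so a notification could be based on something more than a single packet. The sample is re-typed from the capture; the port set {135, 445, 1025} is taken from it; the one assumption worth stating is that a peer that hits all three of those ports is treated as "worm-like".

```python
import re
from collections import defaultdict

# Constructed sample: records re-typed from the capture in the post. The
# mail client wrapped each record onto two lines; the regex below tolerates
# both the wrapped and the one-line tcpdump form.
SAMPLE = """\
07:48:29.447038 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133
tcp port 135 unreachable [tos 0xc0]
07:48:29.459207 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133
tcp port 1025 unreachable [tos 0xc0]
07:48:29.479183 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133
tcp port 445 unreachable [tos 0xc0]
07:48:32.669674 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133
tcp port 445 unreachable [tos 0xc0]
"""

# Ports the capture shows being probed. Assumption: one peer touching all of
# them is the sweep pattern worth reporting, not a single stray connection.
WORM_PORTS = {135, 445, 1025}

RECORD = re.compile(
    r"(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<src>[\d.]+) > (?P<dst>[\d.]+): icmp: "
    r"(?P<orig>[\d.]+)\s+tcp port (?P<port>\d+) unreachable")

def parse_unreachables(text):
    """Yield (prober, probed_host, port, timestamp) per record.
    In an ICMP port-unreachable the ICMP *source* (src) is the host that
    rejected the probe (here the firewall) and the ICMP *destination* (dst)
    is the host that sent the probe, so the scanner is dst, not src."""
    for m in RECORD.finditer(text):
        yield m["dst"], m["orig"], int(m["port"]), m["ts"]

def summarise(text, ports=WORM_PORTS):
    """Aggregate per probing host: sorted ports seen, hit count, first and
    last timestamp, and whether the full worm port set was covered."""
    seen = defaultdict(lambda: {"ports": set(), "hits": 0, "first": None, "last": None})
    for prober, _probed, port, ts in parse_unreachables(text):
        rec = seen[prober]
        rec["ports"].add(port)
        rec["hits"] += 1
        rec["first"] = rec["first"] or ts
        rec["last"] = ts
    return {ip: {**r, "ports": sorted(r["ports"]), "worm_like": ports <= r["ports"]}
            for ip, r in seen.items()}

if __name__ == "__main__":
    for ip, rec in summarise(SAMPLE).items():
        print(ip, rec)
```

The summary keyed on the probing host (not on the firewall that emitted the unreachables) is what an abuse contact or pool operator would need; note that "tos 0xc0" on every line is just the firewall's own ICMP marking and carries no information about the scanner.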