Re: [SECURITY] [DSA 045-1] ntp remote root exploit fixed

53 is DNS. I get a lot of "probes" because I don't allow TCP connections
(it's a UDP protocol, although TCP is used for zone xfers which I don't
allow). Unless the same IP is hitting your port 53 repeatedly, it's
probably nothing to worry about.

To keep from being vulnerable to nasties such as the Lion worm, make sure
to upgrade your BIND to a version later than 8.2.2 (ie, 8.2.3 (non-beta)

111 is the SunRPC. Be sure that's blocked, although not all attempts at
that port are "scans" (unless, of course, it's hammering away or hitting an
entire block of addresses).

137 is NetBIOS and I write that off to someone using a PC (I see this on my
webserver all the time). Nothing to worry about.

The above is my personal opinion. YMMV.

At 01:31 PM 4/5/2001 -0500, Lindsey Simon wrote:
I've been wondering why I get so many probes on port 53, what's the
popular exploit on it?
JonesMB in message Re: [SECURITY] [DSA 045-1] ntp remote root exploit
fixed (Thu, 04/05 12:40):
> >>I guess we should expect a whole lot of attempts to connect to the ports
> >>used by NTP once the script kiddies figure this one out.
> >>I probably average about 20 connect attempts to ports 53 and 111
> >port 137 has also a good average.
> oh yeah, I forgot about that one, along with 27374.
To UNSUBSCRIBE, email to email@example.com
with a subject of "unsubscribe". Trouble? Contact firstname.lastname@example.org
Eric N. Valor
- This Space Intentionally Left Blank -
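
The triage rule from the reply above (one source hitting port 53 repeatedly, or working through a block of addresses on 111, deserves a look; isolated probes do not), as an added example that is not part of the original message. The iptables-style log lines are constructed, and the thresholds `REPEAT_HITS` and `SWEEP_HOSTS` are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict

# Ports discussed in the thread and the service behind each.
PORTS = {53: "DNS", 111: "SunRPC portmapper", 137: "NetBIOS name service"}

# Assumed thresholds (not from the thread).
REPEAT_HITS = 5   # same source, same port, same destination
SWEEP_HOSTS = 4   # same source, same port, distinct destinations

LINE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?\bDPT=(?P<dpt>\d+)")

def triage(lines):
    """Return {(src, port): verdict} for sources worth a second look."""
    hits = defaultdict(lambda: defaultdict(int))  # (src, port) -> dst -> count
    for line in lines:
        m = LINE.search(line)
        if not m or int(m["dpt"]) not in PORTS:
            continue
        hits[(m["src"], int(m["dpt"]))][m["dst"]] += 1
    verdicts = {}
    for key, per_dst in hits.items():
        if len(per_dst) >= SWEEP_HOSTS:
            verdicts[key] = "sweep"        # walking a block of addresses
        elif max(per_dst.values()) >= REPEAT_HITS:
            verdicts[key] = "repeated"     # hammering one host
    return verdicts

def sample_log():
    """Constructed firewall log using documentation address ranges only."""
    fmt = ("Apr  5 13:31:{s:02d} fw kernel: DROP IN=eth0 OUT= SRC={src} "
           "DST={dst} LEN=60 PROTO={proto} SPT=40000 DPT={dpt}")
    log = []
    # One source hammering TCP/53 on a single host.
    log += [fmt.format(s=i, src="203.0.113.7", dst="192.0.2.10",
                       proto="TCP", dpt=53) for i in range(6)]
    # One source walking a block of addresses on port 111.
    log += [fmt.format(s=10 + i, src="198.51.100.23", dst=f"192.0.2.{10 + i}",
                       proto="TCP", dpt=111) for i in range(5)]
    # Isolated probes: one TCP/53 attempt and one stray NetBIOS packet.
    log.append(fmt.format(s=30, src="203.0.113.99", dst="192.0.2.10",
                          proto="TCP", dpt=53))
    log.append(fmt.format(s=31, src="198.51.100.80", dst="192.0.2.10",
                          proto="UDP", dpt=137))
    return log

if __name__ == "__main__":
    for (src, port), verdict in sorted(triage(sample_log()).items()):
        print(f"{src} -> {port} ({PORTS[port]}): {verdict}")
```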