53 is DNS. I get a lot of "probes" because I don't allow TCP connections (it's a UDP protocol, although TCP is used for zone xfers which I don't allow). Unless the same IP is hitting your port 53 repeatedly, it's probably nothing to worry about.
To keep from being vulnerable to nasties such as the Lion worm, make sure to upgrade your BIND to a version later than 8.2.2 (ie, 8.2.3 (non-beta) and above).
111 is the SunRPC. Be sure that's blocked, although not all attempts at that port are "scans" (unless, of course, it's hammering away or hitting an entire block of addresses).
137 is NetBIOS and I write that off to someone using a PC (I see this on my webserver all the time). Nothing to worry about.
The above is my personal opinion. YMMV. At 01:31 PM 4/5/2001 -0500, Lindsey Simon wrote:
I've been wondering why I get so many probes on port 53, what's the popular exploit on it?JonesMB in message Re: [SECURITY] [DSA 045-1] ntp remote root exploit fixed (Thu, 04/05 12:40):> >>I guess we should expect a whole lot of attempts to connect to the ports > >>used by NTP once the script kiddies figure this one out. > >>> >>I probably average about 20 connect attempts to ports 53 and 111 every day.> > > >port 137 has also a good average. > > oh yeah, I forgot about that one, along with 27374. > > jmb > > > -- > To UNSUBSCRIBE, email to debian-security-request@lists.debian.org> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org-- To UNSUBSCRIBE, email to debian-security-request@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
-- Eric N. Valor Webmeister/Inetservices Lutris Technologies eric.valor@lutris.com - This Space Intentionally Left Blank -