
Re: OT: port scan



Lo, on Tuesday, November 28, Damian Menscher did write:

> On Tue, 28 Nov 2000, Pollywog wrote:
> > On Tue, 28 Nov 2000 14:40:09 -0200 (EDT), Mario Olimpio de Menezes said:
> > 
> > >  	One computer where I have Debian installed was scanned
> > >  recently. Someone probed several ports (~20), maybe trying to determine
> > >  the running OS (something like nmap does).
> > >  	Do you think this *IS* an attack? I mean, should I report this
> > >  as *AN* attack?
> > 
> > If someone scans several ports, I usually do report it to their ISP,
> > sending them log excerpts that include the time they occurred and also my
> > time zone as reported by my computer.  The ISP would probably warn the
> > customer and even terminate the customer's account if they believe the
> > customer was up to no good.
> > 
> > I usually do not report attempts to connect to single ports.
> 
> You might want to keep in mind that scans of all ports are often just
> general curiosity about what kind of stuff a computer is being used for,
> while scans of a single port (on every machine in your subnet) are often
> someone looking for a machine vulnerable to a *particular* exploit.  So
> I'd say don't ignore the single-port scans.  They are as (or more)
> serious.

Well, they can be.  Connections to TCP ports 137, 138, and 139 are part of
Windows file- and printer-sharing.  I don't know all that much about how
SMB works, but I'm fairly sure there are broadcasts to these ports
involved, primarily in setting up the Network Neighborhood.

So, if you happen to be on a network (like, say, a cable modem local loop)
with some Windows PCs that have file/print sharing turned on, these may not
represent a security problem.  (Well, for *you*, anyway.)

Richard
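
The distinctions drawn in this thread (many ports on one host, one port across many hosts, NetBIOS traffic from neighbours on the same segment) can be applied to a firewall log as below; this is an added example, not part of the original message. The log format, thresholds, verdict names and addresses are assumptions made for illustration, and matching is on port number only.

```python
import ipaddress
from collections import defaultdict

NETBIOS_PORTS = {137, 138, 139}                    # ports named in the message above
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")   # assumed local segment
PORT_THRESHOLD = 10   # assumed: this many ports on one host = multi-port scan
HOST_THRESHOLD = 3    # assumed: one port on this many hosts = single-port sweep

# Constructed sample log, one "time source destination dest_port" entry per line.
SAMPLE_LOG = "\n".join(
    [f"12:00:{i:02d} 198.51.100.7 192.0.2.10 {p}" for i, p in enumerate(range(20, 40))]
    + [f"12:05:{i:02d} 203.0.113.9 192.0.2.{10 + i} 21" for i in range(5)]
    + ["12:10:00 192.0.2.55 192.0.2.255 137",
       "12:10:01 192.0.2.55 192.0.2.255 138",
       "12:30:00 198.51.100.200 192.0.2.10 25"]
)

def classify(log_text):
    """Return {source_ip: verdict} for every source seen in the log."""
    ports_by_pair = defaultdict(set)   # (src, dst)  -> ports probed on that host
    hosts_by_port = defaultdict(set)   # (src, port) -> hosts probed on that port
    ports_by_src = defaultdict(set)    # src         -> every port it touched
    for line in log_text.strip().splitlines():
        _time, src, dst, dport = line.split()
        port = int(dport)
        ports_by_pair[(src, dst)].add(port)
        hosts_by_port[(src, port)].add(dst)
        ports_by_src[src].add(port)

    verdicts = {}
    for src, ports in ports_by_src.items():
        most_ports = max(len(p) for (s, _), p in ports_by_pair.items() if s == src)
        most_hosts = max(len(h) for (s, _), h in hosts_by_port.items() if s == src)
        if ipaddress.ip_address(src) in LOCAL_NET and ports <= NETBIOS_PORTS:
            verdicts[src] = "netbios-local"       # neighbour's file/print sharing
        elif most_ports >= PORT_THRESHOLD:
            verdicts[src] = "multi-port-scan"     # many ports on one machine
        elif most_hosts >= HOST_THRESHOLD:
            verdicts[src] = "single-port-sweep"   # one port on many machines
        else:
            verdicts[src] = "isolated"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify(SAMPLE_LOG).items():
        print(f"{src:16} {verdict}")
```

A source outside the local segment that touches port 139 on several hosts is still reported as a single-port sweep; only same-segment sources are treated as sharing chatter.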


