[Scottish] The yellow peril?
Colin Fraser
scottish at mailman.lug.org.uk
Thu Jul 24 13:54:02 2003
Hi,
Just found the following in /var/log/messages:
Jul 24 13:23:44 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC=
SRC=62.134.72.190 DST=213.122.60.116 LEN=288 TOS=0x00 PREC=0x00 TTL=114
ID=28413 PROTO=UDP SPT=4288 DPT=135 LEN=268
Jul 24 13:23:45 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC=
SRC=62.134.72.190 DST=213.122.60.116 LEN=108 TOS=0x00 PREC=0x00 TTL=114
ID=28699 PROTO=UDP SPT=4288 DPT=135 LEN=88
Jul 24 13:23:46 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC=
SRC=62.134.72.190 DST=213.122.60.116 LEN=108 TOS=0x00 PREC=0x00 TTL=114
ID=29034 PROTO=UDP SPT=4288 DPT=135 LEN=88
Jul 24 13:23:48 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC=
SRC=62.134.72.190 DST=213.122.60.116 LEN=108 TOS=0x00 PREC=0x00 TTL=114
ID=29679 PROTO=UDP SPT=4288 DPT=135 LEN=88
Jul 24 13:23:52 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC=
SRC=62.134.72.190 DST=213.122.60.116 LEN=108 TOS=0x00 PREC=0x00 TTL=114
ID=31031 PROTO=UDP SPT=4288 DPT=135 LEN=88
Jul 24 13:24:00 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC=
SRC=62.134.72.190 DST=213.122.60.116 LEN=108 TOS=0x00 PREC=0x00 TTL=114
ID=33632 PROTO=UDP SPT=4288 DPT=135 LEN=88
Jul 24 13:24:16 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC=
SRC=62.134.72.190 DST=213.122.60.116 LEN=116 TOS=0x00 PREC=0x00 TTL=114
ID=38734 PROTO=UDP SPT=4288 DPT=135 LEN=96
A whois shows that the source IP is registered to someone in the People's
Republic of China. Before I go off half-cocked on this one, Has anyone any
idea what it might be about? I've done a google and spotted a virus alert
about HLLP.4288 but can't find a description, other than that it affects .COM
and .EXE (another good reason for avoiding microdog!).
Of course, our friend in China might be a victim (if he's got the virus and
it's trying to contact other instances through the net).
Anyone got any idea of what's going on or suggestions on my next step?
Cheers,
Colin