[Scottish] The yellow peril?

Neil McKillop scottish at mailman.lug.org.uk
Thu Jul 24 14:51:00 2003

On Thu, 2003-07-24 at 12:46, Colin Fraser wrote:
> Hi,
> Just found the following in /var/log/messages:
> Jul 24 13:23:44 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC= 
> SRC= DST= LEN=288 TOS=0x00 PREC=0x00 TTL=114 
> ID=28413 PROTO=UDP SPT=4288 DPT=135 LEN=268
> A whois shows that the source IP is registered to someone in the People's 
> Republic of China. Before I go off half-cocked on this one, Has anyone any 
> idea what it might be about? I've done a google and spotted a virus alert  
> about HLLP.4288 but can't find a description, other than that it affects .COM 
> and .EXE (another good reason for avoiding microdog!).
> Of course, our friend in China might be a victim (if he's got the virus and 
> it's trying to contact other instances through the net).
> Anyone got any idea of what's going on or suggestions on my next step?
> Cheers,
> Colin
I wouldn't worry about this Colin, my home system gets hundreds of these
a day, from about 30-50 different IPs.  Best guess: port 135 is one of
the ports that some script kiddie is checking for vulnerabilities. 
Since this is showing up in your logs as a dropped packet, you've
nothing to worry about, your firewall is doing its job.

Regarding a next step, I wouldn't bother doing anything unless you're
having regular or multiple problems from this address - it's generally a
waste of time.
I don't expect you'll see this IP again, most script kiddies obtain
lists of the IPs allocated to residential broadband subscribers and
concentrating on scanning these home machines, subnet by subnet.

As you said, it is possible that this IP is a victim, who is being used
to scan for additional vulnerable hosts however, I wouldn't bother
trying to help here either - 'cause I'm just lazy and a cynic.  You'll
have to contact the ISP, voice your suspicions and ask them to get in
touch with their subscriber.  Forgoing any communication problems you
might have with a Chinese ISP, they might opt to do absolutely nothing,
and if you choose to do this for all the incoming scans you receive it
will eat into quite a bit of your time.


FYI, from iss.net:

Port 135 loc-srv/epmap

Microsoft DCE Locator service aka. end-point mapper.  It works like Sun
RPC portmapper, except that end-points can also be named pipes. 
Microsoft relies upon DCE RPC to remotely manage services.  Some
services that use port 135 of end-point mapping are:
- DHCP server
- DNS server
- WINS server