[Scottish] The yellow peril?

Colin Fraser scottish at mailman.lug.org.uk
Thu Jul 24 15:30:00 2003

Thanks Neil, and Paul.

Much as I expected, 'tho it's interesting the number of scans I'm getting from 
Eastern Europe as well (I might follow up the one from Lerwick, just out of 

Nice to see the firewall seems to be working!

By the way, does anyone know any analysis tools I might use to analyse 
/var/log/messages to see what's going on? It's a pain trying to check the 
services and protocol files each time to work it out.

Cheers all,

On Thursday 24 July 2003 2:38 pm, Neil McKillop wrote:
> On Thu, 2003-07-24 at 12:46, Colin Fraser wrote:
> > Hi,
> >
> > Just found the following in /var/log/messages:
> >
> > Jul 24 13:23:44 elgin kernel: SuSE-FW-DROP-DEFAULT IN=ippp1 OUT= MAC=
> > SRC= DST= LEN=288 TOS=0x00 PREC=0x00 TTL=114
> > ID=28413 PROTO=UDP SPT=4288 DPT=135 LEN=268
> *SNIP*
> > A whois shows that the source IP is registered to someone in the People's
> > Republic of China. Before I go off half-cocked on this one, Has anyone
> > any idea what it might be about? I've done a google and spotted a virus
> > alert about HLLP.4288 but can't find a description, other than that it
> > affects .COM and .EXE (another good reason for avoiding microdog!).
> >
> > Of course, our friend in China might be a victim (if he's got the virus
> > and it's trying to contact other instances through the net).
> >
> > Anyone got any idea of what's going on or suggestions on my next step?
> >
> > Cheers,
> >
> > Colin
> I wouldn't worry about this Colin, my home system gets hundreds of these
> a day, from about 30-50 different IPs.  Best guess: port 135 is one of
> the ports that some script kiddie is checking for vulnerabilities.
> Since this is showing up in your logs as a dropped packet, you've
> nothing to worry about, your firewall is doing its job.
> Regarding a next step, I wouldn't bother doing anything unless you're
> having regular or multiple problems from this address - it's generally a
> waste of time.
> I don't expect you'll see this IP again, most script kiddies obtain
> lists of the IPs allocated to residential broadband subscribers and
> concentrating on scanning these home machines, subnet by subnet.
> As you said, it is possible that this IP is a victim, who is being used
> to scan for additional vulnerable hosts however, I wouldn't bother
> trying to help here either - 'cause I'm just lazy and a cynic.  You'll
> have to contact the ISP, voice your suspicions and ask them to get in
> touch with their subscriber.  Forgoing any communication problems you
> might have with a Chinese ISP, they might opt to do absolutely nothing,
> and if you choose to do this for all the incoming scans you receive it
> will eat into quite a bit of your time.
> Neil.
> FYI, from iss.net:
> Port 135 loc-srv/epmap
> Microsoft DCE Locator service aka. end-point mapper.  It works like Sun
> RPC portmapper, except that end-points can also be named pipes.
> Microsoft relies upon DCE RPC to remotely manage services.  Some
> services that use port 135 of end-point mapping are:
> - DHCP server
> - DNS server
> - WINS server
> _______________________________________________
> Scottish mailing list
> Scottish@mailman.lug.org.uk
> http://mailman.lug.org.uk/mailman/listinfo/scottish


NairnFusion Ltd. 

This message is confidential. If you are not the intended recipient,
please do not read, copy, use or disclose it to anyone else. Notify the
sender of the delivery error by replying to this message and then delete
it from your system. Unauthorised use or disclosure of this message is
strictly prohibited and may be unlawful.