[Scottish] The yellow peril?

Neil McKillop scottish at mailman.lug.org.uk
Fri Jul 25 10:40:01 2003

Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Thu, 2003-07-24 at 12:46, Colin Fraser wrote:
> Hi,
> Just found the following in /var/log/messages:
> Jul 24 13:23:44 elgin kernel: SuSE-FW-DROP-DEFAULT IN=3Dippp1 OUT=3D MAC=
> SRC=3D62.134.72.190 DST=3D213.122.60.116 LEN=3D288 TOS=3D0x00 PREC=3D0x00=
> ID=3D28413 PROTO=3DUDP SPT=3D4288 DPT=3D135 LEN=3D268
> Anyone got any idea of what's going on or suggestions on my next step?
> Cheers,
> Colin

I wouldn't worry about this Colin, my home system gets hundreds of these
a day, from about 30-50 different IPs.  Best guess: port 135 is one of
the ports that some script kiddie is checking for vulnerabilities.=20
Since this is showing up in your logs as a dropped packet, you've
nothing to worry about, your firewall is doing its job.

Regarding a next step, I wouldn't bother doing anything unless you're
having regular or multiple problems from this address - it's generally a
waste of time.
I don't expect you'll see this IP again, most script kiddies obtain
lists of the IPs allocated to residential broadband subscribers and
concentrating on scanning these home machines, subnet by subnet.

As you said, it is possible that this IP is a victim, who is being used
to scan for additional vulnerable hosts however, I wouldn't bother
trying to help here either - 'cause I'm just lazy and a cynic.  You'll
have to contact the ISP, voice your suspicions and ask them to get in
touch with their subscriber.  Forgoing any communication problems you
might have with a Chinese ISP, they might opt to do absolutely nothing,
and if you choose to do this for all the incoming scans you receive it
will eat into quite a bit of your time.


FYI, from iss.net:

Port 135 loc-srv/epmap

Microsoft DCE Locator service aka. end-point mapper.  It works like Sun
RPC portmapper, except that end-points can also be named pipes.=20
Microsoft relies upon DCE RPC to remotely manage services.  Some
services that use port 135 of end-point mapping are:
- DHCP server
- DNS server
- WINS server

Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

Version: GnuPG v1.2.2 (GNU/Linux)