[ILUG] Attack or annoyance ?

Niall O Broin niall at magicgoeshere.com
Tue May 23 01:11:57 IST 2000


I'm a little anxious here. I've just noticed that portmap is regularly
rejecting requests (with request from unauthorized host) from two particular
hosts on the same subnet as the box in question. The entries in
/var/log/messages are like this
 
Apr 23 05:09:41 penguin portmap[22420]: connect from w.x.y.z to \
callit(390109): request from unauthorized host
 
and there was one entry like so
 
Apr 26 06:40:36 penguin portmap[4761]: connect from 38.203.172.170 to \
dump(): request from unauthorized host
 
 
The dump was a bit cheeky :-) but the little script kiddie got sent on his
way. Also, the regular requests from the two local boxes are also sent on
their way, but I'm wondering what they are. On the basis that you should
never ascribe to malice that which can be explained by stupidity, I'm assuming
that this is simply caused by my machine picking up broadcasts, because
AFAIK that's what callit is for. However, I've no idea what program 390109
is and RFC1010 is no help - but perhaps that's not the right place to look,
because I can't find other programs there (e.g. 150001 which is pcnfsd).
 
So, what is 390109 and should I worry about this ? Queso's not much help
with identifying the boxes - it says that one is a Dead Host, Firewalled
Port or Unassigned IP although it responds to pings and it says that the
other is Cisco 11.2(10a), HP/3000 DTC, BayStack Switch yet if I ftp to it I
get a  220 jupiter Microsoft FTP Service (Version 4.0)  banner.
 
 
Regards,
 
 
Niall
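
An added example, not part of the original post: a Python script that tallies portmap rejection lines of the kind quoted above by source, procedure and RPC program number, and marks whether each source is on the local subnet. The sample log lines, the addresses and the 192.0.2.0/24 subnet are constructed for illustration; the names unwrap and summarise are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Matches portmap rejection lines in the format quoted in the post.
LINE_RE = re.compile(
    r"portmap\[\d+\]: connect from (?P<src>\S+) to "
    r"(?P<proc>\w+)\((?P<arg>\d*)\): request from unauthorized host"
)

def unwrap(text):
    """Rejoin lines that were wrapped with a trailing backslash, as in the post."""
    return re.sub(r"\\[ \t]*\n", "", text).splitlines()

def summarise(text, local_net):
    """Count rejections per (source, procedure, program number, scope)."""
    net = ipaddress.ip_network(local_net)
    counts = Counter()
    for line in unwrap(text):
        m = LINE_RE.search(line)
        if not m:
            continue  # not a portmap rejection line
        try:
            scope = "local" if ipaddress.ip_address(m["src"]) in net else "remote"
        except ValueError:
            scope = "unknown"  # source logged as a hostname or masked (w.x.y.z)
        prog = int(m["arg"]) if m["arg"] else None  # dump() carries no number
        counts[(m["src"], m["proc"], prog, scope)] += 1
    return counts

# Constructed sample input using documentation address ranges.
SAMPLE = """\
Apr 23 05:09:41 penguin portmap[22420]: connect from 192.0.2.17 to \\
callit(390109): request from unauthorized host
Apr 23 05:10:02 penguin portmap[22421]: connect from 192.0.2.23 to callit(390109): request from unauthorized host
Apr 23 05:39:41 penguin portmap[22431]: connect from 192.0.2.17 to callit(390109): request from unauthorized host
Apr 26 06:40:36 penguin portmap[4761]: connect from 198.51.100.9 to dump(): request from unauthorized host
Apr 26 06:41:00 penguin sshd[4770]: unrelated line
"""

if __name__ == "__main__":
    for (src, proc, prog, scope), n in summarise(SAMPLE, "192.0.2.0/24").most_common():
        print(f"{n:3d}  {src:15s} {scope:7s} {proc}({'' if prog is None else prog})")
```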



