Hi Folks,
I have just checked my firewall log and found it packed full of Port 135 probes. It looks like they have been occurring two or three times per second from a wide variety of IP Addresses throughout all today. Have any other ALUGers been getting inundated with these probes as well?
Ian.
On Sunday, August 24, 2003 10:57 PM, Paul wrote:
From around 400-500 per day, I've seen a steady increase this month - With an explosion in the last five days. Currently up around 12,000 hits, with the majority appearing to be NTL IP addresses.
Phew, that's a relief! Although, knowing it was probably unlikely, I was starting to think it was just me who had been singled out for this probe storm and was starting to develop a persecution complex.
Ian.
Ian Douglas wrote:
Hi Folks,
I have just checked my firewall log and found it packed full of Port 135 probes. It looks like they have been occurring two or three times per second from a wide variety of IP Addresses throughout all today. Have any other ALUGers been getting inundated with these probes as well?
Ian.
fw root # grep -c DPT=445 /var/log/firewall
117199
fw root # grep -c DPT=135 /var/log/firewall
65082
I think it's the Blaster worm.
Cheers, Laurie.
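Laurie's grep -c gives totals per port; the script below is an added example (not from the thread) that tallies netfilter LOG lines by destination port and then lists the busiest source addresses for one port, which is the quickest way to see whether the hits come from a few hosts or from a whole ISP range as Paul observed. The log lines it reads are constructed samples in the kernel LOG target's SRC=/DPT= format, not real traffic.

```shell
#!/bin/sh
# Added example, not from the thread: summarise netfilter LOG lines by
# destination port and by source address. The sample log below is constructed;
# the SRC=/DST=/DPT= fields are the ones the kernel's LOG target writes via syslog.

SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Aug 24 22:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=3344 DPT=135 SYN
Aug 24 22:01:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=3345 DPT=445 SYN
Aug 24 22:01:06 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP SPT=1025 DPT=135 SYN
Aug 24 22:01:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.2 PROTO=TCP SPT=3346 DPT=135 SYN
Aug 24 22:01:08 fw kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 PROTO=TCP SPT=2000 DPT=22 SYN
EOF

# count_dpt FILE PORT -> number of log lines whose DPT field equals PORT.
# Matches the whole field, so "DPT=13" does not count "DPT=135" lines.
count_dpt() {
    awk -v port="$2" '
        { for (i = 1; i <= NF; i++) if ($i == "DPT=" port) n++ }
        END { print n + 0 }' "$1"
}

# top_sources FILE PORT -> "count source" lines for PORT, busiest first.
top_sources() {
    awk -v port="$2" '
        { src = ""; hit = 0
          for (i = 1; i <= NF; i++) {
              if ($i ~ /^SRC=/) src = substr($i, 5)
              if ($i == "DPT=" port) hit = 1
          }
          if (hit && src != "") c[src]++ }
        END { for (s in c) print c[s], s }' "$1" | sort -rn
}

# Stand-alone run: the same per-port totals as grep -c, plus who is sending them.
echo "DPT=135: $(count_dpt "$SAMPLE_LOG" 135)  DPT=445: $(count_dpt "$SAMPLE_LOG" 445)"
echo "Top sources for DPT=135:"
top_sources "$SAMPLE_LOG" 135
```

Point it at /var/log/firewall (or whatever file your syslog writes the LOG lines to) instead of the sample to get the real picture.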
On Monday, August 25, 2003, at 08:40 am, Ian Douglas wrote:
On Sunday, August 24, 2003 11:34 PM, Laurie Brown wrote:
fw root # grep -c DPT=445 /var/log/firewall
117199
fw root # grep -c DPT=135 /var/log/firewall
65082
I think it's the Blaster worm.
Aha! That explains it. Thanks for putting my mind at rest!
Yep, this is one of a number of worms out there at the moment exploiting a bug in the MS RPC daemon. The really bizarre thing is that the Natchi worm, which seems to be the latest one to come out actually tries to clean up after the old ones, then tries to fix the exploit, and then commits suicide (although not until 2004). Benevolent worms. Whatever next. Doesn't stop them being illegal, or chewing through bandwidth like it's going out of fashion, but there we go...
Paul
On Sun, 24 Aug 2003, Laurie Brown wrote:
fw root # grep -c DPT=445 /var/log/firewall
117199
fw root # grep -c DPT=135 /var/log/firewall
65082
Hi,
How did you configure your syslogd to write all the firewall messages to a separate file? I've been trying to work it out all day. I can make it write to /var/log/kernel/warnings along with all the other kernel messages.
Many Thanks
Chris