Re: Why is ADP port scanning?
[Redacted]
Answer: it is not.
>This IP address was located in the log files
>140.239.226.141 on Oct 8, 11 and 15th
>Two more tries 10/15/02
> ALARM TYPE: Block
[whois query deleted]
> IP PACKET: TCP [140.239.226.141/33902]-->[64.80.161.170/25] l=0 f=0x2
>
> [wks141.actwin.com/33902]-->[64.80.161.170/smtp]
>
[other instances deleted]
Explanation:
This shows an attempt by the server on 140.239.226.141 to connect to port
25 on the server at 64.80.161.170. A quick query in dig to locate the MX
(Mail eXchanger) records for actwin.com comes back with:
;; ADDITIONAL SECTION:
smtp.actwin.com. 86400 IN A 140.239.226.141
mailhub.actwin.com. 86400 IN A 140.239.226.141
mail.actwin.com. 86400 IN A 140.239.226.141
This indicates that 140.239.226.141 is actwin.com's primary mail server.
64.80.161.170 fails with a `dig -x` query (meaning the IP address cannot
be resolved back to a name).
Summary:
What this all means is that the actwin.com mailserver tried to send an
email message to your server via SMTP, which is the Simple Mail Transfer
Protocol (the standard used on the Internet). You and/or petswarehouse
apparently has this machine firewalled so that it denies incoming SMTP
connections from remote mail servers. Presumably someone sent a message
from that machine with IP 64.80.161.170, which means someone either
intentionally sent a message from there, has a misconfigured mail client
that is trying to act as its own mail server, or has a misconfigured DNS
zone indicating that machine as a primary MX for some domain.
A port scan will normally go through many ports in order and in very rapid
succession. As a systems administrator for an ISP I have a lot of
experience being on the receiving end of such things.
Possible Solutions:
I suggest checking your DNS *server* configuration and possibly the mail
client you are using on the machine in question. There is certainly some
misconfiguration on your end somewhere. If you need help configuring your
firewall, http://www.cert.org may be a good place to get some information.
You should not accuse other systems of suspicious activity without very
good reason, and you need to have enough knowledge of the network protocols
your firewall is dealing with to know what constitutes "very good reason".
-Bill
*****************************
Waveform Technology
UNIX Systems Administrator
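One way to apply the distinction Bill draws (one service port hit repeatedly versus many ports in rapid succession) to the firewall's own "IP PACKET" alarm lines, as an added example that is not part of the original thread; the timestamp prefix, the thresholds and the 192.0.2.10 sweep are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime
# Matches the firewall's "IP PACKET" alarm line quoted in the thread (timestamp prefix assumed).
PACKET_RE = re.compile(
    r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) IP PACKET: TCP "
    r"\[(?P<src>[\d.]+)/(?P<sport>\d+)\]-->\[(?P<dst>[\d.]+)/(?P<dport>\d+)\] "
    r"l=\d+ f=0x(?P<flags>[0-9a-fA-F]+)")
TCP_SYN, TCP_ACK = 0x02, 0x10  # f=0x2 in the log is a bare SYN, i.e. a new connection attempt

def parse_packet(line):
    """Return a dict for one TCP alarm line, or None if the line is not one."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["flags"] = int(rec["flags"], 16)
    rec["syn_only"] = (rec["flags"] & (TCP_SYN | TCP_ACK)) == TCP_SYN
    return rec

def classify_sources(lines, min_ports=5, window_s=60):
    """Per source IP: 'scan' if >= min_ports distinct ports within window_s seconds, else 'single-service'."""
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_packet(line)
        if rec and rec["syn_only"]:
            by_src[rec["src"]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        verdict = "single-service"
        for i, first in enumerate(recs):  # slide a time window over this source's attempts
            hit = {r["dport"] for r in recs[i:] if (r["ts"] - first["ts"]).total_seconds() <= window_s}
            if len(hit) >= min_ports:
                verdict = "scan"
                break
        verdicts[src] = {"verdict": verdict, "attempts": len(recs),
                         "ports": sorted({r["dport"] for r in recs})}
    return verdicts

# Constructed sample: the three actwin.com delivery attempts (clock times assumed) plus an assumed port sweep.
SAMPLE_LOG = [
    "2002-10-08 09:14:02 IP PACKET: TCP [140.239.226.141/33902]-->[64.80.161.170/25] l=0 f=0x2",
    "2002-10-11 16:40:51 IP PACKET: TCP [140.239.226.141/34117]-->[64.80.161.170/25] l=0 f=0x2",
    "2002-10-15 08:03:19 IP PACKET: TCP [140.239.226.141/35220]-->[64.80.161.170/25] l=0 f=0x2",
] + [f"2002-10-15 23:10:{s:02d} IP PACKET: TCP [192.0.2.10/{40000 + i}]-->[64.80.161.170/{p}] l=0 f=0x2"
     for i, (s, p) in enumerate([(0, 21), (0, 22), (1, 23), (1, 25), (2, 80), (2, 110), (3, 443)])]
```

Running `classify_sources(SAMPLE_LOG)` marks the mail server as "single-service" (one port, three attempts days apart) and the constructed sweep as "scan".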