
Re: Why is ADP port scanning ?




[Redacted]

Answer: it is not.

>This IP address was located in the log files
>140.239.226.141 on Oct 8, 11 and 15th
>Two more tries 10/15/02
>     ALARM TYPE: Block
[whois query deleted]
>      IP PACKET: TCP  [140.239.226.141/33902]-->[64.80.161.170/25]  l=0 f=0x2
>
>                     [wks141.actwin.com/33902]-->[64.80.161.170/smtp]
>
[other instances deleted]

Explanation:

This shows an attempt by the server on 140.239.226.141 to connect to port 
25 on the server at 64.80.161.170. A quick query in dig to locate the MX 
(Mail eXchanger) records for actwin.com comes back with:

;; ADDITIONAL SECTION:
smtp.actwin.com.        86400   IN      A       140.239.226.141
mailhub.actwin.com.     86400   IN      A       140.239.226.141
mail.actwin.com.        86400   IN      A       140.239.226.141

This indicates that 140.239.226.141 is actwin.com's primary mail server. 
64.80.161.170 fails with a `dig -x` query (meaning the IP address can not 
be resolved back to a name).

Summary:

What this all means is that the actwin.com mailserver tried to send an 
email message to your server via SMTP, which is the Simple Mail Transfer 
Protocol (the standard used on the Internet). You and/or petswarehouse 
apparently have this machine firewalled so that it denies incoming SMTP 
connections from remote mail servers. Presumably someone sent a message 
from that machine with IP 64.80.161.170, which means someone either 
intentionally sent a message from there, has a misconfigured mail client 
that is trying to act as its own mail server, or has a misconfigured DNS 
zone indicating that machine as a primary MX for some domain.

A port scan will normally go through many ports in order and in very rapid 
succession. As a systems administrator for an ISP I have a lot of 
experience being on the receiving end of such things.

Possible Solutions:

I suggest checking your DNS *server* configuration and possibly the mail 
client you are using on the machine in question. There is certainly some 
misconfiguration on your end somewhere. If you need help configuring your 
firewall, http://www.cert.org may be a good place to get some information. 
You should not accuse other systems of suspicious activity without very 
good reason, and you need to have enough knowledge of the network protocols 
your firewall is dealing with to know what constitutes "very good reason".

         -Bill

*****************************
Waveform Technology
UNIX Systems Administrator
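The distinction Bill draws above (one remote host repeatedly hitting a single port, versus a scan sweeping many ports in rapid succession) can be checked mechanically against the kind of "IP PACKET:" lines quoted in the thread. The script below is an added example and not part of the original post or the firewall product that produced those log lines. It assumes a timestamp prefix on each line (the quoted lines carried only dates) and embeds a constructed sample log: the three actwin.com delivery attempts from the thread plus an invented scanner at 10.0.0.7. The `dig` MX lookup Bill performs is a live network step and is not reproduced here.

```python
"""Classify blocked-connection log lines: SMTP delivery retries vs. a port scan.

Added example; log format follows the "IP PACKET:" lines quoted in the thread.
Timestamps and the 10.0.0.7 scanner entries are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?IP PACKET: (?P<proto>\w+)\s+"
    r"\[(?P<src>[\d.]+)/(?P<sport>\d+)\]-->\[(?P<dst>[\d.]+)/(?P<dport>\d+)\]"
    r"\s+l=(?P<len>\d+)\s+f=0x(?P<flags>[0-9a-fA-F]+)"
)

# TCP flag bits as carried in the "f=0x.." field; f=0x2 is a bare SYN,
# i.e. a fresh connection attempt rather than traffic on an open session.
TCP_SYN = 0x02
TCP_ACK = 0x10

# Constructed sample log (times assumed; the thread gave only dates).
SAMPLE_LOG = [
    "2002-10-08 09:14:02 ALARM TYPE: Block IP PACKET: TCP  [140.239.226.141/33902]-->[64.80.161.170/25]  l=0 f=0x2",
    "2002-10-11 16:40:51 ALARM TYPE: Block IP PACKET: TCP  [140.239.226.141/34117]-->[64.80.161.170/25]  l=0 f=0x2",
    "2002-10-15 08:03:12 ALARM TYPE: Block IP PACKET: TCP  [140.239.226.141/35260]-->[64.80.161.170/25]  l=0 f=0x2",
    "2002-10-15 08:07:55 ALARM TYPE: Block IP PACKET: TCP  [140.239.226.141/35271]-->[64.80.161.170/25]  l=0 f=0x2",
    # Invented scanner: seven distinct ports within three seconds.
    "2002-10-15 22:01:00 ALARM TYPE: Block IP PACKET: TCP  [10.0.0.7/40001]-->[64.80.161.170/21]  l=0 f=0x2",
    "2002-10-15 22:01:00 ALARM TYPE: Block IP PACKET: TCP  [10.0.0.7/40002]-->[64.80.161.170/22]  l=0 f=0x2",
    "2002-10-15 22:01:01 ALARM TYPE: Block IP PACKET: TCP  [10.0.0.7/40003]-->[64.80.161.170/23]  l=0 f=0x2",
    "2002-10-15 22:01:01 ALARM TYPE: Block IP PACKET: TCP  [10.0.0.7/40004]-->[64.80.161.170/25]  l=0 f=0x2",
    "2002-10-15 22:01:02 ALARM TYPE: Block IP PACKET: TCP  [10.0.0.7/40005]-->[64.80.161.170/80]  l=0 f=0x2",
    "2002-10-15 22:01:02 ALARM TYPE: Block IP PACKET: TCP  [10.0.0.7/40006]-->[64.80.161.170/110]  l=0 f=0x2",
    "2002-10-15 22:01:03 ALARM TYPE: Block IP PACKET: TCP  [10.0.0.7/40007]-->[64.80.161.170/143]  l=0 f=0x2",
]


def parse_line(line):
    """Return a dict for one IP PACKET line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
        "proto": d["proto"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "flags": int(d["flags"], 16),
    }


def classify(entries, window=timedelta(seconds=60), scan_threshold=5):
    """Group bare-SYN attempts by (src, dst) and label each group.

    A mail server retrying delivery touches one port (25) with new SYNs spread
    over hours or days; a port scan touches many distinct ports within seconds.
    """
    groups = defaultdict(list)
    for e in entries:
        if e["proto"] == "TCP" and e["flags"] & TCP_SYN and not e["flags"] & TCP_ACK:
            groups[(e["src"], e["dst"])].append(e)

    verdicts = {}
    for key, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        ports = {e["dport"] for e in evs}
        # Largest number of distinct destination ports seen inside any window.
        max_in_window = 0
        for i, first in enumerate(evs):
            in_win = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            max_in_window = max(max_in_window, len(in_win))
        if max_in_window >= scan_threshold:
            verdicts[key] = "port scan"
        elif ports == {25}:
            verdicts[key] = "inbound SMTP delivery attempt (not a scan)"
        else:
            verdicts[key] = "repeated connection attempts to ports %s" % sorted(ports)
    return verdicts


def run_sample():
    """Classify the constructed SAMPLE_LOG; returns {(src, dst): verdict}."""
    entries = [e for e in (parse_line(l) for l in SAMPLE_LOG) if e]
    return classify(entries)


if __name__ == "__main__":
    for (src, dst), verdict in run_sample().items():
        print("%s -> %s: %s" % (src, dst, verdict))
```

The window and threshold are deliberately conservative: a legitimate mail server may retry port 25 dozens of times over days, and that never raises the distinct-port count, while a scan of even a handful of ports inside a minute does. Before acting on a "not a scan" verdict, confirm the source is a mail server the way the post does, by checking that it appears in some domain's MX records.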