Hi
I'm not an ISP but I keep getting this kind of activity on my modem:
+--------------------------+
omni:~# tcpdump -i ppp0 | grep unreachable
tcpdump: listening on ppp0
07:48:29.447038 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 135 unreachable [tos 0xc0]
07:48:29.459207 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 1025 unreachable [tos 0xc0]
07:48:29.479183 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 445 unreachable [tos 0xc0]
07:48:32.669674 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 445 unreachable [tos 0xc0]
07:48:32.687687 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 1025 unreachable [tos 0xc0]
07:48:32.709139 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 135 unreachable [tos 0xc0]
07:48:38.469164 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 445 unreachable [tos 0xc0]
07:48:38.499919 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 1025 unreachable [tos 0xc0]
07:48:38.500154 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 135 unreachable [tos 0xc0]
+--------------------------+
Omni is my Debian (Woody 2.2.20, ipchains, TrinityOS firewall) gateway for my NATted LAN.
I realise I can save bandwidth by ignoring incoming requests, but there aren't that many, and it's a convenient method of watching worm activity; mostly I add from within my own dialup pool.
Was curious as to the list's thoughts on some method of email notification back to the IP doing the worm-like port scanning?
I assume that the compromised machine's owner is basically clueless as to what is going on. All well and true, some tool like AntiVir could be utilized and another user brought a bit more up to lightspeed...
Ross
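An added example, not from Ross's post or from any tool it mentions: a small Python parser that reads tcpdump ICMP port-unreachable lines like the ones above, groups them by the host that was probing, and produces the kind of summary one would want before deciding whether a source is worth a notification. It relies on the ICMP semantics of the output: the gateway (211.26.118.133) emits the port-unreachable error and addresses it to the host whose TCP connection attempt was rejected, so the ICMP destination (211.26.122.178) is the prober. The sample text is a constructed copy of the nine lines in the post; the thresholds in `flag_scanners` and the report wording are assumptions, and looking up the abuse contact for an address (whois) is left out because it needs network access.

```python
import re

# Constructed sample: the ICMP port-unreachable lines from the post, as tcpdump printed them.
SAMPLE = """\
07:48:29.447038 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 135 unreachable [tos 0xc0]
07:48:29.459207 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 1025 unreachable [tos 0xc0]
07:48:29.479183 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 445 unreachable [tos 0xc0]
07:48:32.669674 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 445 unreachable [tos 0xc0]
07:48:32.687687 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 1025 unreachable [tos 0xc0]
07:48:32.709139 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 135 unreachable [tos 0xc0]
07:48:38.469164 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 445 unreachable [tos 0xc0]
07:48:38.499919 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 1025 unreachable [tos 0xc0]
07:48:38.500154 211.26.118.133 > 211.26.122.178: icmp: 211.26.118.133 tcp port 135 unreachable [tos 0xc0]
"""

# Matches "<time> <src> > <dst>: icmp: <host> tcp port <n> unreachable"; the trailing [tos ...] is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+>\s+(?P<dst>\d+\.\d+\.\d+\.\d+):\s+icmp:\s+"
    r"(?P<host>\d+\.\d+\.\d+\.\d+)\s+tcp port\s+(?P<port>\d+)\s+unreachable"
)


def parse_unreachables(text):
    """Return one event per ICMP port-unreachable line; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": m["ts"],
            "firewall": m["src"],   # host that generated the ICMP error (the gateway)
            "prober": m["dst"],     # host whose TCP connection attempt was rejected
            "port": int(m["port"]),
        })
    return events


def summarize_by_prober(events):
    """Group events by probing host: attempt count, distinct ports, first and last timestamp.

    Timestamps are zero-padded HH:MM:SS.micro strings, so string comparison orders
    them correctly within a single day (assumption: the capture does not cross midnight)."""
    summary = {}
    for ev in events:
        entry = summary.setdefault(
            ev["prober"], {"count": 0, "ports": set(), "first": ev["ts"], "last": ev["ts"]}
        )
        entry["count"] += 1
        entry["ports"].add(ev["port"])
        entry["first"] = min(entry["first"], ev["ts"])
        entry["last"] = max(entry["last"], ev["ts"])
    return summary


def flag_scanners(summary, min_ports=2, min_events=3):
    """Probers that touched several distinct ports and did so repeatedly (assumed thresholds)."""
    return sorted(
        p for p, s in summary.items()
        if len(s["ports"]) >= min_ports and s["count"] >= min_events
    )


def build_report(prober, entry):
    """Plain-text summary suitable as the body of a notification (assumed wording)."""
    ports = ", ".join(str(p) for p in sorted(entry["ports"]))
    return (
        f"Host {prober} made {entry['count']} rejected TCP connection attempts to ports {ports} "
        f"between {entry['first']} and {entry['last']} (gateway-local times)."
    )


if __name__ == "__main__":
    summary = summarize_by_prober(parse_unreachables(SAMPLE))
    for prober in flag_scanners(summary):
        print(build_report(prober, summary[prober]))
```

Run against the sample it reports one prober, 211.26.122.178, with nine attempts across ports 135, 445 and 1025 in about nine seconds. A real capture would contain many sources; the thresholds are where you would tune how much repetition counts as worm-like probing versus a single stray connection.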