53 is DNS. I get a lot of "probes" because I don't allow TCP connections
(it's a UDP protocol, although TCP is used for zone xfers which I don't
allow). Unless the same IP is hitting your port 53 repeatedly, it's
probably nothing to worry about.
To keep from being vulnerable to nasties such as the Lion worm, make sure
to upgrade your BIND to a version later than 8.2.2 (ie, 8.2.3 (non-beta)
and above).
111 is the SunRPC. Be sure that's blocked, although not all attempts at
that port are "scans" (unless, of course, it's hammering away or hitting an
entire block of addresses).
137 is NetBIOS and I write that off to someone using a PC (I see this on my
webserver all the time). Nothing to worry about.
The above is my personal opinion. YMMV.
At 01:31 PM 4/5/2001 -0500, Lindsey Simon wrote:
>I've been wondering why I get so many probes on port 53, what's the
>popular exploit on it?
>
>JonesMB in message Re: [SECURITY] [DSA 045-1] ntp remote root exploit
>fixed (Thu, 04/05 12:40):
>
> > >>I guess we should expect a whole lot of attempts to connect to the ports
> > >>used by NTP once the script kiddies figure this one out.
> > >>
> > >>I probably average about 20 connect attempts to ports 53 and 111
> every day.
> > >
> > >port 137 has also a good average.
> >
> > oh yeah, I forgot about that one, along with 27374.
> >
> > jmb
> >
> >
> > --
> > To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> > with a subject of "unsubscribe". Trouble? Contact
> [EMAIL PROTECTED]
>
>
>--
>To UNSUBSCRIBE, email to [EMAIL PROTECTED]
>with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
--
Eric N. Valor
Webmeister/Inetservices
Lutris Technologies
[EMAIL PROTECTED]
- This Space Intentionally Left Blank -
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
