Hi On 15 July 2003 17:40, DNSAdmin wrote: > I think that is a Windows vulnerability they are trying to exploit?
Not necessarily... This could well be a client of yours, or a client of a client, or a regular visitor to a single website on your machine. Or someone who sends email to someone using your machine for email (you get the idea). Before anybody runs off saying "but that's a WINDOWS PORT!", hear me out: older, slightly more brain-dead windows versions - I forget which, exactly, but ISTR 95, 98, 98se and ME as culprits - often tried to prefix every TCP connection with a NetBIOS namelookup attempt. This was frequently because they couldn't determine the difference between local and non-local remote hosts, or were misconfigured to specifically attempt DNS using NetBIOS before doing anything else. It could, just as easily, be someone scanning you: but if they keep hitting a non-operational port, what do you have to worry about? There is no need, whatsoever, for you to monitor port 135, unless you're running services upon it. Doing so is a little like keeping an eye on a specific brick in the wall of your house, just in case someone tries to chisel the mortar out and look through the hole. I'd look through your mail logs and see if that IP address features in there at all. I'll wager you'll find POP3 connections from it, every fifteen minutes, for hours on end. Graeme Regards Graeme Fowler Team Leader - Nottingham Technical Services Host Europe PLC _______________________________________________ cobalt-security mailing list [EMAIL PROTECTED] http://list.cobalt.com/mailman/listinfo/cobalt-security
