portmap is a service associated with NFS, and I *think* a few RPC calls. It's a necessary element in NFS, though. This looks like some sort of bot or script that's been left running in the background until you screw up and turn this service on. I can recommend a couple things. You might want to add a black hole route for this guy, saying that the path to his box is through 127.0.0.1. You might want to start a little scripting project to remove lines containing "blah", listed in a conf file somewhere, from your logs on a periodic basis. I have a set of tools for removing all the "C:\...\winnt\" requests from my web server logs, courtesy of CR and Nimda. It'd be neat to expand that to something like a conf_file loaded into a Perl hash, then export each line that doesn't match anything in the hash to a tmp file, then copy the tmp file back to the original. I don't really "do" Perl yet, but I'm a little familiar with the vocab.
Any request blocked by an ipchains firewall, which is "doing its job", goes to logs. The idea is not to prevent logging, but to prune it and acclimate it once a harmless but persistent intruder has been identified. If someone spends a week scanning a port I don't have open, I figure they've left it running in the background and waiting for a reply. It likely won't go away. I had a guy scan a particular port of mine several times a minute for over three months. I eventually just started "grep -v" removing his IP from my logs, but the firewall was doing its job.

--
-j

On Mon, 5 Nov 2001, Byron Como wrote:

> Date: Mon, 05 Nov 2001 23:42:31 -0600
> From: Byron Como <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: [brluglist] Somebody at my front door.
>
> The attached text file has the ip addresses that are interesting. I
> personally don't think there is a problem because it seems like some
> kind of automated script kiddie attack that is mindlessly plodding
> along. Although my log files have rolled over, I did write down the name
> of the machine that appeared in an earlier logfile from which there were
> attempted connects: charcot.neurology.washington.edu. Anybody care to
> characterize what these logfile entries mean?
>

================================================
BRLUG - The Baton Rouge Linux User Group
Visit http://www.brlug.net for more information.
Send email to [EMAIL PROTECTED] to change your subscription information.
================================================
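The log-pruning project sketched in the reply above, written out as an added example (not the poster's own code): a Perl script that loads a conf file of literal strings into a hash, writes every non-matching log line to a tmp file and renames the tmp file over the original. It goes one step beyond the sketch by appending the pruned lines to an archive file instead of discarding them, so the firewall's record of the scanner survives; the file names `patterns.conf`, `/var/log/messages` and the `.pruned` suffix are assumptions.

```perl
#!/usr/bin/perl
# prune_log.pl: drop log lines matching any literal string in a conf file.
# Usage: prune_log.pl patterns.conf /var/log/messages   (paths are examples)
use strict;
use warnings;
use File::Copy qw(move);
die "usage: $0 patterns.conf logfile\n" unless @ARGV == 2;
my ($conf, $log) = @ARGV;

# Load the conf file into a hash: one literal per line (an IP, "winnt", ...);
# '#' comments and blank lines are ignored, values count hits for the summary.
my %prune;
open my $cf, '<', $conf or die "open $conf: $!";
while (my $line = <$cf>) {
    chomp $line;
    $line =~ s/#.*//;
    $line =~ s/^\s+|\s+$//g;
    $prune{$line} = 0 if length $line;
}
close $cf;
die "no patterns in $conf\n" unless %prune;

# One alternation of quotemeta'd literals, so the dots in 10.0.0.1 match
# only dots and the hash key can be recovered from $1 for counting.
my $re = join '|', map { quotemeta } sort keys %prune;
$re = qr/($re)/;

# Kept lines go to a tmp file beside the log, pruned lines are appended to
# an archive, then the tmp file is renamed over the original. Run this on a
# rotated log, or HUP syslogd afterwards: it keeps writing to the old inode.
my $tmp     = "$log.tmp.$$";
my $archive = "$log.pruned";
open my $in,  '<',  $log     or die "open $log: $!";
open my $out, '>',  $tmp     or die "open $tmp: $!";
open my $arc, '>>', $archive or die "open $archive: $!";
my ($kept, $dropped) = (0, 0);
while (my $line = <$in>) {
    if ($line =~ $re) {
        $prune{$1}++;
        print {$arc} $line;
        $dropped++;
    } else {
        print {$out} $line;
        $kept++;
    }
}
close $_ for $in, $out, $arc;
move($tmp, $log) or die "move $tmp -> $log: $!";
printf STDERR "%d kept, %d pruned\n", $kept, $dropped;
printf STDERR "  %6d  %s\n", $prune{$_}, $_ for sort keys %prune;
```

Because the patterns are matched as literals rather than regexes, a conf entry of a bare IP cannot accidentally swallow lines from a neighbouring address, and the per-pattern counts on stderr show at a glance whether a "harmless but persistent" source has changed behaviour.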
