MannyT
04-12-2003, 02:23 PM
Been dealing with spammers relaying thru my 550.
I'm looking at my 550's Scan Detection log. My 550 is located in Southern CA.
61.220.49.186 is Asia Pacific Network Information Centre in Milton, AU.
217.21.114.142 is RIPE Network Coordination Centre in Amsterdam, NL.
Port 137 is a highly exploited netbios-ns TCP/UDP Windows Name Service.
Port 445 is microsoft-ds udp Microsoft-DS.
Port 3481 - don't know about this one.
Questions:
1. Does "!pass (8)" mean they got in?
2. What does "(8)" and "48 syn ! 40 rst (17)" mean?
3. Is there a web resource I can refer to re: these messages?
4. Does the below mean that these guys were able to get into my 550?
5. Is this the probable source of the spam relaying attempts, though my mail
log says "status=deferred" for all the attempted emails out?
Needless to say, I've blocked these 2 particular IPs.
thnx for any assist!
Manny
04/11/03-18:50:31 eth0 Firewall loaded
04/12/03-04:55:31 eth0:portscan: tcp [my ip address]/445 -> 61.220.49.186/29751 40 rst (17)
04/12/03-04:55:32 eth0:: udp [my ip address]/137 <- 61.220.49.186/137 78 !pass (8)
04/12/03-04:55:33 eth0:: udp [my ip address]/137 <- 61.220.49.186/137 78 !pass (8)
04/12/03-04:55:35 eth0:: udp [my ip address]/137 <- 61.220.49.186/137 78 !pass (8)
04/12/03-07:10:20 eth0:portscan: tcp [my ip address]/3128 -> 217.21.114.142/3481 40 rst (17)
04/12/03-07:10:21 eth0:: tcp [my ip address]/3128 <- 217.21.114.142/3481 48 syn !pass (8)
