[lug] how many ways to relay port 220?

D. Stimits stimits at comcast.net
Tue Jan 20 12:23:17 MST 2004


jjh-mlug at vieorhythms.com wrote:

> >>>>>"D" == D Stimits  writes:
>
>
> D> Bear Giles wrote:
> D> I'm positive nothing is there. In fact I have noticed now 3 KRUD
> D> machines, 7.3, 8.0, and 9.0, all doing the same thing, and all
> D> intercepted and blocked by the firewall.
>
> D> Partial detail now is that each machine will attempt to go outbound
> D> to the same port 220 ip address, using local port 6129. Each occurs
> D> regularly, but at different time offsets, e.g., maybe 5 minutes
> D> apart. It is as if networks are being scanned and when they reach the
> D> machine, it triggers.
>
> Okay, this may be pretty basic, but have you checked the RedHat Update
> Agent?  I don't know much about its inner workings, but it goes out and
> makes a request to RedHat every so often.  Maybe every 5 minutes or so.
> I think that matches your profile as I understand it (something on your
> machines makes regular requests to a specific port on another range of
> machines).

I have the agent, but don't use it; I go to the ftp site (or sometimes 
krud2date) and download directly.

>
> Have you done a reverse DNS lookup on those ip addresses it is attempting
> to contact and see who owns them?


They are almost all random dialup or similar accounts throughout the 
world. None seem to be legitimate. It really looks like a relay though, 
with the sender using a scan of IPs and not caring that it is failing. 
When I get my new video card (I am waiting for the 3rd one; locally 
borrowed cards tell me my hardware is just fine), though, this one 
machine will get reinstalled and used as a test to see if the attempts 
cease.

D. Stimits, stimits AT comcast DOT net
