<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Welcome to the Internet!<br>
<br>
It's a fact of life when you have equipment connected to the Internet.
The script kiddies are always probing and trying.<br>
<br>
Lyle<br>
<br>
Bruce B wrote:
<blockquote
cite="mid:AANLkTi=FX=mbMXW_s1Ur2rRm1u9bm6FQHmOXtD3vb98Z@mail.gmail.com"
type="cite">And that's the problem. There is no such service running,
nor is any such port open. They only keep trying this for no reason. It
might cost us bandwidth for no reason. In fact there are no open ports
on our network whatsoever.
<div><br>
</div>
<div>Thanks<br>
<br>
<div class="gmail_quote">On Mon, Nov 8, 2010 at 9:50 PM, Lyle Giese <span
dir="ltr"><<a moz-do-not-send="true"
href="mailto:lyle@lcrcomputer.net">lyle@lcrcomputer.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
<div>
<div class="h5">Bruce B wrote:
<blockquote type="cite">Hi Everyone,
<div><br>
</div>
<div>I have pfSense running, which supplies Asterisk with DHCP. I
had some testing ports opened for a web server, which I have now totally
closed, but when I chose option 10 (filter log) on pfSense I get all of
this type of traffic (note that it was only a single IP, and once I
blocked that one it was like opening a can full of bees, with all
different IPs):</div>
<div><br>
</div>
<div>
<div><br>
</div>
<div><br>
</div>
<div>tcpdump: WARNING: pflog0: no IPv4 address assigned</div>
<div>tcpdump: verbose output suppressed, use -v or -vv for full
protocol decode</div>
<div>listening on pflog0, link-type PFLOG (OpenBSD pflog file),
capture size 96 bytes</div>
<div>000000 rule 70/0(match): block in on vr1:
221.132.34.165.33556
> 69.90.78.53.52229: tcp 20 [bad hdr length 0 - too short, < 20]</div>
<div>6. 239658 rule 70/0(match): block in on vr1:
121.207.254.227.6667 > 69.90.78.38.3072: tcp 24 [bad hdr length 0 -
too short, < 20]</div>
<div>7. 986724 rule 70/0(match): block in on vr1:
61.231.237.223.4155
> 69.90.78.62.445: tcp 28 [bad hdr length 0 - too short, < 20]</div>
<div>2. 867707 rule 70/0(match): block in on vr1:
61.231.237.223.4155
> 69.90.78.62.445: tcp 28 [bad hdr length 0 - too short, < 20]</div>
<div>2. 799337 rule 70/0(match): block in on vr1:
186.36.73.212.4545
> 69.90.78.56.445: tcp 28 [bad hdr length 0 - too short, < 20]</div>
<div>2. 931814 rule 70/0(match): block in on vr1:
186.36.73.212.4545
> 69.90.78.56.445: tcp 28 [bad hdr length 0 - too short, < 20]</div>
<div>1. 574556 rule 70/0(match): block in on vr1:
190.7.59.45.1341
> 69.90.78.43.445: tcp 28 [bad hdr length 0 - too short, < 20]</div>
<div>2. 956066 rule 70/0(match): block in on vr1:
190.7.59.45.1341
> 69.90.78.43.445: tcp 28 [bad hdr length 0 - too short, < 20]</div>
<div>1. 598334 rule 70/0(match): block in on vr1:
2.95.19.121.3463
> 69.90.78.42.445: tcp 20 [bad hdr length 8 - too short, < 20]</div>
<div>072759 rule 70/0(match): block in on vr1:
123.192.177.2.54518
> 69.90.78.43.445: tcp 20 [bad hdr length 8 - too short, < 20]</div>
<div>109451 rule 70/0(match): block in on vr1:
219.163.19.138.3723
> 69.90.78.63.445: tcp 28 [bad hdr length 0 - too short, < 20]</div>
<div>2. 731065 rule 70/0(match): block in on vr1:
2.95.19.121.3463
> 69.90.78.42.445: tcp 16 [bad hdr length 12 - too short, < 20]</div>
<div>159413 rule 70/0(match): block in on vr1:
123.192.177.2.54518
> 69.90.78.43.445: tcp 20 [bad hdr length 8 - too short, < 20]</div>
<div>374293 rule 70/0(match): block in on vr1:
219.163.19.138.3723
> 69.90.78.63.445: tcp 16 [bad hdr length 12 - too short, < 20]</div>
<div>10. 234202 rule 70/0(match): block in on vr1:
189.105.69.200.2413 > 69.90.78.52.445: tcp 20 [bad hdr length 12 -
too short, < 20]</div>
<div>2. 985558 rule 70/0(match): block in on vr1:
189.105.69.200.2413
> 69.90.78.52.445: tcp 20 [bad hdr length 12 - too short, < 20]</div>
<div>13. 236084 rule 70/0(match): block in on vr1:
82.51.36.230.2923
> 69.90.78.35.445: tcp 16 [bad hdr length 12 - too short, < 20]</div>
<div>2. 982122 rule 70/0(match): block in on vr1:
82.51.36.230.2923
> 69.90.78.35.445: tcp 16 [bad hdr length 12 - too short, < 20]</div>
<div>18. 493312 rule 70/0(match): block in on vr1:
218.16.118.242.80
> 69.90.78.47.39781: tcp 16 [bad hdr length 12 - too short, < 20]</div>
<div>2. 477084 rule 70/0(match): block in on vr1:
218.16.118.242.80
> 69.90.78.47.39781: tcp 16 [bad hdr length 12 - too short, < 20]</div>
<div>9. 777792 rule 70/0(match): block in on vr1:
121.243.16.214.1677
> 69.90.78.54.445: tcp 16 [bad hdr length 12 - too short, < 20]</div>
<div>1. 216002 rule 70/0(match): block in on vr1:
172.168.0.4.1568
> 69.90.78.49.445: [|tcp]</div>
<div>321600 rule 70/0(match): block in on vr1: 72.179.18.165.2854
> 69.90.78.55.445: tcp 20 [bad hdr length 8 - too short, < 20]</div>
<div>1. 383839 rule 70/0(match): block in on vr1:
121.243.16.214.1677
> 69.90.78.54.445: [|tcp]</div>
<div>1. 466115 rule 70/0(match): block in on vr1:
72.179.18.165.2854
> 69.90.78.55.445: [|tcp]</div>
<div>7. 977140 rule 70/0(match): block in on vr1:
41.72.209.67.4532
> 69.90.78.36.445: [|tcp]</div>
<div>2. 920013 rule 70/0(match): block in on vr1:
41.72.209.67.4532
> 69.90.78.36.445: [|tcp]</div>
<div>29. 032839 rule 70/0(match): block in on vr1:
201.168.49.13.1404
> 69.90.78.55.445: [|tcp]</div>
<div>2. 996906 rule 70/0(match): block in on vr1:
201.168.49.13.1404
> 69.90.78.55.445: [|tcp]</div>
<div>62. 079279 rule 70/0(match): block in on vr1:
82.165.131.28.6005
> 69.90.78.47.1024: [|tcp]</div>
<div>34. 224871 rule 67/0(match): block in on vr1:
77.34.234.241.1899
> 69.90.78.43.445: [|tcp]</div>
<div>3. 006367 rule 67/0(match): block in on vr1:
77.34.234.241.1899
> 69.90.78.43.445: [|tcp]</div>
<div>20. 274886 rule 67/0(match): block in on vr1:
66.211.120.62.1132
> 69.90.78.55.445: [|tcp]</div>
<div>2. 893859 rule 67/0(match): block in on vr1:
66.211.120.62.1132
> 69.90.78.55.445: [|tcp]</div>
<div>28. 739620 rule 67/0(match): block in on vr1:
117.197.247.151.1042 > 69.90.78.55.445: [|tcp]</div>
<div>2. 936286 rule 67/0(match): block in on vr1:
117.197.247.151.1042 > 69.90.78.55.445: [|tcp]</div>
<div>1. 207250 rule 67/0(match): block in on vr1:
118.171.176.188.42965 > 69.90.78.43.445: [|tcp]</div>
<div>3. 015370 rule 67/0(match): block in on vr1:
118.171.176.188.42965 > 69.90.78.43.445: [|tcp]</div>
<div>7. 088359 rule 67/0(match): block in on vr1: 61.130.103.10
> <a moz-do-not-send="true" href="http://69.90.78.42"
target="_blank">69.90.78.42</a>:
[|icmp]</div>
<div>11. 825521 rule 67/0(match): block in on vr1:
71.100.221.211.4521 > 69.90.78.33.445: [|tcp]</div>
<div>2. 316564 rule 67/0(match): block in on vr1: 61.130.103.10
> <a moz-do-not-send="true" href="http://69.90.78.42"
target="_blank">69.90.78.42</a>:
[|icmp]</div>
<div>626845 rule 67/0(match): block in on vr1:
71.100.221.211.4521
> 69.90.78.33.445: tcp 20 [bad hdr length 8 - too short, < 20]</div>
<div>5. 041794 rule 67/0(match): block in on vr1:
95.224.51.107.1378
> 69.90.78.48.1434: UDP, length 376</div>
<div>8. 978999 rule 67/0(match): block in on vr1:
221.132.34.165.33556 > 69.90.78.53.52229: [|tcp]</div>
<div>8. 067764 rule 67/0(match): block in on vr1:
117.22.229.187.2882
> 69.90.78.36.1434: UDP, length 376</div>
<div>7. 936396 rule 67/0(match): block in on vr1:
117.211.83.182.1919
> 69.90.78.59.445: [|tcp]</div>
<div>2. 890145 rule 67/0(match): block in on vr1:
117.211.83.182.1919
> 69.90.78.59.445: [|tcp]</div>
<div>4. 611658 rule 67/0(match): block in on vr1:
61.32.84.165.2561
> 69.90.78.43.445: [|tcp]</div>
<div>007399 rule 67/0(match): block in on vr1: 69.39.235.5.5060
>
69.90.78.40.5060: SIP, length: 403</div>
<div>2. 932101 rule 67/0(match): block in on vr1:
61.32.84.165.2561
> 69.90.78.43.445: [|tcp]</div>
<div>14. 157570 rule 67/0(match): block in on vr1:
83.239.20.74.3191
> 69.90.78.54.445: [|tcp]</div>
<div>2. 229645 rule 67/0(match): block in on vr1:
75.97.10.248.2556
> 69.90.78.54.445: [|tcp]</div>
<div>773124 rule 67/0(match): block in on vr1: 83.239.20.74.3191
>
69.90.78.54.445: [|tcp]</div>
<div>2. 102083 rule 67/0(match): block in on vr1:
75.97.10.248.2556
> 69.90.78.54.445: [|tcp]</div>
<div>6. 378646 rule 67/0(match): block in on vr1:
114.42.222.45.31689
> 69.90.78.39.445: [|tcp]</div>
<div>2. 950717 rule 67/0(match): block in on vr1:
114.42.222.45.31689
> 69.90.78.39.445: [|tcp]</div>
<div>6. 111112 rule 67/0(match): block in on vr1:
186.122.147.6.32221
> 69.90.78.45.445: [|tcp]</div>
<div>3. 608465 rule 67/0(match): block in on vr1:
186.122.147.6.32221
> 69.90.78.45.445: [|tcp]</div>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks,</div>
<div><br>
</div>
</blockquote>
</div>
</div>
In cases like this, always find out what service might be targeted.
What's on TCP port 445? Microsoft Directory Services.<br>
<br>
Enough said. The script kiddies have a new tool to play with to break
into Microsoft-based systems...<br>
<br>
Lyle<br>
<br>
</div>
<br>
--<br>
asterisk-users mailing list<br>
</blockquote>
</div>
<br>
</div>
</blockquote>
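<br>
Lyle's advice above (work out which service the blocked traffic is aimed at) can be applied mechanically to the pfSense filter-log output quoted in the thread. The following is an added example, not code from the thread or from pfSense: it parses lines in the same tcpdump/pflog format, tallies blocked inbound hits per destination port together with the number of distinct sources behind each port, and tolerates the truncated "[|tcp]" and "bad hdr length" decodes that appear in the log. The sample lines and the SERVICES port table are constructed for this example; the addresses are RFC 5737 documentation ranges.<br>

```python
import re
from collections import Counter, defaultdict

# Constructed sample in pfSense's "option 10" (tcpdump on pflog0) format; RFC 5737 addresses.
SAMPLE = """\
tcpdump: listening on pflog0, link-type PFLOG (OpenBSD pflog file), capture size 96 bytes
2.867707 rule 70/0(match): block in on vr1: 203.0.113.7.4155 > 198.51.100.62.445: tcp 28 [bad hdr length 0 - too short, < 20]
1.574556 rule 70/0(match): block in on vr1: 203.0.113.9.1341 > 198.51.100.43.445: [|tcp]
5.041794 rule 67/0(match): block in on vr1: 203.0.113.21.1378 > 198.51.100.48.1434: UDP, length 376
0.007399 rule 67/0(match): block in on vr1: 203.0.113.5.5060 > 198.51.100.40.5060: SIP, length: 403
7.088359 rule 67/0(match): block in on vr1: 203.0.113.10 > 198.51.100.42: [|icmp]
""".splitlines()

# Hypothetical port-to-service table covering the ports named in the thread.
SERVICES = {445: "microsoft-ds (SMB)", 1434: "ms-sql-m (SQL Server)", 5060: "sip"}
# rule N/M(match): ACTION DIR on IFACE: SRC[.PORT] > DST[.PORT]: DETAIL
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>\w+) (?P<dir>in|out) on (?P<iface>\w+): "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<detail>.*)$")

def parse_line(line):
    """Parse one pflog line; return None for tcpdump banner/warning lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    d = rec["detail"].lower()
    # "[|tcp]" / "bad hdr length" mean the 96-byte snaplen cut the header off;
    # the 5-tuple is intact, which is all that port-based triage needs.
    rec["proto"] = ("tcp" if "tcp" in d else "udp" if "udp" in d or d.startswith("sip")
                    else "icmp" if "icmp" in d else "other")
    rec["truncated"] = "[|" in d or "too short" in d
    rec["dport"] = int(rec["dport"]) if rec["dport"] else None
    return rec

def summarize(lines):
    """Count blocked inbound hits per (proto, dport) and distinct sources behind each."""
    hits, sources = Counter(), defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] == "block" and rec["dir"] == "in":
            key = (rec["proto"], rec["dport"])
            hits[key] += 1
            sources[key].add(rec["src"])
    return hits, sources

def report(lines):
    """Rows of (proto, dport, service, hits, distinct sources), busiest port first."""
    hits, sources = summarize(lines)
    return [(p, d, SERVICES.get(d, "?") if d else "-", n, len(sources[(p, d)]))
            for (p, d), n in hits.most_common()]
```

Feed it the saved output of the pflog tcpdump session (one line per packet) and the busiest row tells you which service the probes are after; a port with many distinct sources is scanning noise rather than one misbehaving peer.<br>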
<br>
</body>
</html>