--------------------[snip]--------------------
>On Oct 27, 2002, 20:19 (+0100) Wolfgang Pfeiffer wrote:
>
>> that most of these activities is harmless ... but when they
>> explain here:
>> http://www.dshield.org/ports/port137.html
>> that "Windows has the habit of "probing" port 137" I can't relate this
>> to the scanning activities against my machine, because the WWW. pages
>> I try to access seem to be different from the machine that probe me ..
>
>... *most* of them are different ...
>
>For example when I sent my previous message to this list I got
>"probed" (or whatever it is) by 66.187.233.31 on 113: 113 seems to be
>a sendmail port, and the IP seems to be a Redhat one :) ... and I sent
>my message with sendmail ...
>
>/var/log/messages:
>##########################
>[ ... ]
>Oct 27 20:20:00 <machine name> kernel: Packet log: input DENY ppp0
>PROTO=6 66.187.233.31:2947 80.138.166.77:113 L=60 S=0x00 I=56227
>F=0x4000 T=54 SYN (#2)
>Oct 27 20:20:03 <machine name> kernel: Packet log: input DENY ppp0
>PROTO=6 66.187.233.31:2947 80.138.166.77:113 L=60 S=0x00 I=56313
>F=0x4000 T=56 SYN (#2)
>#########################
--------------------[snip]--------------------
Copy/Paste from the SUSE security list:
Date: Sat, 25 Sep 1999 10:29:35 +0200
From: Gerhard Sittig <[EMAIL PROTECTED]>
Subject: Re: [suse-security] Port 113?
On Thu, Sep 23, 1999 at 12:21 +0200, Jochen Lillich wrote:
>
> Our firewall detects (and denies) connections from our external web
> server to our mail servers port 113 (ident). What causes the web
> server to use that port? And should I permit these connections?
:! grep -w 113 /etc/services
auth 113/tcp tap ident authentication
This is usually referenced from the remote host back to you when
you relay mail there. Is there smtp traffic in company with
these events? You might want to log them for investigation.
>O Ernest E. Vogelsinger /~\ The ASCII
(\) ICQ #13394035 \ / Ribbon Campaign
^ X Against
/ \ HTML Email
