barteh
Member
Registered: 18th Jan 05
User status: Offline
|
Right, I'm a bit worried about this, so I thought I'd ask for an opinion.
The network at work is behind a router, which has port forwarding on, just to go to one PC.
This one PC is an email server. The forwarding allows people to access the email server from home and read/write emails etc.
Just checking the logs on the router, there is way too much action going on, take a look:
Thu, 2005-02-03 15:33:37 - TCP Packet - Source:69.155.117.240,61641 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:33:37 - Send E-mail Success!
Thu, 2005-02-03 15:33:39 - TCP Packet - Source:69.155.117.240,4431 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:33:40 - TCP Packet - Source:216.146.70.114,3257 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:341 - TCP Packet - Source:69.155.117.240,1659 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:341 - TCP Packet - Source:69.155.117.240,60791 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:346 - TCP Packet - Source:69.155.117.240,1863 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:346 - TCP Packet - Source:69.155.117.240,61169 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:34:31 - UDP Packet - Source:212.59.3.94,1027 Destination:192.168.0.99,137 - [Any(ALL) match]
Thu, 2005-02-03 15:34:32 - TCP Packet - Source:212.59.3.94,3135 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:34:33 - TCP Packet - Source:69.155.117.240,3020 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:34:33 - TCP Packet - Source:69.155.117.240,61030 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:34:36 - TCP Packet - Source:69.155.117.240,3145 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:34:40 - TCP Packet - Source:69.155.117.240,3354 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:34:44 - UDP Packet - Source:66.238.253.123,34485 Destination:192.168.0.99,1027 - [Any(ALL) match]
Thu, 2005-02-03 15:34:44 - UDP Packet - Source:66.238.253.123,34485 Destination:192.168.0.99,1026 - [Any(ALL) match]
Thu, 2005-02-03 15:34:45 - TCP Packet - Source:69.155.117.240,3627 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:34:45 - TCP Packet - Source:69.155.117.240,61759 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:35:16 - TCP Packet - Source:69.155.117.240,1379 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:35:40 - TCP Packet - Source:193.77.138.184,39506 Destination:192.168.0.99,11061 - [Any(ALL) match]
Thu, 2005-02-03 15:35:42 - TCP Packet - Source:216.146.70.114,3505 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:366 - TCP Packet - Source:69.155.117.240,3212 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:366 - TCP Packet - Source:69.155.117.240,60117 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:368 - TCP Packet - Source:69.155.117.240,3452 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:368 - TCP Packet - Source:69.155.117.240,60474 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:36:10 - TCP Packet - Source:69.155.117.240,3565 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:36:10 - TCP Packet - Source:69.155.117.240,60586 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:36:14 - TCP Packet - Source:69.155.117.240,3728 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:36:14 - TCP Packet - Source:69.155.117.240,60817 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:36:46 - TCP Packet - Source:69.155.117.240,1164 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:36:46 - TCP Packet - Source:69.155.117.240,61846 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:36:47 - UDP Packet - Source:222.208.168.126,49702 Destination:192.168.0.99,1026 - [Any(ALL) match]
Thu, 2005-02-03 15:36:47 - UDP Packet - Source:222.208.168.126,46509 Destination:192.168.0.99,1026 - [Any(ALL) match]
Thu, 2005-02-03 15:36:47 - UDP Packet - Source:222.208.168.126,49574 Destination:192.168.0.99,1027 - [Any(ALL) match]
Thu, 2005-02-03 15:36:47 - UDP Packet - Source:222.208.168.126,46509 Destination:192.168.0.99,1027 - [Any(ALL) match]
Thu, 2005-02-03 15:374 - TCP Packet - Source:216.146.70.114,3505 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:375 - TCP Packet - Source:216.146.70.114,3655 Destination:192.168.0.99,139 - [Any(ALL) match]
Can anyone shed any light on this?
:-s
|
barteh
Member
Registered: 18th Jan 05
User status: Offline
|
where 192.168.0.99 is the server.
|
Dom
Member
Registered: 13th Sep 03
User status: Offline
|
Someone probably did an IP/port scan, or a worm is trying to access... as long as they were blocked I wouldn't worry about it mate
although do a lookup on ports 139, 1026 (to 9) and see what uses them etc
|
Ian
Site Administrator
Registered: 28th Aug 99
Location: Liverpool
User status: Offline
|
Port 139 shouldn't be in there, close it.
|
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
User status: Offline
|
People scanning for port 139 open I'd guess, which is NetBIOS I think
basically scanning for open shares.
|
Tim
Site Administrator
Registered: 21st Apr 00
User status: Offline
|
Yup, 139/tcp is NetBIOS (used in network shares) and 1026/1027/udp is the Messenger service (not MSN, but the thing that pops up messages on your screen -- you might have seen it on some office networks when your print job has finished it tells you, etc, etc)...
Why are they open? If it's just email, just open port 25/tcp (smtp) and 110/tcp (if you wanna allow pop3 for outside)
|
|
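An added example, not part of the original thread: a small Python parser for the router log format pasted in the first post. It reports every protocol/port pair that reaches the server but is not one of the services the thread says should be forwarded (25/tcp and 110/tcp). The sample lines are constructed, use documentation-range source addresses, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Assumption taken from the thread: only SMTP and POP3 should be forwarded.
INTENDED = {("TCP", 25), ("TCP", 110)}

# Packet lines of the router log format shown in the first post.
# The timestamp is deliberately not parsed: some are mangled in the paste,
# and status lines such as "Send E-mail Success!" must be skipped.
PACKET = re.compile(
    r"- (?P<proto>TCP|UDP) Packet - "
    r"Source:(?P<src>[\d.]+),(?P<sport>\d+) "
    r"Destination:(?P<dst>[\d.]+),(?P<dport>\d+) "
)

def parse(lines):
    """Yield (proto, source_ip, dest_ip, dest_port) for each packet line."""
    for line in lines:
        m = PACKET.search(line)
        if m:
            yield m["proto"], m["src"], m["dst"], int(m["dport"])

def unexpected_services(lines, intended=INTENDED):
    """Return [(proto, port, hits, [sources])] for ports outside `intended`,
    busiest first, so the forwarding rules can be checked against them."""
    hits, sources = Counter(), defaultdict(set)
    for proto, src, _dst, dport in parse(lines):
        key = (proto, dport)
        if key not in intended:
            hits[key] += 1
            sources[key].add(src)
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(p, port, n, sorted(sources[(p, port)])) for (p, port), n in ranked]

# Constructed sample in the same format (not the poster's real entries).
SAMPLE = """\
Thu, 2005-02-03 15:33:37 - TCP Packet - Source:198.51.100.7,61641 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:33:37 - Send E-mail Success!
Thu, 2005-02-03 15:341 - TCP Packet - Source:198.51.100.7,1659 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:34:31 - UDP Packet - Source:203.0.113.20,1027 Destination:192.168.0.99,137 - [Any(ALL) match]
Thu, 2005-02-03 15:34:32 - TCP Packet - Source:203.0.113.20,3135 Destination:192.168.0.99,139 - [Any(ALL) match]
Thu, 2005-02-03 15:34:44 - UDP Packet - Source:192.0.2.55,34485 Destination:192.168.0.99,1026 - [Any(ALL) match]
Thu, 2005-02-03 15:35:02 - TCP Packet - Source:192.0.2.80,2211 Destination:192.168.0.99,25 - [Any(ALL) match]
""".splitlines()

if __name__ == "__main__":
    for proto, port, n, srcs in unexpected_services(SAMPLE):
        print(f"{port}/{proto.lower()}: {n} packets from {', '.join(srcs)}")
```

Any port this reports is a candidate for removal from the router's forwarding rules, as the replies above suggest for 139.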