
Re: who is trying to connect to my port 80?



On Sat, 8 Sep 2001 20:01:50 -0700 (PDT) Hyung Kim <spok_1 yahoo com>
imparted to us:

> 
> I have an ADSL connection at home with an ipchains
> firewall.  Several times a day, I get dozens of
> entries in /var/log/messages stating that connection
> attempts to my port 80 have been rejected.  These are
> not full portscans.  Can anyone tell me who might be
> doing this?  I am not running an http server.
> 
> Some of the source IPs are listed below:
> 64.167.239.161:4073
> 64.109.175.172:3039
> 64.109.179.176:1137
> 
> Is this something I should be concerned about?  Thanks

Using whois:

$ whois -h whois.arin.net 64.167.239.161
Pacific Bell Internet Services,Inc. (NETBLK-PBI-NET-8) PBI-NET-8   64.160.0.0 - 64.175.255.255
SCRM01 ADSL Rback10 PPPoX (NETBLK-SBCIS-1001117-122240) SBCIS-1001117-122240   64.167.236.0 - 64.167.239.255

To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

So, if your ADSL is being provided by PACBELL, they're probably probing
for servers (in this example) to see if you have any. If you have
service with somebody else, you could be getting hit by CodeRed or
something else. If CodeRed or SirCam or one of those of that type,
nothing to worry about.

Here's another which will cover the other addresses and may be more or
less significant:

$ whois -h whois.arin.net 64.109.175.172
Ameritech (NETBLK-NET-AIT-ADSL1)NET-AIT-ADSL1      64.108.0.0 - 64.109.255.255
PPPoX Pool4 - Rback1 (NETBLK-SBCIS-1001212-143052) SBCIS-1001212-143052   64.109.168.0 - 64.109.175.255

To single out one record, look it up with "!xxx", where xxx is the
handle, shown in parenthesis following the name, which comes first.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

Same thing as above applies. Except this time it's Ameritech that owns
the addresses. They may be scanning for services.

If the only port you're getting hit on is 80, it isn't a portscan. The
only thing anybody could ascertain by scanning port 80 is that you have
or don't have a server running, what server type of software and whether
or not you use Linux. If they still aren't trying to hit you on telnet
or lpr or nameserver ports (plus a few more), they aren't likely looking
for weak spots to start trouble.

-- 
What we really need is a moment of science in public schools.
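
Added example, not part of the original message: a small Python triage of ipchains log entries that groups rejected packets by source and separates single-port probes (like the port 80 hits in the question) from sources that also try telnet, nameserver or lpr ports. The log lines are constructed; the hostname gw, interface ppp0, destination 192.0.2.10, source 198.51.100.7 and the threshold of 3 ports are assumptions.

```python
import re
from collections import defaultdict

# Layout of an ipchains "-l" kernel log entry:
#   Packet log: <chain> <action> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> ...
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample. The first three sources are the ones quoted in the post;
# everything else (host, times, destination, 198.51.100.7) is made up.
SAMPLE_LOG = """\
Sep  8 19:58:02 gw kernel: Packet log: input REJECT ppp0 PROTO=6 64.167.239.161:4073 192.0.2.10:80 L=48 S=0x00 I=4211 F=0x4000 T=113 SYN (#7)
Sep  8 19:58:05 gw kernel: Packet log: input REJECT ppp0 PROTO=6 64.167.239.161:4073 192.0.2.10:80 L=48 S=0x00 I=4212 F=0x4000 T=113 SYN (#7)
Sep  8 19:58:11 gw kernel: Packet log: input REJECT ppp0 PROTO=6 64.167.239.161:4073 192.0.2.10:80 L=48 S=0x00 I=4213 F=0x4000 T=113 SYN (#7)
Sep  8 20:14:40 gw kernel: Packet log: input REJECT ppp0 PROTO=6 64.109.175.172:3039 192.0.2.10:80 L=48 S=0x00 I=911 F=0x4000 T=110 SYN (#7)
Sep  8 20:31:09 gw kernel: Packet log: input REJECT ppp0 PROTO=6 64.109.179.176:1137 192.0.2.10:80 L=48 S=0x00 I=377 F=0x4000 T=110 SYN (#7)
Sep  8 20:40:00 gw pppd[312]: rcvd [LCP EchoReq id=0x4]
Sep  8 21:02:17 gw kernel: Packet log: input REJECT ppp0 PROTO=6 198.51.100.7:2201 192.0.2.10:23 L=44 S=0x00 I=100 F=0x0000 T=52 SYN (#7)
Sep  8 21:02:17 gw kernel: Packet log: input REJECT ppp0 PROTO=6 198.51.100.7:2202 192.0.2.10:53 L=44 S=0x00 I=101 F=0x0000 T=52 SYN (#7)
Sep  8 21:02:18 gw kernel: Packet log: input REJECT ppp0 PROTO=6 198.51.100.7:2203 192.0.2.10:80 L=44 S=0x00 I=102 F=0x0000 T=52 SYN (#7)
Sep  8 21:02:18 gw kernel: Packet log: input REJECT ppp0 PROTO=6 198.51.100.7:2204 192.0.2.10:515 L=44 S=0x00 I=103 F=0x0000 T=52 SYN (#7)
"""

def summarize(log_text, scan_threshold=3):
    """Per source: blocked-packet count, distinct destination ports, and a label."""
    ports = defaultdict(set)
    hits = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        # Skip non-firewall lines and anything the chain did not block.
        if not m or m["action"] not in ("REJECT", "DENY"):
            continue
        ports[m["src"]].add(int(m["dport"]))
        hits[m["src"]] += 1
    report = {}
    for src, seen in ports.items():
        # Repeated hits on one port are retries or a worm-style probe;
        # many distinct ports from one source is what a port sweep looks like.
        kind = "multi-port sweep" if len(seen) >= scan_threshold else "single-service probe"
        report[src] = {"hits": hits[src], "ports": sorted(seen), "kind": kind}
    return report

if __name__ == "__main__":
    for src, info in sorted(summarize(SAMPLE_LOG).items()):
        print(src, info)
```

Feeding it the real /var/log/messages contents in place of SAMPLE_LOG gives the list of sources to look up with whois as shown above.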




