July 4th, 2004, 01:23 AM
Ok, first off, I use firestarter firewall, and for quite some time the only hits I would get would be from my roommate's computer, on ports 137 (netbios-ns) and 138 (netbios-dgm).
Well, a few days ago I noticed that I have been getting quite a few hits from seemingly random IPs all in the same IP range and timeframe, all to ports that are in the upper 30,000's. After whois-ing these IPs, they all came from the same network in Utah. I live in Illinois and don't know anybody there.
There was one hit that wasn't in that range and had a service with it; it was to port 33270 (trinity v3). After googling, it turns out that trinity v3 is an old-er DDoS attack (Trinity v3 is also a neat old synth keyboard). I was surprised to see that this DDoS is still being used. Anyways, a new hit came from my roommate's computer, and this one was to port 520 (firestarter said it was the router service). Now, I don't know anything about the router service, but I thought that it was strange that it was coming from his computer. So I chose to block and stop logging all of these ports that have been hitting me.
Today I decided to nmap myself, and usually I only have two open ports, ssh and rpcbind. The three ports that I blocked from my roommate's computer came up as filtered (normal), but nmap said that port 520 is the efs service. Is this some sort of filesystem?
Does anybody know what the router/efs service is? Google seems to puke at me when I search for either of these.
Today, I was checking my logs and I found this one in my security log:
Jun 30 18:53:51 localhost sshd: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
I can't figure out what caused this and I don't know how to fix it. Anybody know what this means? It seems like someone is messing w/ us, but it could all be just a big coincidence.
Any info would be much appreciated.
-I'm having fun w/ these smilies.
I believe in making the world safe for our children, but not our children's children, because I don't think children should be having sex. -- Jack Handey
July 5th, 2004, 01:02 AM
Bookmark this page, it's a list of all the ports.
The fact that you're seeing both a routing service and efs on the same port is because one is TCP and one is UDP.
Beyond that, without looking at your firewall logs, it's hard to say exactly what is going on. 0.0.0.0 is used either as a 'match exactly' address or an 'unknown' address, depending on whether you're talking routing or access lists. So that's a bit funny too. If I was to take a wild-ass swing at the fence though, my guess is that someone is trying to mess with you.
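Two points from this thread, reproduced as an added example (not code posted by either participant): a second TCP bind to a port that already has a listener fails with the same "Address already in use" error that sshd logged, and TCP and UDP keep separate port tables, which is why port 520 can carry two different service names. It uses a kernel-chosen unprivileged port instead of 22 or 520; `try_bind` and `demo` are names made up for this sketch.

```python
import errno
import socket


def try_bind(port, kind, host="0.0.0.0"):
    """Try to bind host:port. Return (socket, None) or (None, errno name)."""
    s = socket.socket(socket.AF_INET, kind)
    try:
        # In bind(), 0.0.0.0 is the wildcard address: every local IPv4 interface.
        s.bind((host, port))
        if kind == socket.SOCK_STREAM:
            s.listen(1)
        return s, None
    except OSError as e:
        s.close()
        return None, errno.errorcode.get(e.errno, str(e.errno))


def demo():
    """Reproduce the bind conflict and show TCP/UDP port independence."""
    results = {}
    opened = []

    # Stand-in for the process that already owns the port (port 0 = kernel picks).
    first, _ = try_bind(0, socket.SOCK_STREAM)
    opened.append(first)
    port = first.getsockname()[1]

    # A second daemon starting on the same TCP port: this is the sshd log line.
    sock, results["tcp_again"] = try_bind(port, socket.SOCK_STREAM)
    opened.append(sock)

    # Binding one specific address also fails, because the wildcard covers it.
    sock, results["tcp_loopback"] = try_bind(port, socket.SOCK_STREAM, "127.0.0.1")
    opened.append(sock)

    # Same port number over UDP: a different table, so no conflict.
    sock, results["udp_same_number"] = try_bind(port, socket.SOCK_DGRAM)
    opened.append(sock)

    for s in opened:
        if s is not None:
            s.close()
    return results


if __name__ == "__main__":
    for name, err in demo().items():
        print(f"{name}: {err or 'bound OK'}")
```

On the affected machine, the useful follow-up to that log line is to list which process currently holds the TCP listener on port 22 and confirm it is the expected sshd.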