Connection attempts from another Linode?

I installed a firewall with logging implemented tonight. When I did a cursory check of the logs, I saw an IP that looked very similar to my own Linode IP, and when I did a whois, it resolved to HE. I'll not post the IP.

The IP in question was trying to connect via port 135, which is related to epmap services (I'll look that up later).

I'm wondering if this is regular activity. Since I don't normally scrutinize traffic from/to my Linode beyond periodical tcpdumps, I'm a bit aloof here.

4 Replies

Interesting. Port 135 is also associated with a Windows DCOM RPC exploit. The Blaster worm is an example of something that took advantage of it. Odd that you'd be seeing probes from a linode on that port.

Yeah, I also thought this. Below is what I saw (but I'll X out my IP):

Feb 21 23:42:58 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=fe:fd:42:a0:8d:1e:00:b0:4a:6c:76:53:08:00 SRC=66.160.179.133 DST=XX.XXX.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=9883 DF PROTO=TCP SPT=1841 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0

Resolves to:

66.160.179.133

Blacklist Status: Clear

Record Type: IP Address

IP Location: United States - California - San Jose - Cooplabs Inc

Reverse IP: No websites hosted using this IP address

Reverse DNS: cust-66-160-179-133.static.pcwi.net

------------------------------------------------------------------------------

Hurricane Electric HURRICANE-7 (NET-66-160-128-0-1)

66.160.128.0 - 66.160.207.255

Cooplabs Inc HURRICANE-CE1505-491 (NET-66-160-179-0-1)

66.160.179.0 - 66.160.179.255

I'm wondering if this is a non-Linode HE device.

Cooplabs is an ISP based in San Jose, where HE has a large facility. The RDNS points to Pacific Coast Wireless Internet, whose coverage area is just south-east of San Jose. HE probably supply connectivity to these people.

Feb 22 22:00:20 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:42:a0:8d:1e:00:b0:4a:6c:76:53:08:00 SRC=66.160.179.133 DST=XX.XXX.XXX.XX LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=56908 DF PROTO=TCP SPT=4033 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0

Seeing port 445 traffic now. Of course, I blocked the IP not long ago.

pclissold, thanks for pointing out that this isn't some host at the HE facility.
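The two kernel LOG lines in this thread are in the standard iptables/netfilter LOG format, which is easy to parse per source host. The following is an added example (not from the thread or from Linode) that extracts SRC/DPT/TTL from such lines, groups connection attempts by source, flags sources that probe the Windows RPC/SMB ports 135 and 445, and applies the usual TTL heuristic (initial TTL 128 for Windows, 64 for Linux/BSD) to guess the probing host's OS; the sample log lines and the 192.0.2.x/198.51.100.x addresses are constructed, and the third line is a fabricated non-Windows SSH attempt for contrast.

```python
import re
from collections import defaultdict

# Constructed sample in the same format as the lines posted in the thread
# (DST and the third source address are documentation/placeholder addresses).
SAMPLE_LOG = """\
Feb 21 23:42:58 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=fe:fd:42:a0:8d:1e:00:b0:4a:6c:76:53:08:00 SRC=66.160.179.133 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=9883 DF PROTO=TCP SPT=1841 DPT=135 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 22 22:00:20 starchild kernel: Blocked hosts violation: IN=eth0 OUT= MAC=fe:fd:42:a0:8d:1e:00:b0:4a:6c:76:53:08:00 SRC=66.160.179.133 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=122 ID=56908 DF PROTO=TCP SPT=4033 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
Feb 22 22:05:01 starchild kernel: Connection attempt (PRIV): IN=eth0 OUT= MAC=fe:fd:42:a0:8d:1e:00:b0:4a:6c:76:53:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

# Ports that worm-style scanners for Windows RPC/SMB services probe.
WINDOWS_SERVICE_PORTS = {135: "epmap / DCOM RPC", 445: "microsoft-ds / SMB"}

KV_RE = re.compile(r"(\w+)=(\S*)")                  # KEY=value tokens, KEY= may be empty (OUT=)
PREFIX_RE = re.compile(r"kernel: (?P<prefix>.*?): IN=")  # the --log-prefix text

def parse_line(line):
    """Return a dict of the interesting fields of one netfilter LOG line, or None."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    f = dict(KV_RE.findall(line))
    return {"prefix": m.group("prefix"), "src": f.get("SRC"), "dst": f.get("DST"),
            "proto": f.get("PROTO"), "dport": int(f["DPT"]) if "DPT" in f else None,
            "ttl": int(f["TTL"]) if "TTL" in f else None, "syn": " SYN " in line}

def guess_os_from_ttl(ttl):
    """Heuristic only: initial TTL 64 (Linux/BSD) or 128 (Windows), minus hops travelled."""
    if ttl is None:
        return "unknown"
    if ttl <= 64:
        return "likely Linux/Unix (initial TTL 64)"
    if ttl <= 128:
        return "likely Windows (initial TTL 128)"
    return "other (initial TTL 255)"

def summarize(log_text):
    """Group new inbound TCP connection attempts (SYN) by source and flag RPC/SMB probing."""
    by_src = defaultdict(lambda: {"ports": set(), "ttls": set(), "events": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["syn"]:
            continue  # ignore non-LOG lines and non-SYN packets
        e = by_src[rec["src"]]
        e["ports"].add(rec["dport"]); e["ttls"].add(rec["ttl"]); e["events"] += 1
    report = {}
    for src, e in by_src.items():
        hits = sorted(p for p in e["ports"] if p in WINDOWS_SERVICE_PORTS)
        report[src] = {"events": e["events"], "ports": sorted(e["ports"]),
                       "windows_rpc_smb_probe": bool(hits),
                       "probed_services": [WINDOWS_SERVICE_PORTS[p] for p in hits],
                       "os_guess": guess_os_from_ttl(max(e["ttls"]))}
    return report
```

Running `summarize(SAMPLE_LOG)` on the thread's pattern reports the one source hitting both 135 and 445 with a TTL consistent with a Windows host, which is what a worm-infected Windows machine on a neighbouring network looks like from the receiving end.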
