Security Incidents mailing list archives
Re: Portscanning from 211.42.135.14
From: Max Gribov <mgribov () KPLAB COM>
Date: Mon, 14 Aug 2000 14:20:18 -0400
looks like a sort of a hack attempt, for example, connection to ftpd could indicate ftp exploit attempt, or a scanning tool used for probing for exploits, and so on, but by no means take my word for it. however, i portscanned this machine, and here is what i got:

Starting nmap V. 2.3BETA6 by Fyodor (fyodor () dhp com, www.insecure.org/nmap/)
Interesting ports on (211.42.135.14):
Port    State       Protocol  Service
21      open        tcp       ftp
23      open        tcp       telnet
25      open        tcp       smtp
53      open        tcp       domain
80      open        tcp       http
110     open        tcp       pop-3
113     open        tcp       auth

later on, i connected to http on that machine, and it turned out to be a korean machine. considering how many korean boxes were rooted recently, my best guess would be someone rooted this one, and is using it as a platform for scans/cracks. i think you should contact site administrator of 211.42.135.14 and tell him/her about this. aq () aq co kr is the email address i pulled off their website. have fun reading korean : )

----- Original Message -----
From: Ben Ostrowsky <ostrowb () TBLC ORG>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, August 14, 2000 9:51 AM
Subject: Portscanning from 211.42.135.14
The following attempts appeared in our syslog recently:

Aug 12 04:00:25 snoopy sshd[25585]: log: Connection from 211.42.135.14 port 1339
Aug 12 04:00:25 snoopy sshd[25585]: log: Could not reverse map address 211.42.135.14.
Aug 12 04:00:25 snoopy sshd[25585]: fatal: Did not receive ident string.
Aug 12 04:00:36 snoopy sshd[25592]: log: Connection from 211.42.135.14 port 1349
Aug 12 04:00:36 snoopy sshd[25592]: log: Could not reverse map address 211.42.135.14.
Aug 12 04:01:48 snoopy ftpd[25598]: lost connection to 211.42.135.14 [211.42.135.14]
Aug 12 04:01:48 snoopy sshd[25592]: fatal: Did not receive ident string.
Aug 12 04:00:19 snoopy imapd[25582]: connect from 211.42.135.14
Aug 12 04:00:25 snoopy imapd[25586]: connect from 211.42.135.14
Aug 12 04:00:25 snoopy in.ftpd[25588]: connect from 211.42.135.14
Aug 12 04:00:27 snoopy in.telnetd[25591]: warning: can't get client address: Connection reset by peer
Aug 12 04:01:01 snoopy in.ftpd[25598]: connect from 211.42.135.14
Aug 12 04:01:52 snoopy in.telnetd[25711]: warning: can't get client address: Connection reset by peer
Aug 12 04:00:21 snoopy imapd[25582]: command stream end of file, while reading line user=??? host=[211.42.135.14]
Aug 12 04:00:24 snoopy ipop3d[25583]: Command stream end of file while reading line user=??? host=[211.42.135.14]
Aug 12 04:00:25 snoopy imapd[25586]: command stream end of file, while reading line user=??? host=[211.42.135.14]

I tried 'dig -x 211.42.135.14 soa' but got no useful information. I'm curious: does anyone know who just portscanned us? Does the pattern look familiar?

--
Ben Ostrowsky, Automation Services Technologist
Tampa Bay Library Consortium - http://www.tblc.org/
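The pattern Ben is asking about (one source touching sshd, ftpd, imapd and ipop3d within about ninety seconds, with several connections that send nothing) is what a multi-service probe looks like in syslog. The script below is an added example, not code from either poster: it parses the syslog lines quoted in the post, groups events by source address, and flags any source that reaches three or more distinct services inside a two-minute sliding window. The year (2000, since syslog omits it), the thresholds, the "in." prefix normalisation and the one benign 10.0.0.5 line are assumptions of the example.

```python
"""Flag a multi-service probe from one source in a syslog extract (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Syslog prefix: "Aug 12 04:00:25 host daemon[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<daemon>[\w.\-]+)\[\d+\]: (?P<msg>.*)$"
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Lines quoted from the post, plus one constructed benign line (10.0.0.5)
# so the detector has a single-service source to leave alone.
SAMPLE_LOG = """\
Aug 12 04:00:25 snoopy sshd[25585]: log: Connection from 211.42.135.14 port 1339
Aug 12 04:00:25 snoopy sshd[25585]: log: Could not reverse map address 211.42.135.14.
Aug 12 04:00:25 snoopy sshd[25585]: fatal: Did not receive ident string.
Aug 12 04:00:36 snoopy sshd[25592]: log: Connection from 211.42.135.14 port 1349
Aug 12 04:00:36 snoopy sshd[25592]: log: Could not reverse map address 211.42.135.14.
Aug 12 04:01:48 snoopy ftpd[25598]: lost connection to 211.42.135.14 [211.42.135.14]
Aug 12 04:01:48 snoopy sshd[25592]: fatal: Did not receive ident string.
Aug 12 04:00:19 snoopy imapd[25582]: connect from 211.42.135.14
Aug 12 04:00:25 snoopy imapd[25586]: connect from 211.42.135.14
Aug 12 04:00:25 snoopy in.ftpd[25588]: connect from 211.42.135.14
Aug 12 04:00:27 snoopy in.telnetd[25591]: warning: can't get client address: Connection reset by peer
Aug 12 04:01:01 snoopy in.ftpd[25598]: connect from 211.42.135.14
Aug 12 04:01:52 snoopy in.telnetd[25711]: warning: can't get client address: Connection reset by peer
Aug 12 04:00:21 snoopy imapd[25582]: command stream end of file, while reading line user=??? host=[211.42.135.14]
Aug 12 04:00:24 snoopy ipop3d[25583]: Command stream end of file while reading line user=??? host=[211.42.135.14]
Aug 12 04:00:25 snoopy imapd[25586]: command stream end of file, while reading line user=??? host=[211.42.135.14]
Aug 12 09:15:02 snoopy sshd[26001]: log: Connection from 10.0.0.5 port 40112
"""


def service_name(daemon):
    """tcpd logs "in.ftpd" while the daemon itself logs "ftpd": same service."""
    return daemon[3:] if daemon.startswith("in.") else daemon


def parse_line(line, year=2000):
    """Return (timestamp, service, source_ip), or None when the line carries
    no source address (e.g. telnetd's "can't get client address")."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip = IP_RE.search(m["msg"])
    if not ip:
        return None
    # syslog has no year; 2000 is assumed from the date of the post
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, service_name(m["daemon"]), ip.group(1)


def detect_scans(log_text, min_services=3, window=timedelta(minutes=2), year=2000):
    """Return {src_ip: summary} for every source that reached at least
    min_services distinct services inside some window-long interval."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line, year)
        if ev:
            by_src[ev[2]].append(ev)

    findings = {}
    for src, events in by_src.items():
        events.sort()  # syslog lines in the post are not in time order
        best = set()
        for i, (start, _, _) in enumerate(events):
            hit = {svc for ts, svc, _ in events[i:] if ts - start <= window}
            if len(hit) > len(best):
                best = hit
        if len(best) >= min_services:
            findings[src] = {
                "services": sorted(best),
                "events": len(events),
                "first_seen": events[0][0].isoformat(),
                "last_seen": events[-1][0].isoformat(),
                "span_seconds": int((events[-1][0] - events[0][0]).total_seconds()),
            }
    return findings


if __name__ == "__main__":
    for src, summary in detect_scans(SAMPLE_LOG).items():
        print(src, summary)
```

Two points the output makes visible: the telnetd lines are dropped because they never record the client address, so a detector keyed on source IP undercounts what the scanner actually touched; and "connect from" followed immediately by "end of file" or "Did not receive ident string" is the signature of a banner grab or connect scan rather than a login attempt, which is why the same source shows up on four daemons inside ninety seconds.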
Current thread:
- Portscanning from 211.42.135.14 Ben Ostrowsky (Aug 14)
- Re: Portscanning from 211.42.135.14 Max Gribov (Aug 15)
- Re: Portscanning from 211.42.135.14 Patrick Oonk (Aug 15)
- <Possible follow-ups>
- Re: Portscanning from 211.42.135.14 玉造 光緒 (Aug 15)
- Re: Portscanning from 211.42.135.14 Bill Hayes (Aug 15)
- Re: Portscanning from 211.42.135.14 Bill Royds (Aug 18)