Security Incidents mailing list archives
Probe from UK Provider ?
From: duarte.cordeiro () ARVORE PT (Duarte Cordeiro)
Date: Tue, 18 Jan 2000 20:31:59 -0000
Today some guy over here downloaded something from ftp.fishnet.co.uk, and we started to get these entries in our firewall:

Jan 18 15:48:36 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 1161 <my_ip_addr>:80 L=562 S=0x00 I=58886 F=0x4000 T=109
Jan 18 16:45:05 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 7811 <my_ip_addr>:25 L=562 S=0x00 I=22964 F=0x4000 T=109
Jan 18 16:45:44 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 35303 <my_ip_addr>:25 L=562 S=0x00 I=61876 F=0x4000 T=109
Jan 18 16:45:44 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 35303 <my_ip_addr>:25 L=562 S=0x00 I=61876 F=0x4000 T=109
Jan 18 16:46:21 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 1557 <my_ip_addr>:20 L=562 S=0x00 I=7861 F=0x4000 T=109
Jan 18 16:46:21 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 1557 <my_ip_addr>:20 L=562 S=0x00 I=7861 F=0x4000 T=109
Jan 18 16:46:31 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 4097 <my_ip_addr>:80 L=562 S=0x00 I=26293 F=0x4000 T=109
Jan 18 16:46:31 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 4097 <my_ip_addr>:80 L=562 S=0x00 I=26293 F=0x4000 T=109
Jan 18 16:47:11 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 57514 <my_ip_addr>:80 L=562 S=0x00 I=2486 F=0x4000 T=109
Jan 18 16:56:26 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 2951 <my_ip_addr>:25 L=562 S=0x00 I=65223 F=0x4000 T=109
Jan 18 16:56:26 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 2951 <my_ip_addr>:25 L=562 S=0x00 I=65223 F=0x4000 T=109
Jan 18 16:58:05 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 1333 <my_ip_addr>:80 L=562 S=0x00 I=34508 F=0x4000 T=109
Jan 18 16:58:05 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 1333 <my_ip_addr>:80 L=562 S=0x00 I=34508 F=0x4000 T=109
Jan 18 16:58:11 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 1255 <my_ip_addr>:443 L=562 S=0x00 I=52428 F=0x4000 T=109
Jan 18 16:58:11 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 1255 <my_ip_addr>:443 L=562 S=0x00 I=52428 F=0x4000 T=109
Jan 18 16:58:27 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 2773 <my_ip_addr>:80 L=562 S=0x00 I=46029 F=0x4000 T=109
Jan 18 16:58:27 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 2773 <my_ip_addr>:80 L=562 S=0x00 I=46029 F=0x4000 T=109
Jan 18 16:58:45 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 22 <my_ip_addr>:1023 L=562 S=0x00 I=50382 F=0x4000 T=109
Jan 18 16:58:45 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 22 <my_ip_addr>:1023 L=562 S=0x00 I=50382 F=0x4000 T=109
Jan 18 16:59:19 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 1506 <my_ip_addr>:80 L=562 S=0x00 I=52944 F=0x4000 T=109
Jan 18 16:59:19 gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: 1506 <my_ip_addr>:80 L=562 S=0x00 I=52944 F=0x4000 T=109

There is no service running on my firewall (only ssh to inside interface), but the probe is only made to specific ports...

Regards,
Duarte

Duarte M. Cordeiro                   Internetworking & Comm. Security
mailto:Duarte.Cordeiro () arvore pt  Project Manager
Arvore - Tecnologias de Informacao   Tel: +351 213193000
Av. Miguel Bombarda, 1 - 3 Dto.      Fax: +351 213541676
1000 Lisboa - Portugal               http://www.arvore.pt
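
The "Packet log:" lines quoted in the message above are in the format written by Linux ipchains packet logging (L = IP total length, S = TOS, I = IP ID, F = fragment flags and offset, T = TTL). The parser below is an added example, not part of the original post; it decodes those fields and collapses the doubled entries before counting packets per destination port. The function names and the sample list (four lines copied from the message) are this example's own.

```python
import re
from collections import Counter

# ipchains "Packet log" line. \s* after the source colon tolerates the space
# that appears in the lines as archived on this page.
LINE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):\s*(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) "
    r"I=(?P<ip_id>\d+) F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

def parse(line):
    """Return a dict of decoded fields, or None if the line does not match."""
    m = LINE.search(line)
    if not m:
        return None
    r = m.groupdict()
    for k in ("proto", "sport", "dport", "length", "ip_id", "ttl"):
        r[k] = int(r[k])
    frag = int(r["frag"], 16)
    r["df"] = bool(frag & 0x4000)      # Don't Fragment flag
    r["mf"] = bool(frag & 0x2000)      # More Fragments flag
    r["frag_offset"] = frag & 0x1FFF   # fragment offset, in 8-byte units
    return r

def summarise(lines):
    """Count distinct packets per (src, dport); repeated log entries collapse."""
    seen, counts = set(), Counter()
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        key = (r["src"], r["sport"], r["dport"], r["ip_id"])
        if key not in seen:
            seen.add(key)
            counts[(r["src"], r["dport"])] += 1
    return counts

# Sample input: four entries copied from the message (one is a repeat).
P = "gw kernel: Packet log: input REJECT eth0 PROTO=6 194.159.150.13: "
SAMPLE = [
    "Jan 18 15:48:36 " + P + "1161 <my_ip_addr>:80 L=562 S=0x00 I=58886 F=0x4000 T=109",
    "Jan 18 16:45:44 " + P + "35303 <my_ip_addr>:25 L=562 S=0x00 I=61876 F=0x4000 T=109",
    "Jan 18 16:45:44 " + P + "35303 <my_ip_addr>:25 L=562 S=0x00 I=61876 F=0x4000 T=109",
    "Jan 18 16:58:45 " + P + "22 <my_ip_addr>:1023 L=562 S=0x00 I=50382 F=0x4000 T=109",
]

if __name__ == "__main__":
    for (src, dport), n in sorted(summarise(SAMPLE).items()):
        print(f"{src} -> port {dport}: {n} distinct packet(s)")
```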