Security Incidents mailing list archives

First China, now Russia?


From: jgeyer () POSTALINNOVATIONS COM (Joseph Geyer)
Date: Sun, 30 Jan 2000 15:13:32 -0500


I've been getting scanned quite frequently from China (I basically have the entire country blackholed now).  Now they are coming from Russia.  The curious thing is, they are using very interesting destination ports.  Here, take a look:

Jan 29 08:46:20 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1569 x.x.x.x:79 L=48 S=0x00 I=25037 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:20 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1570 x.x.x.x:109 L=48 S=0x00 I=25046 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:21 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1573 x.x.x.x:118 L=48 S=0x00 I=25062 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:21 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1574 x.x.x.x:139 L=48 S=0x00 I=25063 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:21 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1575 x.x.x.x:143 L=48 S=0x00 I=25064 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:21 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1576 x.x.x.x:224 L=48 S=0x00 I=25065 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:21 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1577 x.x.x.x:515 L=48 S=0x00 I=25066 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:23 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1569 x.x.x.x:79 L=48 S=0x00 I=25179 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:23 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1570 x.x.x.x:109 L=48 S=0x00 I=25180 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:24 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1576 x.x.x.x:224 L=48 S=0x00 I=25195 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:24 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1573 x.x.x.x:118 L=48 S=0x00 I=25196 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:24 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1577 x.x.x.x:515 L=48 S=0x00 I=25197 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:24 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1574 x.x.x.x:139 L=48 S=0x00 I=25198 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:24 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1575 x.x.x.x:143 L=48 S=0x00 I=25199 F=0x4000 T=112 SYN (#20)

I understand what some of these ports could have listening on them, but I haven't seen anything that would run on ports 515, 118, 224, or 109.  Anyone have a clue what this idiot could be looking for?  I know port 109 is POP2, but who still uses POP2??  I also know that 515 is commonly used for the printer and I could see a potential for a problem there.  But 118 and 224 still have me baffled.

-Joe
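A small detector for the ipchains "Packet log" format shown in the post above, added here as an example and not part of the original message: it parses denied TCP SYNs per source and flags any source that hits several distinct destination ports within the log, which is the sweep pattern the post's lines show. The sample lines are constructed from the post's format (the second source is invented), and the service-name table is an assumption filled from the IANA port registry.

```python
import re
from collections import defaultdict

# Constructed sample in the ipchains "Packet log" format quoted in the post, plus one invented single-port hit.
SAMPLE_LOG = """\
Jan 29 08:46:20 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1569 x.x.x.x:79 L=48 S=0x00 I=25037 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:20 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1570 x.x.x.x:109 L=48 S=0x00 I=25046 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:21 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1577 x.x.x.x:515 L=48 S=0x00 I=25066 F=0x4000 T=112 SYN (#20)
Jan 29 08:46:23 defiant kernel: Packet log: input DENY eth0 PROTO=6 212.57.148.66:1569 x.x.x.x:79 L=48 S=0x00 I=25179 F=0x4000 T=112 SYN (#20)
Jan 29 08:50:02 defiant kernel: Packet log: input DENY eth0 PROTO=6 10.9.8.7:4321 x.x.x.x:80 L=48 S=0x00 I=31000 F=0x4000 T=64 SYN (#20)
"""

# Fields of one ipchains log line: timestamp, chain, verdict, interface, protocol number, src ip:port, dst ip:port; flags follow.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) (?P<rest>.*)$"
)

# Assumed service names for the probed ports, taken from the IANA registry (not from the post).
SERVICE_NAMES = {79: "finger", 109: "pop2", 118: "sqlserv", 139: "netbios-ssn",
                 143: "imap", 224: "masqdialer", 515: "printer"}

def parse_line(line):
    """Return a dict of fields for one Packet log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["syn"] = "SYN" in rec.pop("rest").split()   # ipchains appends SYN when that flag is set
    return rec

def port_sweeps(log_text, min_ports=3):
    """Map each source that sent denied TCP SYNs to at least min_ports distinct ports -> sorted ports."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["verdict"] == "DENY" and rec["proto"] == 6 and rec["syn"]:
            seen[rec["src"]].add(rec["dport"])
    return {src: sorted(ports) for src, ports in seen.items() if len(ports) >= min_ports}

def describe(sweeps):
    """Label each probed port with its registered service name, or 'unknown'."""
    return {src: [f"{p}/{SERVICE_NAMES.get(p, 'unknown')}" for p in ports]
            for src, ports in sweeps.items()}

print(describe(port_sweeps(SAMPLE_LOG)))  # report for the constructed sample when run stand-alone
```

Feed it the real kernel log instead of SAMPLE_LOG and raise min_ports to taste; repeated hits on the same port (the two 79 and 109 entries) count once, so retries do not inflate the sweep size.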
