Security Incidents mailing list archives
Re: web related oddity
From: poptix () HYDROGEN POPTIX NET (Matthew S. Hallacy)
Date: Wed, 8 Mar 2000 05:11:10 -0600
Hello,

This morning while browsing through syslog I noticed this:

Logs are CST

Mar 8 03:06:04 venus PAM_pwdb[26675]: check pass; user unknown
Mar 8 03:06:04 venus PAM_pwdb[26676]: check pass; user unknown
Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed
Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed
Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed

ipchains logs from one of the other machines:

Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=48 S=0x00 I=54697 F=0x4000 T=115 SYN (#14)
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=40 S=0x00 I=57001 F=0x4000 T=115 (#14)
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=74 S=0x00 I=8618 F=0x4000 T=115 (#14)
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=58 S=0x00 I=11178 F=0x4000 T=115 (#14)

Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999

I received the same exact scan on 2 other machines, firewall logs show that only port 21 was attempted, there was no other traffic from this host and this was the only /24 that was scanned. (that we own)

Just curious if anyone else had been scanned for something similar, I can reproduce this by having a failed login, then sending IDLE [ton of spaces] <cr>

A curiosity about this, is that depending on how many spaces you send, can determine how many times it sends:

530 Please login with USER and PASS.
inetnum: 212.188.128.0 - 212.188.159.255
netname: SCREAMING-NET
descr: Screaming Free ISP
descr: Froglike ISP, used for Netlink dial customers
descr: London
descr: abuse / hacking reports to abuse () localtel co uk
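
A log check for the pattern described in the message, added here as an example and not part of the original post: it flags ftpd syslog lines whose tag carries a long run of padding before the [pid], and records whether the same PID logged a PAM "user unknown" failure first. The regexes follow the line shapes quoted above (real whitespace or the "[N spaces]" shorthand); the 64-character threshold, the function name and the sample lines with documentation-range addresses are assumptions.

```python
import re
from collections import defaultdict

# Shape taken from the quoted syslog lines:
#   "... ftpd: <ip>: connected: <cmd><padding>[<pid>]: <message>"
# Padding is either real whitespace or the post's "[N spaces]" shorthand.
FTPD = re.compile(
    r"ftpd: (?P<ip>\d{1,3}(?:\.\d{1,3}){3}): connected: (?P<cmd>\S+)"
    r"(?P<pad>\s*(?:\[(?P<n>\d+) spaces\])?\s*)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
PAM_FAIL = re.compile(r"PAM_pwdb\[(?P<pid>\d+)\]: check pass; user unknown")
PAD_THRESHOLD = 64  # assumed cut-off; tune to what your ftpd normally logs


def find_padded_sessions(lines, threshold=PAD_THRESHOLD):
    """Return {ip: {pid: {"pad", "failed_login", "lines"}}} for padded ftpd tags."""
    failed = set()             # PIDs that already logged a PAM "user unknown"
    hits = defaultdict(dict)
    for line in lines:
        m = PAM_FAIL.search(line)
        if m:
            failed.add(m["pid"])
            continue
        m = FTPD.search(line)
        if not m:
            continue
        pad = int(m["n"]) if m["n"] else len(m["pad"])
        if pad < threshold:
            continue           # ordinary process title, nothing to report
        rec = hits[m["ip"]].setdefault(
            m["pid"], {"pad": 0, "failed_login": m["pid"] in failed, "lines": 0})
        rec["pad"] = max(rec["pad"], pad)
        rec["lines"] += 1
    return dict(hits)


# Constructed sample input modelled on the quoted log format (not real traffic).
SAMPLE = [
    "Mar 8 03:06:04 venus PAM_pwdb[26675]: check pass; user unknown",
    "Mar 8 03:06:20 venus ftpd: 192.0.2.10: connected: IDLE" + " " * 531
    + "[26675]: FTP session closed",
    "Mar 8 03:06:20 venus ftpd: 192.0.2.10: connected: IDLE" + " " * 531
    + "[26675]: FTP session closed",
    "Mar 8 03:06:21 venus ftpd: 192.0.2.10: connected: IDLE [531 spaces] "
    "[26676]: FTP session closed",
    "Mar 8 03:07:02 venus ftpd: 198.51.100.7: connected: IDLE[26701]: FTP session closed",
]

if __name__ == "__main__":
    for ip, pids in find_padded_sessions(SAMPLE).items():
        for pid, rec in pids.items():
            print(ip, pid, rec)
```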