Security Incidents mailing list archives

Recon from Pakistan


From: JNelson () CMCCONTROLS COM (CL: Nelson, Jeff)
Date: Tue, 29 Feb 2000 15:14:51 -0500


Good afternoon all,

I was going through yesterday's logs and found we had been scanned via
sunrpc from some individual in Pakistan. Here is a sample of the log:

Feb 28 15:58:51 [1.1.1.1] 4400915: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 63.70.25.75(2666) -> 1.1.1.9(111), 1 packet
Feb 28 16:02:40 [1.1.1.1] 4401657: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 63.70.25.75(2666) -> 1.1.1.19(111), 1 packet
Feb 28 16:04:34 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied
from 63.70.25.75/2666 to 5.5.5.151/111 flags SYN
Feb 28 16:04:35 [1.1.1.1] 4401766: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 63.70.25.75(2666) -> 1.1.1.24(111), 1 packet
Feb 28 16:04:35 [1.1.1.1] 4401768: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 1.1.1.24(111) -> 63.70.25.75(2666), 1 packet
Feb 28 16:06:06 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied
from 63.70.25.75/2666 to 5.5.5.75/111 flags SYN
Feb 28 16:06:07 [1.1.1.1] 4401850: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 63.70.25.75(2666) -> 1.1.1.28(111), 1 packet
Feb 28 16:06:07 [1.1.1.1] 4401852: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 1.1.1.28(111) -> 63.70.25.75(2666), 1 packet
Feb 28 16:11:25 [5.5.5.243] %PIX-7-106011: Deny self route tcp src
outside:63.70.25.75/2666 dst outside:1.1.1.42/111
Feb 28 16:11:26 [1.1.1.1] 4402156: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 63.70.25.75(2666) -> 1.1.1.42(111), 1 packet
Feb 28 16:11:48 [5.5.5.243] %PIX-7-106011: Deny self route tcp src
outside:63.70.25.75/2666 dst outside:1.1.1.43/111
Feb 28 16:11:49 [1.1.1.1] 4402188: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 63.70.25.75(2666) -> 1.1.1.43(111), 1 packet
Feb 28 16:38:00 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied
from 63.70.25.75/2666 to 5.5.5.219/111 flags SYN

The 1.1.1 addresses are our external, the 5.5.5 are our internal. My
question is this. What is he doing to discover my internal IP addresses? We
are doing NAT, so the external responses are from open/active TCP sessions,
or so I am assuming. What app is he using to do this?

Cheers,

Jeff

<<<<<<<<<<<<<<<<<<<<<<<<<<
Jeffrey L. Nelson        | Cleveland Motion Controls
Network Manager          | 7550 Hub Parkway
                         | Cleveland, Ohio 44125
jnelson () cmccontrols com  | 216-642-5147
<<<<<<<<<<<<<<<<<<<<<<<<<<
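Detection logic over the two log formats in the message above, as an added example that is not part of the original post. It parses the IOS ACL hits (%SEC-6-IPACCESSLOGP) and the PIX denials (106001 and 106011) into one flow record shape, groups inbound probes by source address and destination port, flags a source that touches many hosts on a single port (a horizontal sweep), notes whether the source port stayed fixed (2666 on every probe here, which points at a tool holding one socket or crafting packets rather than doing a fresh connect() per host), and lists which targets sent a packet back toward the scanner. The sample log is constructed from the excerpt in the post, re-joined onto one line per entry, with one unrelated inbound HTTP line added; the local networks 1.1.1.0/24 and 5.5.5.0/24, the year 2000 and the five-host threshold are assumptions. Treating the PIX lines as part of the same sweep rests only on the matching source address and source port.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the post's excerpt re-joined onto one line per entry, plus one
# unrelated inbound HTTP line (10.9.8.7 -> 1.1.1.5) that must not be flagged.
SAMPLE_LOG = """\
Feb 28 15:58:51 [1.1.1.1] 4400915: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.9(111), 1 packet
Feb 28 16:02:40 [1.1.1.1] 4401657: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.19(111), 1 packet
Feb 28 16:04:34 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied from 63.70.25.75/2666 to 5.5.5.151/111 flags SYN
Feb 28 16:04:35 [1.1.1.1] 4401766: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.24(111), 1 packet
Feb 28 16:04:35 [1.1.1.1] 4401768: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 1.1.1.24(111) -> 63.70.25.75(2666), 1 packet
Feb 28 16:06:06 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied from 63.70.25.75/2666 to 5.5.5.75/111 flags SYN
Feb 28 16:06:07 [1.1.1.1] 4401850: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.28(111), 1 packet
Feb 28 16:06:07 [1.1.1.1] 4401852: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 1.1.1.28(111) -> 63.70.25.75(2666), 1 packet
Feb 28 16:11:25 [5.5.5.243] %PIX-7-106011: Deny self route tcp src outside:63.70.25.75/2666 dst outside:1.1.1.42/111
Feb 28 16:11:26 [1.1.1.1] 4402156: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.42(111), 1 packet
Feb 28 16:11:48 [5.5.5.243] %PIX-7-106011: Deny self route tcp src outside:63.70.25.75/2666 dst outside:1.1.1.43/111
Feb 28 16:11:49 [1.1.1.1] 4402188: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.43(111), 1 packet
Feb 28 16:38:00 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied from 63.70.25.75/2666 to 5.5.5.219/111 flags SYN
Feb 28 16:40:00 [1.1.1.1] 4402300: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 10.9.8.7(40123) -> 1.1.1.5(80), 1 packet
"""

# Assumed site facts: the post's "external" and "internal" ranges, and the log year.
LOCAL_NETS = ["1.1.1.0/24", "5.5.5.0/24"]
LOG_YEAR = 2000

TS = r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<dev>[^\]]+)\] "
PATTERNS = [
    # IOS ACL hit: "list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.9(111), 1 packet"
    (re.compile(TS + r"\d+: %SEC-6-IPACCESSLOGP: list \S+ (?P<action>permitted|denied) (?P<proto>\w+) "
                r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"), None),
    # PIX 106001: "Inbound TCP connection denied from 63.70.25.75/2666 to 5.5.5.151/111 flags SYN"
    (re.compile(TS + r"%PIX-\d-106001: Inbound (?P<proto>\w+) connection denied from "
                r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"), "denied"),
    # PIX 106011: "Deny self route tcp src outside:63.70.25.75/2666 dst outside:1.1.1.42/111"
    (re.compile(TS + r"%PIX-\d-106011: Deny self route (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/(?P<sport>\d+) "
                r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"), "denied"),
]


def parse_line(line, year=LOG_YEAR):
    """Normalise one IOS or PIX syslog line into a flow record; None if unrecognised."""
    for rx, fixed_action in PATTERNS:
        m = rx.match(line)
        if m:
            d = m.groupdict()
            return {
                "ts": datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S"),
                "device": d["dev"],
                "action": fixed_action or d["action"],
                "proto": d["proto"].lower(),
                "src": d["src"], "sport": int(d["sport"]),
                "dst": d["dst"], "dport": int(d["dport"]),
            }
    return None


def is_local(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in nets)


def find_sweeps(log_text, local_nets=LOCAL_NETS, min_hosts=5):
    """Group inbound probes by (source, destination port) and report horizontal sweeps."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    probes = defaultdict(list)
    for e in events:
        if not is_local(e["src"], local_nets) and is_local(e["dst"], local_nets):
            probes[(e["src"], e["dport"])].append(e)

    by_ip = ipaddress.ip_address
    sweeps = {}
    for (scanner, port), evs in probes.items():
        targets = sorted({e["dst"] for e in evs}, key=by_ip)
        if len(targets) < min_hosts:
            continue
        sports = {e["sport"] for e in evs}
        # A packet from a probed host's port back to the scanner's source port means the
        # host answered; an ACL log cannot tell SYN/ACK from RST, so "answered", not "open".
        responders = sorted({e["src"] for e in events
                             if e["dst"] == scanner and e["sport"] == port
                             and e["dport"] in sports and e["src"] in targets}, key=by_ip)
        stamps = [e["ts"] for e in evs]
        sweeps[(scanner, port)] = {
            "targets": targets,
            "devices": sorted({e["device"] for e in evs}, key=by_ip),
            "source_ports": sorted(sports),
            "fixed_source_port": len(sports) == 1,
            "responders": responders,
            "span_seconds": int((max(stamps) - min(stamps)).total_seconds()),
        }
    return sweeps


if __name__ == "__main__":
    for (scanner, port), s in find_sweeps(SAMPLE_LOG).items():
        print(f"{scanner} swept tcp/{port} on {len(s['targets'])} hosts in {s['span_seconds']}s "
              f"(fixed source port: {s['fixed_source_port']}, answered: {s['responders']})")
```

On the sample, the only sweep reported is 63.70.25.75 against tcp/111: nine distinct targets across both the router and the PIX, about 39 minutes end to end, every probe from source port 2666, and 1.1.1.24 and 1.1.1.28 answering. Splitting the targets by whether they were logged by the router or the firewall is the quickest way to see which addresses the PIX reported in pre-translation form.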
