Security Incidents mailing list archives
Recon from Pakistan
From: JNelson () CMCCONTROLS COM (CL: Nelson, Jeff)
Date: Tue, 29 Feb 2000 15:14:51 -0500
Good afternoon all,

I was going through yesterday's logs and found we had been scanned via sunrpc from some individual in Pakistan. Here is a sample of the log:

Feb 28 15:58:51 [1.1.1.1] 4400915: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.9(111), 1 packet
Feb 28 16:02:40 [1.1.1.1] 4401657: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.19(111), 1 packet
Feb 28 16:04:34 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied from 63.70.25.75/2666 to 5.5.5.151/111 flags SYN
Feb 28 16:04:35 [1.1.1.1] 4401766: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.24(111), 1 packet
Feb 28 16:04:35 [1.1.1.1] 4401768: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 1.1.1.24(111) -> 63.70.25.75(2666), 1 packet
Feb 28 16:06:06 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied from 63.70.25.75/2666 to 5.5.5.75/111 flags SYN
Feb 28 16:06:07 [1.1.1.1] 4401850: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.28(111), 1 packet
Feb 28 16:06:07 [1.1.1.1] 4401852: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 1.1.1.28(111) -> 63.70.25.75(2666), 1 packet
Feb 28 16:11:25 [5.5.5.243] %PIX-7-106011: Deny self route tcp src outside:63.70.25.75/2666 dst outside:1.1.1.42/111
Feb 28 16:11:26 [1.1.1.1] 4402156: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.42(111), 1 packet
Feb 28 16:11:48 [5.5.5.243] %PIX-7-106011: Deny self route tcp src outside:63.70.25.75/2666 dst outside:1.1.1.43/111
Feb 28 16:11:49 [1.1.1.1] 4402188: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.43(111), 1 packet
Feb 28 16:38:00 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied from 63.70.25.75/2666 to 5.5.5.219/111 flags SYN

The 1.1.1 addresses are our external, the 5.5.5 are our internal.

My question is this. What is he doing to discover my internal IP addresses? We are doing NAT, so the external responses are from open/active tcp sessions, or so I am assuming.
What app is he using to do this? Cheers, Jeff
<<<<<<<<<<<<<<<<<<<<<<<<<<
Jeffrey L. Nelson | Cleveland Motion Controls Network Manager | 7550 Hub Parkway | Cleveland, Ohio 44125 jnelson () cmccontrols com | 216-642-5147
<<<<<<<<<<<<<<<<<<<<<<<<<<
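The correlation a practitioner would run over these router and PIX lines, as an added example that is not part of the post. It parses the three message formats that appear in the sample (IOS %SEC-6-IPACCESSLOGP, PIX %PIX-2-106001 and %PIX-7-106011), groups probes by scanning source, and separates three things the log shows but a flat listing hides: every probe comes from the same source port (2666), which is characteristic of a scanner that pins its source port rather than of ordinary client connections; two hosts (1.1.1.24 and 1.1.1.28) sent a packet from port 111 back to the scanner, so sunrpc answered on those two; and the 5.5.5.x entries are SYNs the PIX received on its outside interface addressed to 5.5.5.x directly, not replies through NAT. The sample input is the post's own log excerpt; the function and field names are this example's, not from any vendor tool.

```python
import re
from collections import defaultdict

# Sample input: the log lines quoted in the post above (no other data constructed).
SAMPLE_LOG = """\
Feb 28 15:58:51 [1.1.1.1] 4400915: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.9(111), 1 packet
Feb 28 16:02:40 [1.1.1.1] 4401657: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.19(111), 1 packet
Feb 28 16:04:34 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied from 63.70.25.75/2666 to 5.5.5.151/111 flags SYN
Feb 28 16:04:35 [1.1.1.1] 4401766: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.24(111), 1 packet
Feb 28 16:04:35 [1.1.1.1] 4401768: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 1.1.1.24(111) -> 63.70.25.75(2666), 1 packet
Feb 28 16:06:06 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied from 63.70.25.75/2666 to 5.5.5.75/111 flags SYN
Feb 28 16:06:07 [1.1.1.1] 4401850: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.28(111), 1 packet
Feb 28 16:06:07 [1.1.1.1] 4401852: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 1.1.1.28(111) -> 63.70.25.75(2666), 1 packet
Feb 28 16:11:25 [5.5.5.243] %PIX-7-106011: Deny self route tcp src outside:63.70.25.75/2666 dst outside:1.1.1.42/111
Feb 28 16:11:26 [1.1.1.1] 4402156: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.42(111), 1 packet
Feb 28 16:11:48 [5.5.5.243] %PIX-7-106011: Deny self route tcp src outside:63.70.25.75/2666 dst outside:1.1.1.43/111
Feb 28 16:11:49 [1.1.1.1] 4402188: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.43(111), 1 packet
Feb 28 16:38:00 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied from 63.70.25.75/2666 to 5.5.5.219/111 flags SYN
"""

# Syslog prefix shared by both devices: timestamp and the logging host in brackets.
TS = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \[(?P<device>[\d.]+)\]")
# IOS access-list logging: "list <acl> permitted|denied <proto> src(sport) -> dst(dport), N packet(s)"
IOS_ACL = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?")
# PIX inbound connection denied on the outside interface.
PIX_DENY = re.compile(
    r"%PIX-2-106001: Inbound (?P<proto>\w+) connection denied from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>\S+)")
# PIX refusing to route a packet back out the interface it arrived on.
PIX_SELF = re.compile(
    r"%PIX-7-106011: Deny self route (?P<proto>\w+) src (?P<sif>\w+):(?P<src>[\d.]+)/(?P<sport>\d+) "
    r"dst (?P<dif>\w+):(?P<dst>[\d.]+)/(?P<dport>\d+)")


def parse_line(line):
    """Return a normalised event dict for a known message type, or None for anything else."""
    head = TS.match(line)
    if not head:
        return None
    ev = {"ts": head["ts"], "device": head["device"]}
    m = IOS_ACL.search(line)
    if m:
        ev["kind"] = "permit" if m["action"] == "permitted" else "deny"
    elif (m := PIX_DENY.search(line)):
        ev["kind"] = "deny"
    elif (m := PIX_SELF.search(line)):
        ev["kind"] = "deny_self_route"
    else:
        return None
    ev.update(src=m["src"], dst=m["dst"], sport=int(m["sport"]),
              dport=int(m["dport"]), proto=m["proto"].lower())
    return ev


def summarize(lines, service_port=111):
    """Group probes against service_port by source and record which targets answered."""
    events = [e for e in map(parse_line, lines) if e]
    scans = defaultdict(lambda: {"targets": set(), "sports": set(), "responders": set(),
                                 "denied": set(), "self_route": set(), "first": None, "last": None})
    # Pass 1: inbound probes, i.e. packets whose destination port is the scanned service.
    for e in events:
        if e["dport"] != service_port:
            continue
        s = scans[e["src"]]
        s["targets"].add(e["dst"])
        s["sports"].add(e["sport"])
        s["first"] = s["first"] or e["ts"]
        s["last"] = e["ts"]
        if e["kind"] == "deny":
            s["denied"].add(e["dst"])
        elif e["kind"] == "deny_self_route":
            s["self_route"].add(e["dst"])
    # Pass 2: replies, i.e. a permitted packet from the service port on a probed host back to the scanner.
    for e in events:
        if (e["kind"] == "permit" and e["sport"] == service_port
                and e["dst"] in scans and e["src"] in scans[e["dst"]]["targets"]):
            scans[e["dst"]]["responders"].add(e["src"])
    return dict(scans)


def _ip_key(ip):
    return tuple(int(p) for p in ip.split("."))


def sweep_alerts(scans, min_targets=3):
    """One alert per source that touched at least min_targets distinct hosts on the service port."""
    alerts = []
    for src, s in scans.items():
        if len(s["targets"]) < min_targets:
            continue
        alerts.append({
            "scanner": src,
            "hosts_probed": len(s["targets"]),
            "fixed_source_port": len(s["sports"]) == 1,   # one source port for every probe
            "responders": sorted(s["responders"], key=_ip_key),   # service answered here
            "denied_by_firewall": sorted(s["denied"], key=_ip_key),
            "window": (s["first"], s["last"]),
        })
    return alerts


if __name__ == "__main__":
    for a in sweep_alerts(summarize(SAMPLE_LOG.splitlines())):
        print(a)
```

On the sample this yields a single alert for 63.70.25.75: nine hosts probed on tcp/111 over about forty minutes, a single source port throughout, replies from 1.1.1.24 and 1.1.1.28, and three 5.5.5.x addresses blocked by the PIX. The same two-pass approach (probes first, then packets flowing from the probed port back to the prober) works for any service port and for access-list logs from either device; the threshold in sweep_alerts is the knob to tune against normal traffic.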
Current thread:
- Recon from Pakistan CL: Nelson, Jeff (Feb 29)
- <Possible follow-ups>
- Re: Recon from Pakistan CL: Nelson, Jeff (Mar 02)