Security Incidents mailing list archives
Two scans (Klogin and a trojan?)
From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Sun, 21 May 2000 13:13:29 -0400
Hi all,

[All local hostnames munged, all source IPs and names are what was recorded.]

I wanted to report on two quick scans I caught this weekend. Coming back from a vacation to find some suspicious log entries sucks, but hey, life would be boring without it.

The first is in regards to the recent Kerberos vulnerabilities (see the CERT advisory), someone probing for Klogin ports:

May 19 05:27:16 server kernel: TCP connection rejected from 194.252.152.4, port 543

Now, this is rather worrisome:

Name: ns2.keminmaa.fi
Address: 194.252.152.4

It is named as a nameserver (ns2) and, sure enough, responds as one. I hope it's not a rooted BIND8 server, but they'd be in good company if it is.

The second appears to be a trojan scan, but I could find nothing associated with that port (any ideas?):

May 20 06:04:45 server kernel: TCP connection rejected from 210.55.227.64, port 27374

Looks like a customer having fun or a compromised box:

Name: pp2-64.world-net.co.nz
Address: 210.55.227.64

All times are in CDT (GMT-4) with the clock running fast by about 10 minutes.

See y'all around,

jose nazario jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
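Added example, not part of the original message: a short Python parser for the "TCP connection rejected" lines quoted above that converts their timestamps to UTC using the offset (GMT-4) and clock error (about 10 minutes fast) the message states, so the events can be matched against logs kept at other sites. The function and field names are hypothetical, and the year 2000 is an assumption taken from the message's Date header, since the log lines carry no year.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the two kernel log lines quoted in the message.
SAMPLE_LOG = """\
May 19 05:27:16 server kernel: TCP connection rejected from 194.252.152.4, port 543
May 20 06:04:45 server kernel: TCP connection rejected from 210.55.227.64, port 27374
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: "
    r"TCP connection rejected from (?P<src>[0-9.]+), port (?P<port>\d+)$"
)


def normalize_rejects(log_text, year=2000, utc_offset_hours=-4,
                      clock_fast_minutes=10):
    """Return one dict per rejected connection with a skew-corrected UTC time.

    year, utc_offset_hours and clock_fast_minutes default to the values
    assumed from the message (Date header, "GMT-4", "fast by about 10 minutes").
    """
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a rejected-connection line
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # malformed source address, skip rather than report it
        port = int(m["port"])
        if not 0 < port <= 65535:
            continue
        logged = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        # The clock runs fast, so the real event time is earlier than logged.
        actual = logged.replace(tzinfo=local_tz) - timedelta(minutes=clock_fast_minutes)
        events.append({
            "utc": actual.astimezone(timezone.utc).isoformat(),
            "src": str(src),
            "dst_port": port,
        })
    return events


if __name__ == "__main__":
    for event in normalize_rejects(SAMPLE_LOG):
        print(event["utc"], event["src"], event["dst_port"])
```

Because the clock error is only approximate, treat the corrected times as the centre of a window of a few minutes when correlating with another site's logs.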