Security Incidents mailing list archives

Re: Strange traffic to port 119


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Mon, 13 Nov 2000 09:52:52 -0500

On Sun, 12 Nov 2000 13:17:28 CST, Omar Herrera <oherrera () PRODIGY NET MX>  said:

Let me inject a *possible* alternate interpretation.  You should of course
apply Occam's Razor and any other available information.  I'm listing
it mostly because I've actually seen something similar....

> IP addresses are assigned dynamically by my ISP and packets are not
> directed to any broadcast address so, as far as I know, they are
> targeting me directly.

You might want to consider the possibility that the probes are intended
for the *previous* owner of that IP address.  The previous guy comes on,
launches his private NNTP server, sends mail to his eleet buddies saying
where it is now, and they start pounding on it.  His connection drops,
you get the IP address, and his eleet buddies keep trying for a while
wondering why the server isn't answering.

Could also be the guy announced the address with a typo in it. ;)

> As you can see, 2 of these sources show more than any:
> 148.246.45.107
> 62.42.0.213
>
> 148.246.45.107 seems to be (with a high probability) a Win 2000 machine
> 62.42.0.213 might be an Aix2.4 (probably inaccurate)

AIX 2.4 never existed.  Probably should be AIX 4.2 (which is outdated,
unsupported, and quite possibly easily hackable).

> I ran nmap on these two but I can't find any relation to each other. I
> also checked for any strange parameters in the packets but couldn't
> find anything, here is a sample:

Again, if those 2 addresses are dialups, you run the risk of nmap'ing the
next machine that happens to get the address (unless you're nmap'ing during
or RIGHT after the incident).

> At 12:38 nntp packets stopped but snort started to alert me of several
> nmap probes to my machine, source addresses are random and too many so I

At 12:38, one of the eleet friends finally clues in that they're pounding
the wrong machine. ;)
-- 
                                Valdis Kletnieks
                                Operating Systems Analyst
                                Virginia Tech
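The triage the thread describes (count which sources hit port 119 most, and check whether the NNTP traffic really stopped at a given time) is easy to do from a firewall or sensor log rather than by eye. The following is an added example written for this archive page, not code posted in the thread; the log format, the timestamps and the RFC 5737 documentation addresses are all constructed, and the function names are my own.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample log (not from the original thread). One event per line:
#   "<date> <time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>"
SAMPLE_LOG = """\
2000-11-12 12:30:01 203.0.113.7:1034 -> 192.0.2.10:119 TCP
2000-11-12 12:30:05 203.0.113.7:1035 -> 192.0.2.10:119 TCP
2000-11-12 12:31:12 198.51.100.23:2201 -> 192.0.2.10:119 TCP
2000-11-12 12:33:40 203.0.113.7:1036 -> 192.0.2.10:119 TCP
2000-11-12 12:35:02 198.51.100.23:2202 -> 192.0.2.10:119 TCP
2000-11-12 12:36:59 192.0.2.77:4000 -> 192.0.2.10:119 TCP
2000-11-12 12:37:30 203.0.113.7:1037 -> 192.0.2.10:119 TCP
2000-11-12 12:40:00 198.51.100.99:5555 -> 192.0.2.10:22 TCP
2000-11-12 12:41:00 198.51.100.98:5556 -> 192.0.2.10:80 TCP
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (\w+)$"
)

def parse_log(text):
    """Parse the constructed log format into a list of event dicts.
    Lines that do not match the format are skipped rather than raising,
    so a partially garbled capture still yields the usable events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, proto = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": src,
            "dst": dst,
            "dport": int(dport),
            "proto": proto,
        })
    return events

def top_sources(events, dport, n=2):
    """Return the n most frequent source addresses hitting dport, as
    (address, count) pairs, most frequent first."""
    counter = Counter(e["src"] for e in events if e["dport"] == dport)
    return counter.most_common(n)

def last_seen(events, dport):
    """Timestamp of the last event aimed at dport, or None if there were none."""
    hits = [e["ts"] for e in events if e["dport"] == dport]
    return max(hits) if hits else None

def quiet_since(events, dport, cutoff):
    """True if no traffic to dport was logged at or after cutoff.
    This is the check behind 'at 12:38 the nntp packets stopped'."""
    return all(e["ts"] < cutoff for e in events if e["dport"] == dport)

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("top sources on 119:", top_sources(evs, 119))
    print("last NNTP attempt:", last_seen(evs, 119))
    print("quiet after 12:38:", quiet_since(evs, 119, datetime(2000, 11, 12, 12, 38)))
```

Because the source addresses in the thread are dial-up pool addresses, the counts say who was hitting the port during the capture window, not who owns those addresses now; that is the same reason the reply warns against running nmap on them after the fact.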
