Security Incidents mailing list archives

Strange scans against IRC->ICP ports from Yugoslavia???


From: "Ralf G. R. Bergs" <rabe () RWTH-Aachen DE>
Date: Tue, 27 Mar 2001 21:56:47 +0200

Hi there,

by accident I stumbled across the following IMHO very strange scan pattern:

Mar  4 02:24:58 WWW kernel: Packet log: input DENY eth0 PROTO=6
195.66.170.8:6667 111.222.333.87:1112 L=40 S=0x00 I=19127 F=0x0000 T=103 (#54)
Mar  4 02:36:15 WWW kernel: Packet log: input DENY eth0 PROTO=6
195.66.170.8:6667 111.222.333.87:1112 L=40 S=0x00 I=15443 F=0x0000 T=103 (#54)
Mar  4 02:37:13 WWW kernel: Packet log: input DENY eth0 PROTO=6
195.66.170.8:6667 111.222.333.87:1112 L=40 S=0x00 I=4516 F=0x0000 T=103 (#54)
Mar 27 05:08:54 WWW kernel: Packet log: input DENY eth0 PROTO=6
195.66.170.8:6667 111.222.333.113:1112 L=40 S=0x00 I=62877 F=0x0000 T=115 (#54)
Mar 27 05:35:16 WWW kernel: Packet log: input DENY eth0 PROTO=6
195.66.170.8:6667 111.222.333.113:1112 L=40 S=0x00 I=51299 F=0x0000 T=115 (#54)
Mar 27 19:48:54 WWW kernel: Packet log: input DENY eth0 PROTO=6
195.66.170.8:6667 111.222.333.113:1112 L=40 S=0x00 I=6255 F=0x0000 T=115 (#54)
Mar 27 19:51:55 WWW kernel: Packet log: input DENY eth0 PROTO=6
62.193.128.9:6667 111.222.333.113:1112 L=40 S=0x00 I=29029 F=0x0000 T=107 (#54)
Mar 27 19:52:01 WWW kernel: Packet log: input DENY eth0 PROTO=6
62.193.128.9:6667 111.222.333.113:1112 L=40 S=0x00 I=49001 F=0x0000 T=107 (#54)

Note that my class C is "INVISIBLE" from outside because I NAT all packets
going from inside the LAN into the internet, so there's no reason for someone
outside my LAN to send packets to LAN machines (of course I also block packets
going from the internet into the LAN).

Please also note that the packets come from two different providers, but both
of them are in Yugoslavia. AFAIR it's the first occasion EVER that I've seen blocked
packets from that country. Also note that the last packets were sent
three weeks after the first packets.

Finally please note the strange source and destination ports. What is "ICP"?

Thanks for your thoughts,

Ralf


--
Sign the EU petition against SPAM:          L I N U X       .~.
http://www.politik-digital.de/spam/        The  Choice      /V\
                                            of a  GNU      /( )\
                                           Generation      ^^-^^
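As an added example (not from Ralf's post), a small Python parser for the ipchains "Packet log" format shown above, grouping denied packets by source address and port and flagging whether each group consisted only of bare TCP headers (L=40 is 20 bytes of IP header plus 20 bytes of TCP header, i.e. no options and no payload). The sample lines are constructed from the post's entries, keeping its sanitized destination addresses as-is.

```python
import re
from collections import defaultdict

# ipchains "Packet log" line (Linux 2.2 firewall logging). Fields after PROTO:
# <src>:<sport> <dst>:<dport> L=<total IP length> S=<TOS> I=<IP id>
# F=<fragment word> T=<TTL> (#<rule number>)
IPCHAINS_RE = re.compile(
    r"(?P<month>\w{3}) +(?P<day>\d+) (?P<time>[\d:]+) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)

# Constructed sample: three of the post's entries, each joined onto one line.
SAMPLE = """\
Mar  4 02:24:58 WWW kernel: Packet log: input DENY eth0 PROTO=6 195.66.170.8:6667 111.222.333.87:1112 L=40 S=0x00 I=19127 F=0x0000 T=103 (#54)
Mar 27 05:08:54 WWW kernel: Packet log: input DENY eth0 PROTO=6 195.66.170.8:6667 111.222.333.113:1112 L=40 S=0x00 I=62877 F=0x0000 T=115 (#54)
Mar 27 19:51:55 WWW kernel: Packet log: input DENY eth0 PROTO=6 62.193.128.9:6667 111.222.333.113:1112 L=40 S=0x00 I=29029 F=0x0000 T=107 (#54)
""".splitlines()

def parse_ipchains(line):
    """Return a dict of fields for one ipchains log line, or None if it does not match."""
    m = IPCHAINS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Group DENY entries by (src, sport): hit count, distinct destinations and
    destination ports, TTLs seen, and whether every packet was a header-only TCP segment."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_ipchains(line)
        if rec and rec["action"] == "DENY":
            groups[(rec["src"], rec["sport"])].append(rec)
    summary = {}
    for key, recs in groups.items():
        summary[key] = {
            "count": len(recs),
            "dsts": sorted({r["dst"] for r in recs}),
            "dports": sorted({r["dport"] for r in recs}),
            "ttls": sorted({r["ttl"] for r in recs}),
            "headers_only": all(r["proto"] == 6 and r["length"] == 40 for r in recs),
        }
    return summary

if __name__ == "__main__":
    for (src, sport), info in summarize(SAMPLE).items():
        print(f"{src}:{sport} -> {info}")
```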

