Security Incidents mailing list archives

Port scanning from Iran


From: John Oliver <joliver () CONNECTNET COM>
Date: Tue, 6 Mar 2001 21:51:05 -0800

Mar  6 20:38:02 ns portsentry[3934]: attackalert: Connect from host:
213.176.97.10/213.176.97.10 to TCP port: 79
Mar  6 20:38:02 ns portsentry[3934]: attackalert: Host 213.176.97.10 has
been blocked via dropped route using command: "/sbin/ipchains -I input
-s 213.176.97.10 -j DENY -l"
Mar  6 20:38:02 ns kernel: Packet log: input DENY eth0 PROTO=6
213.176.97.10:3401 207.110.26.18:79 L=40 S=0x00 I=43373 F=0x4000 T=107
(#1)
Mar  6 20:38:02 ns kernel: Packet log: input DENY eth0 PROTO=6
213.176.97.10:3401 207.110.26.18:79 L=40 S=0x00 I=43372 F=0x4000 T=102
(#1)
Mar  6 20:38:04 ns kernel: Packet log: input DENY eth0 PROTO=6
213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43379 F=0x4000 T=102
(#1)
Mar  6 20:38:10 ns kernel: Packet log: input DENY eth0 PROTO=6
213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43404 F=0x4000 T=107
(#1)
Mar  6 20:38:22 ns kernel: Packet log: input DENY eth0 PROTO=6
213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43499 F=0x4000 T=107
(#1)
Mar  6 20:38:46 ns kernel: Packet log: input DENY eth0 PROTO=6
213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43663 F=0x4000 T=102
(#1)
Mar  6 20:39:34 ns kernel: Packet log: input DENY eth0 PROTO=6
213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43886 F=0x4000 T=107
(#1)

This goes on, and on, and on, and on, all sorts of different source and
destination ports... puts the Energizer bunny to shame... :-)  After
getting two portsentry reports in excess of 2MB each, I added an ignore
rule since they ain't getting in anyhoo.  Has anyone else seen activity
from this host?  Contact with the admin(s)?  At first, I thought this
was another rooted box.  But the scans stepped *way* up after I started
reporting, so I'm wondering if it isn't the Iranians themselves... :-)

--
John Oliver, System Administrator        http://www.allegiancetele.com
ConnectNet, an Allegiance Telecom company    http://www.connectnet.com
6370 Lusk Blvd. Ste F103                                (858) 638-2020
San Diego, CA. 92121                               FAX: (858) 623-1505
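A small parser for the ipchains "Packet log:" kernel lines quoted in the post, added here as an example (not code from the poster or the list): it groups DENY entries by source host and flags sources that exceed a hit threshold, which is the check one would run before deciding, as the poster did, that a source is worth an ignore rule. The sample log embeds the lines from the post (unwrapped) plus one constructed entry from 192.0.2.5; the threshold value is an assumption.

```python
import re
from collections import defaultdict

# Field layout of an ipchains 2.2-era "Packet log:" line, as seen in the post:
#   Packet log: <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport>
#   L=<len> S=0x<tos> I=<ipid> F=0x<frag> T=<ttl> (#<rule>)
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)"
)

def parse_line(line):
    """Return a dict of fields for an ipchains packet-log line, or None."""
    m = IPCHAINS_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines, threshold=5):
    """Count DENY hits per source host; also collect the destination ports
    and TTLs seen, and list sources at or above the threshold (assumed value)."""
    stats = defaultdict(lambda: {"hits": 0, "dports": set(), "ttls": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["target"] != "DENY":
            continue
        entry = stats[rec["src"]]
        entry["hits"] += 1
        entry["dports"].add(rec["dport"])
        entry["ttls"].add(rec["ttl"])
    noisy = sorted(src for src, e in stats.items() if e["hits"] >= threshold)
    return stats, noisy

# Sample input: the post's lines rejoined, plus one constructed line from 192.0.2.5.
SAMPLE_LOG = [
    "Mar  6 20:38:02 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=40 S=0x00 I=43373 F=0x4000 T=107 (#1)",
    "Mar  6 20:38:02 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=40 S=0x00 I=43372 F=0x4000 T=102 (#1)",
    "Mar  6 20:38:04 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43379 F=0x4000 T=102 (#1)",
    "Mar  6 20:38:10 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43404 F=0x4000 T=107 (#1)",
    "Mar  6 20:38:22 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43499 F=0x4000 T=107 (#1)",
    "Mar  6 20:38:46 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43663 F=0x4000 T=102 (#1)",
    "Mar  6 20:39:34 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43886 F=0x4000 T=107 (#1)",
    "Mar  6 20:40:01 ns kernel: Packet log: input DENY eth0 PROTO=6 192.0.2.5:40001 207.110.26.18:22 L=60 S=0x00 I=12 F=0x4000 T=64 (#1)",
]

if __name__ == "__main__":
    stats, noisy = summarize(SAMPLE_LOG)
    for src in noisy:
        e = stats[src]
        print(f"{src}: {e['hits']} hits, ports {sorted(e['dports'])}, TTLs {sorted(e['ttls'])}")
```

The TTL set is worth keeping per source: a single host behind one path usually shows one TTL, so a spread of values is a hint to look closer at the source rather than a conclusion on its own.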

