Security Incidents mailing list archives
Port scanning from Iran
From: John Oliver <joliver () CONNECTNET COM>
Date: Tue, 6 Mar 2001 21:51:05 -0800
Mar 6 20:38:02 ns portsentry[3934]: attackalert: Connect from host: 213.176.97.10/213.176.97.10 to TCP port: 79
Mar 6 20:38:02 ns portsentry[3934]: attackalert: Host 213.176.97.10 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 213.176.97.10 -j DENY -l"
Mar 6 20:38:02 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=40 S=0x00 I=43373 F=0x4000 T=107 (#1)
Mar 6 20:38:02 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=40 S=0x00 I=43372 F=0x4000 T=102 (#1)
Mar 6 20:38:04 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43379 F=0x4000 T=102 (#1)
Mar 6 20:38:10 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43404 F=0x4000 T=107 (#1)
Mar 6 20:38:22 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43499 F=0x4000 T=107 (#1)
Mar 6 20:38:46 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43663 F=0x4000 T=102 (#1)
Mar 6 20:39:34 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43886 F=0x4000 T=107 (#1)

This goes on, and on, and on, and on, all sorts of different source and destination ports... puts the Energizer bunny to shame... :-)

After getting two portsentry reports in excess of 2MB each, I added an ignore rule since they ain't getting in anyhoo.

Has anyone else seen activity from this host? Contact with the admin(s)?

At first, I thought this was another rooted box. But the scans stepped *way* up after I started reporting, so I'm wondering if it isn't the Iranians themselves... :-)

--
John Oliver, System Administrator            http://www.allegiancetele.com
ConnectNet, an Allegiance Telecom company    http://www.connectnet.com
6370 Lusk Blvd. Ste F103                     (858) 638-2020
San Diego, CA. 92121                         FAX: (858) 623-1505
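As an added example (not part of the original post), a small Python parser for the ipchains "Packet log" lines quoted above that folds retransmissions of a dropped SYN (same source port, same destination) into a single connection attempt, the kind of reduction that turns a multi-megabyte portsentry report into a short per-source summary. The sample input reuses three lines from the post plus two constructed lines for a second attempt on port 21.

```python
import re
from collections import defaultdict

# Matches the Linux 2.2 ipchains "Packet log" syslog format shown in the post.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9a-fA-F]+ I=(?P<ipid>\d+) F=0x[0-9a-fA-F]+ T=(?P<ttl>\d+)"
)

def parse_ipchains(lines):
    """One dict per ipchains packet-log line; other syslog lines (portsentry alerts) are skipped."""
    events = []
    for line in lines:
        m = IPCHAINS_RE.match(line.strip())
        if m:
            e = m.groupdict()
            for k in ("proto", "sport", "dport", "len", "ipid", "ttl"):
                e[k] = int(e[k])
            events.append(e)
    return events

def summarize(events):
    """Per source IP: raw dropped packets, distinct connection attempts
    (a silently dropped SYN is retransmitted, so one attempt produces several
    lines sharing (sport, dst, dport)), destination ports, and TTL values seen."""
    acc = defaultdict(lambda: {"packets": 0, "flows": set(), "ports": set(), "ttls": set()})
    for e in events:
        a = acc[e["src"]]
        a["packets"] += 1
        a["flows"].add((e["sport"], e["dst"], e["dport"]))
        a["ports"].add(e["dport"])
        a["ttls"].add(e["ttl"])
    return {src: {"packets": a["packets"], "attempts": len(a["flows"]),
                  "ports": sorted(a["ports"]), "ttls": sorted(a["ttls"])}
            for src, a in acc.items()}

# Sample input: first four lines quoted from the post, last two constructed.
SAMPLE_LOG = """\
Mar 6 20:38:02 ns portsentry[3934]: attackalert: Connect from host: 213.176.97.10/213.176.97.10 to TCP port: 79
Mar 6 20:38:02 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=40 S=0x00 I=43373 F=0x4000 T=107 (#1)
Mar 6 20:38:04 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43379 F=0x4000 T=102 (#1)
Mar 6 20:38:10 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3401 207.110.26.18:79 L=42 S=0x00 I=43404 F=0x4000 T=107 (#1)
Mar 6 20:40:01 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3402 207.110.26.18:21 L=40 S=0x00 I=43901 F=0x4000 T=107 (#1)
Mar 6 20:40:04 ns kernel: Packet log: input DENY eth0 PROTO=6 213.176.97.10:3402 207.110.26.18:21 L=40 S=0x00 I=43907 F=0x4000 T=107 (#1)
""".splitlines()

if __name__ == "__main__":
    for src, s in summarize(parse_ipchains(SAMPLE_LOG)).items():
        print(src, s)
```

Feeding a whole syslog file through `parse_ipchains` and then `summarize` gives, per source, how many real attempts hide behind the packet count and which ports they targeted.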