Security Incidents mailing list archives

Re: Odd connection attempts from many addresses


From: James Hoagland <hoagland () SiliconDefense com>
Date: Fri, 25 Jan 2002 09:27:20 -0800

Hello John,

Have you looked into whether your host X is advertising a service on the ports in question? A game server or some such.

Also, what is the timing between packets from a given host? How about between different hosts' attempts? Does that vary or is it fairly consistent?

Does a source address repeat itself? If so, is there a pattern in the source ports used? Are there any patterns in the source ports used by the different sources?

Regards,

  Jim

At 6:37 PM +0000 1/19/02, John Bland wrote:
Hi,

I've been seeing, over the past week, a constant
stream of odd connection attempts to two of my
machines. The firewall logs show things like
(where A,B,C,D are addresses in quite separate
address spaces and X is the local machine):

A:1200  X:41000
A:1200  X:41000
A:1200  X:41000
B:1340  X:41001
B:1340  X:41001
B:1340  X:41001
C:2100  X:41002
C:2100  X:41002
C:2100  X:41002
D:1130  X:41003
D:1130  X:41003
D:1130  X:41003
(all TCP)

i.e. we're receiving connection attempts from quite
varied addresses (all types of UK dialup and ADSL,
the odd ac.uk and even some .edu) always to the
same machine from random high ports to a
monotonically increasing destination port.
However, the destination port seems a bit of an
odd one to be trying to connect to.

I 'investigated' some of the connecting machines
and what I can tell from those that were on static
ips is that they are Windows machines (surprise!)
running a whole gamut of services including
netbios-ns, ldap and irc-serv as well as dns and
http etc etc. And stateless firewalls.

Basically, has anyone seen this sort of thing
before? And if so what form of exploit is it
attempting? It's all bouncing off the firewall atm
and is pretty low traffic so I'm not overly
concerned, just puzzled.

Cheers,
               JB

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com


--
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland () SiliconDefense com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
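Jim's questions (timing between packets from one host, timing between different hosts' first attempts, whether a source repeats, and whether the source and destination ports follow a pattern) can be answered mechanically from the firewall log. The script below is an added example written for this archive page; it is not code from either poster. It assumes a simple log line format of `timestamp proto src:port -> dst:port` (real firewalls differ, so adjust `LINE_RE`), and the sample lines are constructed with private and documentation addresses rather than John's real A, B, C, D and X.

```python
"""Summarise a firewall log to answer the questions raised in the thread:
per-source packet timing, timing between sources, source-port reuse, and
destination-port progression. Log format and sample data are assumptions."""
from collections import OrderedDict
from datetime import datetime
import json
import re

# Constructed sample log (not real traffic). It mirrors the shape John
# describes: each source retries the same src/dst port pair three times,
# and the destination port steps up by one for each new source.
SAMPLE_LOG = """\
2002-01-19 17:01:00 TCP 10.1.1.1:1200 -> 192.0.2.10:41000
2002-01-19 17:01:03 TCP 10.1.1.1:1200 -> 192.0.2.10:41000
2002-01-19 17:01:09 TCP 10.1.1.1:1200 -> 192.0.2.10:41000
2002-01-19 17:04:00 TCP 10.2.2.2:1340 -> 192.0.2.10:41001
2002-01-19 17:04:03 TCP 10.2.2.2:1340 -> 192.0.2.10:41001
2002-01-19 17:04:09 TCP 10.2.2.2:1340 -> 192.0.2.10:41001
2002-01-19 17:07:00 TCP 10.3.3.3:2100 -> 192.0.2.10:41002
2002-01-19 17:07:03 TCP 10.3.3.3:2100 -> 192.0.2.10:41002
2002-01-19 17:07:09 TCP 10.3.3.3:2100 -> 192.0.2.10:41002
2002-01-19 17:10:00 TCP 10.4.4.4:1130 -> 192.0.2.10:41003
2002-01-19 17:10:03 TCP 10.4.4.4:1130 -> 192.0.2.10:41003
2002-01-19 17:10:09 TCP 10.4.4.4:1130 -> 192.0.2.10:41003
"""

# Assumed line format; change this to match the firewall actually in use.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Parse matching lines into dicts, keeping file order; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def by_source(records):
    """Group records by source address in first-seen order."""
    groups = OrderedDict()
    for r in records:
        groups.setdefault(r["src"], []).append(r)
    return groups


def intra_source_gaps(records):
    """Seconds between consecutive packets from the same source."""
    return {
        src: [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        for src, recs in by_source(records).items()
    }


def inter_source_gaps(records):
    """Seconds between the first packet of one source and the first packet of the next."""
    firsts = [recs[0]["ts"] for recs in by_source(records).values()]
    return [(b - a).total_seconds() for a, b in zip(firsts, firsts[1:])]


def source_ports(records):
    """Distinct source ports per source; one port per source suggests retries, not new connections."""
    return {src: sorted({r["sport"] for r in recs}) for src, recs in by_source(records).items()}


def dest_port_sequence(records):
    """Distinct destination ports in the order they were first seen."""
    seen = OrderedDict()
    for r in records:
        seen.setdefault(r["dport"], None)
    return list(seen)


def is_incrementing(ports, step=1):
    """True when every destination port is exactly `step` above the previous one."""
    return all(b - a == step for a, b in zip(ports, ports[1:]))


def summarize(text):
    """Answer the thread's questions in one dict."""
    recs = parse_log(text)
    ports = dest_port_sequence(recs)
    sp = source_ports(recs)
    return {
        "packets": len(recs),
        "sources": len(by_source(recs)),
        "intra_source_gaps": intra_source_gaps(recs),
        "inter_source_gaps": inter_source_gaps(recs),
        "source_ports": sp,
        "dest_ports": ports,
        "dest_port_incrementing": is_incrementing(ports),
        "sources_with_multiple_ports": [s for s, p in sp.items() if len(p) > 1],
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

On the constructed data the per-source gaps come out as 3 s then 6 s with the source port unchanged, which is what an operating system's SYN retransmission of a single unanswered connection attempt looks like, so the three log lines per source are more likely one attempt than three. Whether the real logs show the same depends on their timestamps, which is why the gaps are worth computing before deciding what the traffic is.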
