Security Incidents mailing list archives
Re: Odd connection attempts from many addresses
From: James Hoagland <hoagland () SiliconDefense com>
Date: Fri, 25 Jan 2002 09:27:20 -0800
Hello John,

Have you looked into whether your host X is advertising a service on the ports in question? A game server or some such.

Also, what is the timing between packets from a given host? How about between different hosts' attempts? Does that vary, or is it fairly consistent?

Does a source address repeat itself? If so, is there a pattern in the source ports used? Are there any patterns in the source ports used by the different sources?

Regards,
Jim

At 6:37 PM +0000 1/19/02, John Bland wrote:
Hi,

I've been seeing, over the past week, a constant stream of odd connection attempts to two of my machines. The firewall logs show things like (where A, B, C, D are addresses in quite separate address spaces and X is the local machine):

A:1200 X:41000
A:1200 X:41000
A:1200 X:41000
B:1340 X:41001
B:1340 X:41001
B:1340 X:41001
C:2100 X:41002
C:2100 X:41002
C:2100 X:41002
D:1130 X:41003
D:1130 X:41003
D:1130 X:41003

(all TCP)

i.e. we're receiving connection attempts from quite varied addresses (all types of UK dialup and ADSL, the odd ac.uk and even some .edu), always to the same machine, from random high ports to a monotonically increasing destination port. However, the destination port seems a bit of an odd one to be trying to connect to.

I 'investigated' some of the connecting machines, and what I can tell from those that were on static IPs is that they are Windows machines (surprise!) running a whole gamut of services including netbios-ns, ldap and irc-serv as well as dns and http etc. etc. And stateless firewalls.

Basically, has anyone seen this sort of thing before? And if so, what form of exploit is it attempting? It's all bouncing off the firewall atm and is pretty low traffic, so I'm not overly concerned, just puzzled.

Cheers,
JB

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoagland () SiliconDefense com, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
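Jim's questions (does a source repeat, is the spacing between retries consistent, is the spacing between different sources consistent, do source ports follow a pattern, does the destination port step up by one) are exactly the measurements a firewall log can answer. The script below is an added example, not code from either poster; it parses a constructed log in a hypothetical "timestamp src:port -> dst:port TCP" format (the thread's own log format is not shown, and the sample addresses are RFC 5737 documentation ranges) and computes those per-source and cross-source statistics so the pattern can be characterised before deciding whether it is hostile.

```python
"""Summarise repeated inbound connection attempts from a firewall log.

Answers: which sources repeat, how their retries are spaced, how the
first attempts from successive sources are spaced, whether each source
sticks to one source port, and whether the destination port climbs.
"""
import re
from collections import OrderedDict
from datetime import datetime

# Assumed log shape (hypothetical; not the format from the thread):
# "<ISO timestamp> <src_ip>:<sport> -> <dst_ip>:<dport> TCP"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+TCP$"
)

# Constructed sample: four remote hosts, each retrying the same connection
# three times, destination port increasing by one per new source.
SAMPLE_LOG = """\
2002-01-19T18:00:00 192.0.2.10:1200 -> 198.51.100.5:41000 TCP
2002-01-19T18:00:03 192.0.2.10:1200 -> 198.51.100.5:41000 TCP
2002-01-19T18:00:09 192.0.2.10:1200 -> 198.51.100.5:41000 TCP
2002-01-19T18:02:00 192.0.2.20:1340 -> 198.51.100.5:41001 TCP
2002-01-19T18:02:03 192.0.2.20:1340 -> 198.51.100.5:41001 TCP
2002-01-19T18:02:09 192.0.2.20:1340 -> 198.51.100.5:41001 TCP
2002-01-19T18:04:00 203.0.113.7:2100 -> 198.51.100.5:41002 TCP
2002-01-19T18:04:03 203.0.113.7:2100 -> 198.51.100.5:41002 TCP
2002-01-19T18:04:09 203.0.113.7:2100 -> 198.51.100.5:41002 TCP
2002-01-19T18:06:00 192.0.2.30:1130 -> 198.51.100.5:41003 TCP
2002-01-19T18:06:03 192.0.2.30:1130 -> 198.51.100.5:41003 TCP
2002-01-19T18:06:09 192.0.2.30:1130 -> 198.51.100.5:41003 TCP
"""


def parse_log(text):
    """Turn log lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]),
        })
    return records


def summarize(records):
    """Per-source retry statistics plus cross-source sequencing."""
    per_source = OrderedDict()  # keeps first-seen order of each source
    for r in records:
        s = per_source.setdefault(r["src"], {
            "attempts": 0, "sports": set(), "dports": set(), "times": []})
        s["attempts"] += 1
        s["sports"].add(r["sport"])
        s["dports"].add(r["dport"])
        s["times"].append(r["ts"])
    for s in per_source.values():
        ts = sorted(s["times"])
        # seconds between successive attempts from the same source
        s["retry_gaps"] = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        s["first_seen"] = ts[0]

    firsts = [s["first_seen"] for s in per_source.values()]
    dports = [min(s["dports"]) for s in per_source.values()]
    steps = [b - a for a, b in zip(dports, dports[1:])]
    return {
        "sources": len(per_source),
        "per_source": per_source,
        "dport_sequence": dports,
        "dport_monotonic": all(step > 0 for step in steps),
        "dport_steps": sorted(set(steps)),
        # seconds between the first attempt of one source and the next
        "gaps_between_sources": [(b - a).total_seconds()
                                 for a, b in zip(firsts, firsts[1:])],
        "repeat_sources": [src for src, s in per_source.items()
                           if s["attempts"] > 1],
        "sources_with_fixed_sport": [src for src, s in per_source.items()
                                     if len(s["sports"]) == 1],
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    print("sources:", summary["sources"])
    print("dst ports in arrival order:", summary["dport_sequence"],
          "monotonic:", summary["dport_monotonic"], "steps:", summary["dport_steps"])
    print("seconds between new sources:", summary["gaps_between_sources"])
    for src, s in summary["per_source"].items():
        print(f"{src}: {s['attempts']} attempts, sports={sorted(s['sports'])}, "
              f"retry gaps={s['retry_gaps']}")
```

Reading the output the way Jim suggests: a fixed, short retry spacing within each source combined with a single unchanging source port per source is what a client TCP stack produces when it retransmits an unanswered SYN, while the spacing between different sources and the destination-port step are what tell you whether the remote hosts are being coordinated or are simply reacting to something (such as a stale advertisement) on their own schedule.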
Current thread:
- Odd connection attempts from many addresses John Bland (Jan 19)
- Re: Odd connection attempts from many addresses James Hoagland (Jan 25)
- Re: Odd connection attempts from many addresses John Bland (Jan 25)
- Re: Odd connection attempts from many addresses James Hoagland (Jan 25)