Security Incidents mailing list archives

Re: Portscanning from 211.42.135.14


From: Max Gribov <mgribov () KPLAB COM>
Date: Mon, 14 Aug 2000 14:20:18 -0400

looks like a sort of a hack attempt, for example, connection to ftpd could
indicate ftp exploit attempt, or a scanning tool used for probing for
exploits, and so on, but by no means take my word for it.
however, i portscanned this machine, and here is what i got:
Starting nmap V. 2.3BETA6 by Fyodor (fyodor () dhp com, www.insecure.org/nmap/)
Interesting ports on  (211.42.135.14):
Port    State       Protocol  Service
21      open        tcp       ftp
23      open        tcp       telnet
25      open        tcp       smtp
53      open        tcp       domain
80      open        tcp       http
110     open        tcp       pop-3
113     open        tcp       auth

later on, i connected to http on that machine, and it turned out to be a
korean machine. considering how many korean boxes were rooted recently, my
best guess would be someone rooted this one, and is using it as a platform
for scans/cracks. i think you should contact the site administrator of
211.42.135.14 and tell him/her about this. aq () aq co kr is the email address
i pulled off their website.
have fun reading korean : )

----- Original Message -----
From: Ben Ostrowsky <ostrowb () TBLC ORG>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Monday, August 14, 2000 9:51 AM
Subject: Portscanning from 211.42.135.14


The following attempts appeared in our syslog recently:

Aug 12 04:00:25 snoopy sshd[25585]: log: Connection from 211.42.135.14
port 1339
Aug 12 04:00:25 snoopy sshd[25585]: log: Could not reverse map address
211.42.135.14.
Aug 12 04:00:25 snoopy sshd[25585]: fatal: Did not receive ident string.
Aug 12 04:00:36 snoopy sshd[25592]: log: Connection from 211.42.135.14
port 1349
Aug 12 04:00:36 snoopy sshd[25592]: log: Could not reverse map address
211.42.135.14.
Aug 12 04:01:48 snoopy ftpd[25598]: lost connection to 211.42.135.14
[211.42.135.14]
Aug 12 04:01:48 snoopy sshd[25592]: fatal: Did not receive ident string.
Aug 12 04:00:19 snoopy imapd[25582]: connect from 211.42.135.14
Aug 12 04:00:25 snoopy imapd[25586]: connect from 211.42.135.14
Aug 12 04:00:25 snoopy in.ftpd[25588]: connect from 211.42.135.14
Aug 12 04:00:27 snoopy in.telnetd[25591]: warning: can't get client
address: Connection reset by peer
Aug 12 04:01:01 snoopy in.ftpd[25598]: connect from 211.42.135.14
Aug 12 04:01:52 snoopy in.telnetd[25711]: warning: can't get client
address: Connection reset by peer
Aug 12 04:00:21 snoopy imapd[25582]: command stream end of file, while
reading line user=??? host=[211.42.135.14]
Aug 12 04:00:24 snoopy ipop3d[25583]: Command stream end of file while
reading line user=??? host=[211.42.135.14]
Aug 12 04:00:25 snoopy imapd[25586]: command stream end of file, while
reading line user=??? host=[211.42.135.14]

I tried 'dig -x 211.42.135.14 soa' but got no useful information.  I'm
curious: does anyone know who just portscanned us?  Does the pattern look
familiar?

--
Ben Ostrowsky, Automation Services Technologist
Tampa Bay Library Consortium - http://www.tblc.org/


