Security Incidents mailing list archives
Strange distributed scan/probe activity
From: Rich Puhek <rpuhek () ETNSYSTEMS COM>
Date: Mon, 24 Jul 2000 11:24:16 -0500
I recently noticed some strange activity in the syslog of one of my servers. Starting at about 3:50 AM local time, I saw a series of connections from various points outside my network. The source machine would make two connections to the FTP port, two to the POP port, and, most of the time, two to the SMTP port. A few minutes later, the pattern would repeat, this time from a different machine. Judging by the slow connection rate, this is not a DDOS attempt. I'm assuming the choice of using many source machines was made to elude IDS systems.

Has anyone seen anything similar? I've seen info on DDOS, but nothing on a concentrated distributed scan like this.

Following is a snippet of the relevant entries from the syslog (hostnames and IP addresses sanitized). The original source addresses had various origins. A bunch appeared to originate in Texas, a few from Canada.

--Rich

Jul 11 03:51:45 myserver in.ftpd[15154]: connect from SOURCE1
Jul 11 03:51:45 myserver in.ftpd[15155]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15156]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15156]: @SOURCE1: -ERR POP EOF received
Jul 11 03:51:46 myserver in.qpopper[15157]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15157]: @SOURCE1: -ERR POP EOF received
Jul 11 03:55:41 myserver in.ftpd[15166]: connect from SOURCE2
Jul 11 03:55:41 myserver in.ftpd[15167]: connect from SOURCE2
Jul 11 03:55:41 myserver in.qpopper[15168]: connect from SOURCE2
Jul 11 03:55:41 myserver in.qpopper[15168]: @SOURCE2: -ERR POP EOF received
Jul 11 03:55:41 myserver in.qpopper[15169]: connect from SOURCE2
Jul 11 03:55:41 myserver in.qpopper[15169]: @SOURCE2: -ERR POP EOF received
Jul 11 03:58:20 myserver in.ftpd[15174]: connect from SOURCE3
Jul 11 03:58:20 myserver in.ftpd[15175]: connect from SOURCE3
Jul 11 03:58:20 myserver in.qpopper[15176]: connect from SOURCE3
Jul 11 03:58:20 myserver in.qpopper[15176]: @SOURCE3: -ERR POP EOF received
Jul 11 03:58:20 myserver in.qpopper[15177]: connect from SOURCE3
Jul 11 03:58:20 myserver in.qpopper[15177]: @SOURCE3: -ERR POP EOF received
Jul 11 04:01:07 myserver in.ftpd[15187]: connect from SOURCE4
Jul 11 04:01:07 myserver in.ftpd[15188]: connect from SOURCE4
Jul 11 04:01:07 myserver in.qpopper[15189]: connect from SOURCE4
Jul 11 04:01:07 myserver in.qpopper[15189]: @SOURCE4: -ERR POP EOF received
Jul 11 04:01:08 myserver in.qpopper[15190]: connect from SOURCE4
Jul 11 04:01:08 myserver in.qpopper[15190]: @SOURCE4: -ERR POP EOF received
Jul 11 04:01:35 myserver in.qpopper[15191]: connect from xxx.yyy.zzz.48
Jul 11 04:01:35 myserver in.qpopper[15191]: (v2.3) Unable to get canonical name of client, err = 2
Jul 11 04:03:52 myserver in.ftpd[15195]: connect from SOURCE5
Jul 11 04:03:52 myserver in.ftpd[15196]: connect from SOURCE5
Jul 11 04:03:52 myserver in.qpopper[15197]: connect from SOURCE5
Jul 11 04:03:52 myserver in.qpopper[15197]: @SOURCE5: -ERR POP EOF received
Jul 11 04:03:53 myserver in.qpopper[15198]: connect from SOURCE5
Jul 11 04:03:53 myserver in.qpopper[15198]: @SOURCE5: -ERR POP EOF received
Jul 11 04:03:54 myserver sendmail[15199]: NOQUEUE: Null connection from SOURCE5 [www.xxx.yyy.zzz]
Jul 11 04:03:54 myserver sendmail[15200]: NOQUEUE: Null connection from SOURCE5 [www.xxx.yyy.zzz]

--
__________________________________________________________
Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746
tel: 218.262.1130
email: rpuhek () etnsystems com
_________________________________________________________
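As an added example (not part of the original post, and not Rich's code), here is a small Python detector for the pattern he describes: it parses syslog lines in the format shown above (in.ftpd / in.qpopper "connect from", sendmail "NOQUEUE: Null connection from"), profiles each source host, flags hosts that touch several services with only a couple of connections each inside a short window, and then looks for a run of such hosts arriving a few minutes apart, which is what makes a slow distributed probe stand out from ordinary client traffic. The sample log, the host names and the thresholds (60 s per-source window, 10 min maximum gap between sources, at least three sources) are constructed for the example.

```python
"""Flag the slow, multi-service, many-source probe pattern from syslog."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the post's format (not the original log).
# SOURCE1/SOURCE2/SOURCE5 mimic the probe; MAILCLIENT is a normal POP user.
SAMPLE_LOG = """\
Jul 11 03:51:45 myserver in.ftpd[15154]: connect from SOURCE1
Jul 11 03:51:45 myserver in.ftpd[15155]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15156]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15156]: @SOURCE1: -ERR POP EOF received
Jul 11 03:51:46 myserver in.qpopper[15157]: connect from SOURCE1
Jul 11 03:55:41 myserver in.ftpd[15166]: connect from SOURCE2
Jul 11 03:55:41 myserver in.ftpd[15167]: connect from SOURCE2
Jul 11 03:55:41 myserver in.qpopper[15168]: connect from SOURCE2
Jul 11 03:55:41 myserver in.qpopper[15169]: connect from SOURCE2
Jul 11 04:03:52 myserver in.ftpd[15195]: connect from SOURCE5
Jul 11 04:03:54 myserver sendmail[15199]: NOQUEUE: Null connection from SOURCE5 [www.xxx.yyy.zzz]
Jul 11 04:03:54 myserver sendmail[15200]: NOQUEUE: Null connection from SOURCE5 [www.xxx.yyy.zzz]
Jul 11 09:15:00 myserver in.qpopper[16000]: connect from MAILCLIENT
"""

# Matches the two "connection opened" line shapes seen in the post; the
# "-ERR POP EOF received" lines are deliberately not matched (they are the
# client hanging up without sending a command, not a new connection).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<daemon>[\w.]+)\[\d+\]: "
    r"(?:connect from|NOQUEUE: Null connection from) (?P<src>\S+)"
)
SERVICE_OF = {"in.ftpd": "ftp", "in.qpopper": "pop", "sendmail": "smtp"}


def parse_events(text):
    """Return (timestamp, service, source) for each connection line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["daemon"] not in SERVICE_OF:
            continue
        # syslog carries no year; year defaults to 1900, fine for ordering.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, SERVICE_OF[m["daemon"]], m["src"]))
    return events


def profile_sources(events):
    """Per source: first/last seen and connection count per service."""
    profiles = {}
    for ts, service, src in events:
        p = profiles.setdefault(src, {"first": ts, "last": ts, "hits": defaultdict(int)})
        p["first"] = min(p["first"], ts)
        p["last"] = max(p["last"], ts)
        p["hits"][service] += 1
    return profiles


def flag_probing_sources(profiles, min_services=2, max_per_service=3, window_s=60):
    """Sources that touched several services, lightly, within a short window."""
    flagged = []
    for src, p in profiles.items():
        span = (p["last"] - p["first"]).total_seconds()
        if (len(p["hits"]) >= min_services
                and max(p["hits"].values()) <= max_per_service
                and span <= window_s):
            flagged.append(src)
    return sorted(flagged, key=lambda s: profiles[s]["first"])


def find_campaign(profiles, flagged, min_sources=3, max_gap_s=600):
    """Longest run of flagged sources whose first contacts are a few minutes apart."""
    ordered = sorted(flagged, key=lambda s: profiles[s]["first"])
    runs, current = [], []
    for src in ordered:
        if current:
            gap = (profiles[src]["first"] - profiles[current[-1]]["first"]).total_seconds()
            if gap > max_gap_s:
                runs.append(current)
                current = []
        current.append(src)
    runs.append(current)
    best = max(runs, key=len)
    return best if len(best) >= min_sources else []


if __name__ == "__main__":
    prof = profile_sources(parse_events(SAMPLE_LOG))
    hosts = flag_probing_sources(prof)
    for h in hosts:
        print(h, dict(prof[h]["hits"]), prof[h]["first"].time())
    print("coordinated run:", find_campaign(prof, hosts))
```

The per-source test alone would also flag a single clumsy scanner; the second pass (several distinct sources, each probing once, spaced a few minutes apart) is what distinguishes the distributed variant, and it only becomes visible once events are correlated across sources rather than judged one host at a time.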
Current thread:
- Strange distributed scan/probe activity Rich Puhek (Jul 24)
- Re: Strange distributed scan/probe activity Fredrik Ostergren (Jul 26)
- Re: Strange distributed scan/probe activity Rich Puhek (Jul 27)
- Re: Strange distributed scan/probe activity Fredrik Ostergren (Jul 26)