Security Incidents mailing list archives

Strange distributed scan/probe activity


From: Rich Puhek <rpuhek () ETNSYSTEMS COM>
Date: Mon, 24 Jul 2000 11:24:16 -0500

I recently noticed some strange activity in the syslog of one of my
servers. Starting at about 3:50 AM local time, I saw a series of
connections from various points outside my network. The source machine
would make two connections to the FTP port, two to the POP port, and,
most of the time, two to the SMTP port. A few minutes later, the pattern
would repeat, this time from a different machine.

Judging by the slow connection rate, this is not a DDOS attempt. I'm
assuming the choice of using many source machines was made to elude IDS
systems.

Has anyone seen anything similar? I've seen info on DDOS, but nothing on
a concentrated distributed scan like this.

Following is a snippet of the relevant entries from the syslog
(hostnames and IP addresses sanitized). The original source addresses
had various origins. A bunch appeared to originate in Texas, a few from
Canada.

--Rich

Jul 11 03:51:45 myserver in.ftpd[15154]: connect from SOURCE1
Jul 11 03:51:45 myserver in.ftpd[15155]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15156]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15156]: @SOURCE1: -ERR POP EOF received
Jul 11 03:51:46 myserver in.qpopper[15157]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15157]: @SOURCE1: -ERR POP EOF received

Jul 11 03:55:41 myserver in.ftpd[15166]: connect from SOURCE2
Jul 11 03:55:41 myserver in.ftpd[15167]: connect from SOURCE2
Jul 11 03:55:41 myserver in.qpopper[15168]: connect from SOURCE2
Jul 11 03:55:41 myserver in.qpopper[15168]: @SOURCE2: -ERR POP EOF received
Jul 11 03:55:41 myserver in.qpopper[15169]: connect from SOURCE2
Jul 11 03:55:41 myserver in.qpopper[15169]: @SOURCE2: -ERR POP EOF received

Jul 11 03:58:20 myserver in.ftpd[15174]: connect from SOURCE3
Jul 11 03:58:20 myserver in.ftpd[15175]: connect from SOURCE3
Jul 11 03:58:20 myserver in.qpopper[15176]: connect from SOURCE3
Jul 11 03:58:20 myserver in.qpopper[15176]: @SOURCE3: -ERR POP EOF received
Jul 11 03:58:20 myserver in.qpopper[15177]: connect from SOURCE3
Jul 11 03:58:20 myserver in.qpopper[15177]: @SOURCE3: -ERR POP EOF received

Jul 11 04:01:07 myserver in.ftpd[15187]: connect from SOURCE4
Jul 11 04:01:07 myserver in.ftpd[15188]: connect from SOURCE4
Jul 11 04:01:07 myserver in.qpopper[15189]: connect from SOURCE4
Jul 11 04:01:07 myserver in.qpopper[15189]: @SOURCE4: -ERR POP EOF received
Jul 11 04:01:08 myserver in.qpopper[15190]: connect from SOURCE4
Jul 11 04:01:08 myserver in.qpopper[15190]: @SOURCE4: -ERR POP EOF received

Jul 11 04:01:35 myserver in.qpopper[15191]: connect from xxx.yyy.zzz.48
Jul 11 04:01:35 myserver in.qpopper[15191]: (v2.3) Unable to get canonical name of client, err = 2

Jul 11 04:03:52 myserver in.ftpd[15195]: connect from SOURCE5
Jul 11 04:03:52 myserver in.ftpd[15196]: connect from SOURCE5
Jul 11 04:03:52 myserver in.qpopper[15197]: connect from SOURCE5
Jul 11 04:03:52 myserver in.qpopper[15197]: @SOURCE5: -ERR POP EOF received
Jul 11 04:03:53 myserver in.qpopper[15198]: connect from SOURCE5
Jul 11 04:03:53 myserver in.qpopper[15198]: @SOURCE5: -ERR POP EOF received
Jul 11 04:03:54 myserver sendmail[15199]: NOQUEUE: Null connection from SOURCE5 [www.xxx.yyy.zzz]
Jul 11 04:03:54 myserver sendmail[15200]: NOQUEUE: Null connection from SOURCE5 [www.xxx.yyy.zzz]


--
__________________________________________________________

Rich Puhek
ETN Systems Inc.
2125 1st Ave East
Hibbing MN 55746

tel:   218.262.1130
email: rpuhek () etnsystems com
_________________________________________________________
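The per-host signature in the post (a burst of FTP and POP connections, sometimes SMTP too, then a different source a few minutes later) can be pulled out of tcpd/sendmail syslog lines automatically. The following is an added example, not code from the original post: the sample log, the 10-second burst window and the 10-minute gap between sources are constructed assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the post's syslog format (hostnames sanitized); the
# "-ERR POP EOF received" line belongs to a session already counted above it.
SAMPLE_LOG = """\
Jul 11 03:51:45 myserver in.ftpd[15154]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15156]: connect from SOURCE1
Jul 11 03:51:46 myserver in.qpopper[15156]: @SOURCE1: -ERR POP EOF received
Jul 11 03:55:41 myserver in.ftpd[15166]: connect from SOURCE2
Jul 11 03:55:41 myserver in.qpopper[15168]: connect from SOURCE2
Jul 11 04:03:52 myserver in.ftpd[15195]: connect from SOURCE5
Jul 11 04:03:53 myserver in.qpopper[15197]: connect from SOURCE5
Jul 11 04:03:54 myserver sendmail[15199]: NOQUEUE: Null connection from SOURCE5 [www.xxx.yyy.zzz]
Jul 11 09:12:00 myserver in.qpopper[16000]: connect from LEGIT1
"""
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (?P<svc>[\w.]+)\[\d+\]: "
    r"(?:connect from|NOQUEUE: Null connection from) (?P<src>\S+)")

def parse_connections(text, year=2000):
    # Yield (timestamp, service, source) per connection-open line; syslog omits the year.
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["svc"], m["src"]

def probe_sources(text, min_services=2, burst_seconds=10):
    # Per-host signature: >= min_services distinct services within burst_seconds of first contact.
    by_src = {}
    for ts, svc, src in parse_connections(text):
        by_src.setdefault(src, []).append((ts, svc))
    flagged = {}
    for src, events in by_src.items():
        first = min(ts for ts, _ in events)
        svcs = {svc for ts, svc in events if (ts - first).total_seconds() <= burst_seconds}
        if len(svcs) >= min_services:
            flagged[src] = (first, tuple(sorted(svcs)))
    return flagged

def distributed_campaign(flagged, gap_minutes=10, min_sources=2):
    # Chain flagged hosts whose bursts start within gap_minutes of the previous one (rotating sources).
    chains = []
    for src, (first, _) in sorted(flagged.items(), key=lambda kv: kv[1][0]):
        if chains and (first - chains[-1][-1][1]).total_seconds() <= gap_minutes * 60:
            chains[-1].append((src, first))
        else:
            chains.append([(src, first)])
    return [[s for s, _ in c] for c in chains if len(c) >= min_sources]
```

A single host touching several services is an ordinary scan; the chain of different hosts with the same signature a few minutes apart is what separates this pattern from a normal client.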

