Security Incidents mailing list archives
Re: Netbus portscan ( port 12345)
From: kraziej () TA2 SO-NET NE JP (James T. Perry)
Date: Fri, 23 Jun 2000 01:26:20 +0900
DATE : June 23rd, 2000
FROM : James T. Perry mailto:kraziej () ta2 so-net ne jp
!---------!---------!---------!---------!---------!---------!---------!

Hi,

I'm a newbie to the sf lists (btw very educative, thanks to all) and semi-newbie in *nix admin/security. (I apologize if I'm doing something wrong with my posting.)

Just for the sake of the scanning issue, below is a snippet from the syslog that logcheck barfed out at me while I was admin-ing a linux box (for a friend), and thanks to ipchains with the -l option, a NetBus scan got logged. What's interesting is the sweep (so it seems) of my friend's block of ip-addrs (nothing new, I guess...).

-- <hostname> and www.xx.yy.z are substituted names and numbers, but after the last z, I kept the digit so you can see that it was an actual sweep.

ciao,
j
-- no, i'm not kibo, though my inherited name sounds similar...
btw, if someone can create a search engine for my room, I will call them a Saint :P

Security Violations
=-=-=-=-=-=-=-=-=-=
Jun 20 19:41:50 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 210.216.111.81:3631 www.xx.yy.z4:12345 L=48 S=0x00 I=18753 F=0x4000 T=111 SYN (#22)
Jun 20 19:41:53 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 210.216.111.81:3631 www.xx.yy.z4:12345 L=48 S=0x00 I=19009 F=0x4000 T=111 SYN (#22)
Jun 20 19:41:55 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 210.216.111.81:3632 www.xx.yy.z5:12345 L=48 S=0x00 I=19265 F=0x4000 T=111 SYN (#22)
Jun 20 19:41:58 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 210.216.111.81:3632 www.xx.yy.z5:12345 L=48 S=0x00 I=19521 F=0x4000 T=111 SYN (#22)
Jun 20 19:42:00 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 210.216.111.81:3633 www.xx.yy.z6:12345 L=48 S=0x00 I=19777 F=0x4000 T=111 SYN (#22)
Jun 20 19:42:03 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 210.216.111.81:3633 www.xx.yy.z6:12345 L=48 S=0x00 I=20033 F=0x4000 T=111 SYN (#22)
Jun 20 19:42:05 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 210.216.111.81:3634 www.xx.yy.z7:12345 L=48 S=0x00 I=20289 F=0x4000 T=111 SYN (#22)
Jun 20 19:42:08 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 210.216.111.81:3634 www.xx.yy.z7:12345 L=48 S=0x00 I=20545 F=0x4000 T=111 SYN (#22)
Jun 20 19:42:15 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 210.216.111.81:3636 www.xx.yy.z9:12345 L=48 S=0x00 I=21313 F=0x4000 T=111 SYN (#22)
Jun 20 19:42:18 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 210.216.111.81:3636 www.xx.yy.z9:12345 L=48 S=0x00 I=21569 F=0x4000 T=111 SYN (#22)

Security Violations
=-=-=-=-=-=-=-=-=-=
Jun 21 01:21:29 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 216.206.93.77:2478 www.xx.yy.z4:12345 L=48 S=0x00 I=38451 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:32 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 216.206.93.77:2478 www.xx.yy.z4:12345 L=48 S=0x00 I=39219 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:35 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 216.206.93.77:2479 www.xx.yy.z5:12345 L=48 S=0x00 I=39731 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:37 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 216.206.93.77:2479 www.xx.yy.z5:12345 L=48 S=0x00 I=40499 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:40 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 216.206.93.77:2480 www.xx.yy.z6:12345 L=48 S=0x00 I=41267 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:43 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 216.206.93.77:2480 www.xx.yy.z6:12345 L=48 S=0x00 I=41523 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:45 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 216.206.93.77:2481 www.xx.yy.z7:12345 L=48 S=0x00 I=42291 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:48 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 216.206.93.77:2481 www.xx.yy.z7:12345 L=48 S=0x00 I=43059 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:55 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 216.206.93.77:2483 www.xx.yy.z9:12345 L=48 S=0x00 I=44595 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:58 <hostname> kernel: Packet log: input DENY eth1 PROTO=6 216.206.93.77:2483 www.xx.yy.z9:12345 L=48 S=0x00 I=45107 F=0x4000 T=110 SYN (#22)
!---------!---------!---------!---------!---------!---------!---------!
--
catch one lately? :)
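A small detector for the pattern in the post, written here as an added example and not taken from the post or from logcheck: it parses ipchains -l "Packet log" lines of the shape quoted above and reports any source whose dropped SYNs reached several distinct hosts on port 12345, which is what distinguishes a block sweep from a single stray probe. The hostname, the RFC 5737 addresses and every line in SAMPLE_LOG are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# One ipchains -l kernel log line per packet, in the format quoted in the post.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[^:\s]+):(?P<sport>\d+) (?P<dst>[^:\s]+):(?P<dport>\d+) (?P<rest>.*)$"
)

def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None if it does not match."""
    m = IPCHAINS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport"):
        rec[key] = int(rec[key])
    rec["syn"] = "SYN" in rec["rest"]  # TCP flags sit in the trailing field list
    return rec

def find_sweeps(lines, port=12345, min_hosts=3, year=2000):
    """Sources whose dropped TCP SYNs hit at least min_hosts distinct hosts on port.
    The syslog timestamp carries no year, so one is supplied to compute the span."""
    first_seen = defaultdict(dict)  # src -> {dst host: time of first SYN}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["target"] != "DENY" or rec["proto"] != 6 or not rec["syn"]:
            continue
        if rec["dport"] != port:
            continue
        ts = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
        first_seen[rec["src"]].setdefault(rec["dst"], ts)  # retransmits keep the first time
    sweeps = {}
    for src, hosts in first_seen.items():
        if len(hosts) >= min_hosts:
            times = sorted(hosts.values())
            sweeps[src] = {"hosts": sorted(hosts), "span_seconds": int((times[-1] - times[0]).total_seconds())}
    return sweeps

SAMPLE_LOG = [  # constructed lines (RFC 5737 addresses) mirroring the sweep in the post
    "Jun 20 19:41:50 fw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.7:3631 192.0.2.4:12345 L=48 S=0x00 I=18753 F=0x4000 T=111 SYN (#22)",
    "Jun 20 19:41:53 fw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.7:3631 192.0.2.4:12345 L=48 S=0x00 I=19009 F=0x4000 T=111 SYN (#22)",
    "Jun 20 19:41:55 fw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.7:3632 192.0.2.5:12345 L=48 S=0x00 I=19265 F=0x4000 T=111 SYN (#22)",
    "Jun 20 19:42:00 fw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.7:3633 192.0.2.6:12345 L=48 S=0x00 I=19777 F=0x4000 T=111 SYN (#22)",
    "Jun 20 19:42:05 fw kernel: Packet log: input DENY eth1 PROTO=6 198.51.100.7:3634 192.0.2.7:12345 L=48 S=0x00 I=20289 F=0x4000 T=111 SYN (#22)",
    "Jun 20 19:42:09 fw kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.9:1040 192.0.2.4:12345 L=48 S=0x00 I=20545 F=0x4000 T=64 SYN (#22)",
    "Jun 20 19:42:11 fw kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.9:1041 192.0.2.4:80 L=48 S=0x00 I=20546 F=0x4000 T=64 SYN (#22)",
]
```

Feeding a real logcheck report through find_sweeps separates the single probe from 203.0.113.9 (one host) from the walk across four hosts by 198.51.100.7.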