Security Incidents mailing list archives

Re: Netbus portscan ( port 12345)


From: kraziej () TA2 SO-NET NE JP (James T. Perry)
Date: Fri, 23 Jun 2000 01:26:20 +0900


  DATE : June 23rd, 2000
  FROM : James T. Perry
 mailto:kraziej () ta2 so-net ne jp
!---------!---------!---------!---------!---------!---------!---------!

Hi,

I'm a newbie to the sf lists (btw very educative, thanks to all)
and semi-newbie in *nix admin/security.
(I apologize if I'm doing something wrong with my posting)

Just for the sake of scanning issue, below is a snippet from the
syslog that logcheck barfed out at me while I was admin-ing a linux
box (for a friend), and thanks to ip-chains with the -l option,
a net-bus scan got logged.

What's interesting is the sweep (so it seems) of my friend's block of
ip-addrs (nothing new, I guess...).
  -- <hostname> and www.xx.yy.z are substituted names and numbers,
but after the last z, I kept the digit so you can see that it was
an actual sweep.

ciao,

j

-- no, i'm not kibo, though my inherited name sounds similar...
   btw, if someone can create a search engine for my room, I
   will call them a Saint :P

Security Violations
=-=-=-=-=-=-=-=-=-=
Jun 20 19:41:50 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 210.216.111.81:3631 www.xx.yy.z4:12345 L=48 S=0x00 I=18753
 F=0x4000 T=111 SYN (#22)
Jun 20 19:41:53 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 210.216.111.81:3631 www.xx.yy.z4:12345 L=48 S=0x00 I=19009
 F=0x4000 T=111 SYN (#22)
Jun 20 19:41:55 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 210.216.111.81:3632 www.xx.yy.z5:12345 L=48 S=0x00 I=19265
 F=0x4000 T=111 SYN (#22)
Jun 20 19:41:58 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 210.216.111.81:3632 www.xx.yy.z5:12345 L=48 S=0x00 I=19521
 F=0x4000 T=111 SYN (#22)
Jun 20 19:42:00 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 210.216.111.81:3633 www.xx.yy.z6:12345 L=48 S=0x00 I=19777
 F=0x4000 T=111 SYN (#22)
Jun 20 19:42:03 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 210.216.111.81:3633 www.xx.yy.z6:12345 L=48 S=0x00 I=20033
 F=0x4000 T=111 SYN (#22)
Jun 20 19:42:05 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 210.216.111.81:3634 www.xx.yy.z7:12345 L=48 S=0x00 I=20289
 F=0x4000 T=111 SYN (#22)
Jun 20 19:42:08 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 210.216.111.81:3634 www.xx.yy.z7:12345 L=48 S=0x00 I=20545
 F=0x4000 T=111 SYN (#22)
Jun 20 19:42:15 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 210.216.111.81:3636 www.xx.yy.z9:12345 L=48 S=0x00 I=21313
 F=0x4000 T=111 SYN (#22)
Jun 20 19:42:18 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 210.216.111.81:3636 www.xx.yy.z9:12345 L=48 S=0x00 I=21569
 F=0x4000 T=111 SYN (#22)

Security Violations
=-=-=-=-=-=-=-=-=-=
Jun 21 01:21:29 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 216.206.93.77:2478 www.xx.yy.z4:12345 L=48 S=0x00 I=38451
 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:32 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 216.206.93.77:2478 www.xx.yy.z4:12345 L=48 S=0x00 I=39219
 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:35 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 216.206.93.77:2479 www.xx.yy.z5:12345 L=48 S=0x00 I=39731
 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:37 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 216.206.93.77:2479 www.xx.yy.z5:12345 L=48 S=0x00 I=40499
 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:40 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 216.206.93.77:2480 www.xx.yy.z6:12345 L=48 S=0x00 I=41267
 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:43 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 216.206.93.77:2480 www.xx.yy.z6:12345 L=48 S=0x00 I=41523
 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:45 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 216.206.93.77:2481 www.xx.yy.z7:12345 L=48 S=0x00 I=42291
 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:48 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 216.206.93.77:2481 www.xx.yy.z7:12345 L=48 S=0x00 I=43059
 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:55 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 216.206.93.77:2483 www.xx.yy.z9:12345 L=48 S=0x00 I=44595
 F=0x4000 T=110 SYN (#22)
Jun 21 01:21:58 <hostname> kernel: Packet log: input DENY eth1 PROTO=6
 216.206.93.77:2483 www.xx.yy.z9:12345 L=48 S=0x00 I=45107
 F=0x4000 T=110 SYN (#22)

!---------!---------!---------!---------!---------!---------!---------!
-- catch one lately? :)
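The sweep pattern in the snippet above (one source, one destination port, consecutive target addresses, two SYNs per host) can be picked out of logcheck output mechanically. The following is an added example, not code from the original post: a small Python parser for ipchains `-l` "Packet log" records in the wrapped layout the mail shows, plus a whole-span sweep check. The embedded sample log is constructed with documentation addresses, and the thresholds (3 hosts within 60 s) are assumed, not taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# One ipchains "Packet log" record laid out as in the post (destination matched loosely: names there are substituted).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: (?P<chain>\S+) (?P<verdict>\S+) "
    r"(?P<iface>\S+) PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) (?P<rest>.*)$")

# Constructed sample (RFC 5737 documentation addresses), wrapped the way the post's mail client wrapped it.
SAMPLE_LOG = """\
Jun 20 19:41:50 fw kernel: Packet log: input DENY eth1 PROTO=6
 192.0.2.10:3631 198.51.100.4:12345 L=48 S=0x00 I=18753
 F=0x4000 T=111 SYN (#22)
Jun 20 19:41:55 fw kernel: Packet log: input DENY eth1 PROTO=6
 192.0.2.10:3632 198.51.100.5:12345 L=48 S=0x00 I=19265
 F=0x4000 T=111 SYN (#22)
Jun 20 19:42:00 fw kernel: Packet log: input DENY eth1 PROTO=6
 192.0.2.10:3633 198.51.100.6:12345 L=48 S=0x00 I=19777
 F=0x4000 T=111 SYN (#22)
Jun 20 19:42:30 fw kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.7:40000 198.51.100.4:80 L=48 S=0x00 I=1 F=0x4000 T=64 SYN (#22)
"""

def parse(text, year=2000):
    """Re-join mail-wrapped records (continuation lines start with a space), then yield each matching record's fields plus a datetime."""
    records = []
    for line in filter(str.strip, text.splitlines()):  # skip blank lines
        if line[0].isspace() and records:
            records[-1] += " " + line.strip()
        else:
            records.append(line.rstrip())
    for m in filter(None, map(LOG_RE.match, records)):
        d = m.groupdict()
        d["time"] = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
        yield d

def find_sweeps(text, min_hosts=3, window_s=60):
    """Flag sources whose denied SYNs to one port hit >= min_hosts distinct hosts within window_s seconds (whole-span check)."""
    by_src = defaultdict(list)
    for d in parse(text):
        if d["verdict"] == "DENY" and "SYN" in d["rest"].split():
            by_src[(d["src"], int(d["dport"]))].append((d["time"], d["dst"]))
    sweeps = []
    for (src, dport), hits in by_src.items():
        hosts = sorted({h for _, h in hits})
        span = (max(hits)[0] - min(hits)[0]).total_seconds()
        if len(hosts) >= min_hosts and span <= window_s:
            sweeps.append({"src": src, "dport": dport, "hosts": hosts, "span_s": span})
    return sweeps
```

Feed it the "Security Violations" block from a logcheck mail and it reports the source, port and host list of each sweep; the single unrelated denied SYN in the sample is not flagged.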

