Security Incidents mailing list archives

Two scans (Klogin and a trojan?)


From: jose () BIOCSERVER BIOC CWRU EDU (Jose Nazario)
Date: Sun, 21 May 2000 13:13:29 -0400


Hi all,

[All local hostnames munged, all source IPs and names are what was
recorded.]

I wanted to report on two quick scans I caught this weekend. Coming back
from a vacation to find some suspicious log entries sucks, but hey, life
would be boring without it.

The first is in regards to the recent Kerberos vulnerabilities (see the
CERT advisory), someone probing for Klogin ports:

May 19 05:27:16 server kernel: TCP connection rejected from 194.252.152.4,
port 543

Now, this is rather worrisome:

        Name:    ns2.keminmaa.fi
        Address:  194.252.152.4

It is named as nameserver (ns2) and, sure enough, responds as one. I hope
it's not a rooted BIND8 server, but they'd be in good company if it is.

The second appears to be a trojan scan, but I could find nothing
associated with that port (any ideas?):

May 20 06:04:45 server kernel: TCP connection rejected from 210.55.227.64,
port 27374

Looks like a customer having fun or a compromised box:

        Name:    pp2-64.world-net.co.nz
        Address:  210.55.227.64

All times are in CDT (GMT-4) with the clock running fast by about 10
minutes.

See y'all around,

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
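As an added illustration (not part of Jose's post or any tool he mentions), here is a small Python triage script for the kind of `TCP connection rejected` kernel log lines quoted above. It parses each reject line, corrects the timestamp for the roughly 10-minute clock skew the post reports, labels port 543 as klogin as the post does, and groups the hits by source address. The sample log is constructed for this example: it unwraps the two lines quoted in the post, adds a second hit from the same source, and adds an unrelated sshd line to show that non-reject lines are skipped. The year 2000 is an assumption taken from the message date, since syslog timestamps carry no year; port 27374 is deliberately left unlabelled, mirroring the post's unanswered question.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, modelled on the two entries quoted in the post
# (unwrapped onto single lines) plus one repeat hit and one unrelated line.
SAMPLE_LOG = """\
May 19 05:27:16 server kernel: TCP connection rejected from 194.252.152.4, port 543
May 20 06:04:45 server kernel: TCP connection rejected from 210.55.227.64, port 27374
May 20 06:04:47 server kernel: TCP connection rejected from 210.55.227.64, port 27374
May 20 09:15:02 server sshd[1234]: Accepted password for jose from 10.0.0.5
"""

# Port labels: 543 is klogin, as stated in the post. 27374 is intentionally
# absent because the post could not associate it with any service.
KNOWN_PORTS = {543: "klogin (Kerberos rlogin)"}

# Matches the reject line format shown in the post.
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) kernel: TCP connection rejected from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}), port (?P<port>\d+)$"
)

# Assumption from the post: the logging host's clock runs about 10 minutes fast.
CLOCK_FAST_BY = timedelta(minutes=10)


def parse_rejects(text, year=2000, skew=CLOCK_FAST_BY):
    """Return one dict per 'TCP connection rejected' line.

    Syslog timestamps have no year, so the caller supplies one (2000 here,
    taken from the message date). Each timestamp is corrected by subtracting
    the reported clock skew so it can be compared with other hosts' logs.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a reject line (e.g. the sshd entry); skip it
        stamp = f"{m['mon']} {m['day']} {year} {m['time']}"
        ts = datetime.strptime(stamp, "%b %d %Y %H:%M:%S")
        port = int(m["port"])
        events.append({
            "time": ts - skew,
            "src": m["src"],
            "port": port,
            "service": KNOWN_PORTS.get(port, "unknown"),
        })
    return events


def summarize_by_source(events):
    """Group reject events by source IP: hit count and the set of ports probed."""
    summary = {}
    for ev in events:
        entry = summary.setdefault(ev["src"], {"count": 0, "ports": set()})
        entry["count"] += 1
        entry["ports"].add(ev["port"])
    return summary


if __name__ == "__main__":
    evs = parse_rejects(SAMPLE_LOG)
    for src, info in summarize_by_source(evs).items():
        ports = ", ".join(f"{p} ({KNOWN_PORTS.get(p, 'unknown')})" for p in sorted(info["ports"]))
        print(f"{src}: {info['count']} rejected connection(s), ports {ports}")
```

The skew correction matters when correlating with the remote side or with a second sensor: a 10-minute offset is enough to make the same probe look like two separate events. Reverse lookups of the source addresses (as in the post's `ns2.keminmaa.fi` and `pp2-64.world-net.co.nz` entries) are left out so the script runs offline.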
