Security Incidents mailing list archives

Re: large number of probes from 210.97.123.3


From: DLuff () IITSCDM COM AU (Luff, Darryl)
Date: Mon, 1 May 2000 18:24:20 +1000


In the first half of April I had a flurry of mail (smtp/pop3/pop2) traffic
directed to our mail server. We don't allow POP access from the internet at
all. It was mainly from 210.x.x.x addresses (Korea and Taipei the ones I
checked up on). And on the 27th I had another one trying telnet, imap and
pop3 directly to our mail server, also from Taipei (210.208.138.4).

In the last week I've had a lot of scans for telnet, and nbname, but it's
all been from the US and Mexico.

-----Original Message-----
From: Jonathan [SMTP:security () WOAF NET]
Sent: Sunday, April 30, 2000 8:53 PM
To:   INCIDENTS () SECURITYFOCUS COM
Subject:      large number of probes from 210.97.123.3

This morning I'm seeing a large number of SYN probes from 210.97.123.3.
They all seem to be directed at port 109 (pop2). They also run up our IP
range so I think they're searching our subnet for something.....

Apr 30 06:30:55 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.120:109
Apr 30 06:42:40 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.120:109
Apr 30 06:52:35 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.121:109
Apr 30 07:04:20 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.121:109
Apr 30 07:14:16 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.122:109
Apr 30 07:26:01 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.122:109
Apr 30 07:35:56 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.123:109
Apr 30 07:47:41 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.123:109
Apr 30 07:57:37 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.124:109
Apr 30 08:09:22 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.124:109
Apr 30 08:19:18 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.125:109
Apr 30 08:31:02 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.125:109
Apr 30 08:40:58 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.126:109
Apr 30 08:52:43 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.126:109
Apr 30 09:02:39 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.127:109

Does anyone have any idea what they'd be looking for by using SYN scans
against port 109 ?

210.97.123.3 seems to be a web server... but it's Korean and the only words
I understand on there are 'Web accelerator'.


---
Jonathan Oddy
Senior system administrator
Woaf Tech
Jonathan () woaf net

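An added example, not part of either message: a small Python script that parses Snort alert lines in the format Jonathan quotes and reports any source that walks several destination hosts on one port, together with the mean interval between probes (useful when deciding how long a correlation window a scan detector needs). The masked destination octet from the post is replaced by a constructed sample in the 192.0.2.0/24 documentation range.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the Snort syslog format quoted in the post; the octet
# masked as "???" there is replaced by 192.0.2.0/24, so no host here is real.
SAMPLE_LOG = """\
Apr 30 06:30:55 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 192.0.2.120:109
Apr 30 06:52:35 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 192.0.2.121:109
Apr 30 07:14:16 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 192.0.2.122:109
Apr 30 07:35:56 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 192.0.2.123:109
Apr 30 07:57:37 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 192.0.2.124:109
Apr 30 07:40:12 dog snort[11541]: SYN FIN Scan: 192.0.2.250:0 -> 192.0.2.10:23
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ snort\[\d+\]: (?P<msg>.+?): "
    r"(?P<src>\d+(?:\.\d+){3}):\d+ -> (?P<dst>\d+(?:\.\d+){3}):(?P<dport>\d+)$"
)

def parse_alert(line):
    """Return the fields of one Snort alert line, or None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    # Syslog stamps carry no year; time deltas within one day are still correct.
    a["ts"] = datetime.strptime(a["ts"], "%b %d %H:%M:%S")
    a["dport"] = int(a["dport"])
    return a

def find_sweeps(lines, min_hosts=3):
    """Report (source, alert, port) groups that touched >= min_hosts distinct hosts."""
    groups = defaultdict(list)
    for line in lines:
        a = parse_alert(line)
        if a:
            groups[(a["src"], a["msg"], a["dport"])].append(a)
    sweeps = []
    for (src, msg, dport), alerts in groups.items():
        hosts = sorted({a["dst"] for a in alerts},
                       key=lambda ip: tuple(int(o) for o in ip.split(".")))
        if len(hosts) < min_hosts:
            continue  # repeated hits on one host are not a range sweep
        times = sorted(a["ts"] for a in alerts)
        gap = (times[-1] - times[0]).total_seconds() / max(len(times) - 1, 1)
        sweeps.append({"src": src, "alert": msg, "dport": dport, "hosts": hosts,
                       "probes": len(alerts), "mean_gap_s": round(gap, 1)})
    return sweeps
```

Run it over `SAMPLE_LOG.splitlines()` and only the 210.97.123.3 group is reported: five probes across five hosts on port 109, roughly 1300 seconds apart, which is why a per-minute threshold would never see this as a scan.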
