Security Incidents mailing list archives
Re: large number of probes from 210.97.123.3
From: DLuff () IITSCDM COM AU (Luff, Darryl)
Date: Mon, 1 May 2000 18:24:20 +1000
In the first half of April I had a flurry of mail (smtp/pop3/pop2) traffic directed to our mail server. We don't allow POP access from the internet at all. It was mainly from 210.x.x.x addresses (Korea and Taipei the ones I checked up on). And on the 27th I had another one trying telnet, imap and pop3 directly to our mail server, also from Taipei (210.208.138.4). In the last week I've had a lot of scans for telnet, and nbname, but it's all been from the US and Mexico.
-----Original Message-----
From: Jonathan [SMTP:security () WOAF NET]
Sent: Sunday, April 30, 2000 8:53 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: large number of probes from 210.97.123.3

This morning I'm seeing a large number of SYN probes from 210.97.123.3. They all seem to be directed at port 109 (pop2). They also run up our IP range so I think they're searching our subnet for something.....

Apr 30 06:30:55 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.120:109
Apr 30 06:42:40 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.120:109
Apr 30 06:52:35 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.121:109
Apr 30 07:04:20 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.121:109
Apr 30 07:14:16 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.122:109
Apr 30 07:26:01 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.122:109
Apr 30 07:35:56 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.123:109
Apr 30 07:47:41 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.123:109
Apr 30 07:57:37 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.124:109
Apr 30 08:09:22 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.124:109
Apr 30 08:19:18 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.125:109
Apr 30 08:31:02 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.125:109
Apr 30 08:40:58 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.126:109
Apr 30 08:52:43 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.126:109
Apr 30 09:02:39 dog snort[11541]: SYN FIN Scan: 210.97.123.3:0 -> 194.205.???.127:109

Does anyone have any idea what they'd be looking for by using SYN scans against port 109? 210.97.123.3 seems to be a web server... but it's Korean and the only words I understand on there are 'Web accelerator'.

---
Jonathan Oddy
Senior system administrator
Woaf Tech
Jonathan () woaf net
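An added example, not part of either poster's message: a small Python triage script that groups Snort syslog alerts of the kind quoted above by source and destination port, then reports how many targets were probed, whether the targets climb one address at a time, and the typical gap between probes. The sample lines are constructed with documentation-range addresses, and the function name `summarize` is hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import IPv4Address
from statistics import median

# Constructed sample alerts in the quoted Snort syslog format (documentation addresses).
SAMPLE = """\
Apr 30 06:30:55 dog snort[11541]: SYN FIN Scan: 198.51.100.7:0 -> 192.0.2.120:109
Apr 30 06:42:40 dog snort[11541]: SYN FIN Scan: 198.51.100.7:0 -> 192.0.2.120:109
Apr 30 06:52:35 dog snort[11541]: SYN FIN Scan: 198.51.100.7:0 -> 192.0.2.121:109
Apr 30 07:04:20 dog snort[11541]: SYN FIN Scan: 198.51.100.7:0 -> 192.0.2.121:109
Apr 30 07:14:16 dog snort[11541]: SYN FIN Scan: 198.51.100.7:0 -> 192.0.2.122:109
Apr 30 07:20:00 dog snort[11541]: SYN FIN Scan: 203.0.113.9:0 -> 192.0.2.50:23
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ snort\[\d+\]: (?P<sig>.+?): "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def summarize(log_text, year=2000):
    """Describe each (source, dest port) sweep; syslog omits the year, so pass it in."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not an alert in this format
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        groups[(m["src"], int(m["dport"]))].append((ts, IPv4Address(m["dst"])))
    report = {}
    for key, hits in groups.items():
        hits.sort()
        targets = list(dict.fromkeys(dst for _, dst in hits))  # first-seen order
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        report[key] = {
            "probes": len(hits),
            "targets": len(targets),
            # True when each new target is exactly the previous address + 1
            "sequential": len(targets) > 1 and all(
                int(b) - int(a) == 1 for a, b in zip(targets, targets[1:])),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return report

if __name__ == "__main__":
    for (src, port), info in summarize(SAMPLE).items():
        print(src, port, info)
```

A source that shows many targets, `sequential` set, and a gap measured in minutes is a slow walk up the address range, which per-minute rate thresholds tend to miss.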