Security Incidents mailing list archives
Attacks on port 25
From: vincent.lim () EMASONLINE COM (Vincent Lim)
Date: Fri, 26 May 2000 12:44:31 +0800
I wonder if any of you good ppl can help me interpret these server logs:

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
May 26 11:01:27 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: f139.law8.hotmail.com/216.33.241.139 to TCP port: 25
May 26 11:01:27 pop3 portsentry[358]: attackalert: Host 216.33.241.139 has been blocked via wrappers with string: "ALL: 216.33.241.139"
May 26 11:01:27 pop3 portsentry[358]: attackalert: Host 216.33.241.139 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 216.33.241.139 -j DENY -l"
May 26 11:05:50 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: cj.egroups.com/208.50.144.68 to TCP port: 25
May 26 11:05:50 pop3 portsentry[358]: attackalert: Host 208.50.144.68 has been blocked via wrappers with string: "ALL: 208.50.144.68"
May 26 11:05:50 pop3 portsentry[358]: attackalert: Host 208.50.144.68 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 208.50.144.68 -j DENY -l"
May 26 11:06:21 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: 192.228.164.80/192.228.164.80 to TCP port: 25
May 26 11:06:21 pop3 portsentry[358]: attackalert: Host 192.228.164.80 has been blocked via wrappers with string: "ALL: 192.228.164.80"
May 26 11:06:21 pop3 portsentry[358]: attackalert: Host 192.228.164.80 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.228.164.80 -j DENY -l"
May 26 11:16:39 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: dns1.mesiniaga.com.my/202.190.239.3 to TCP port: 25
May 26 11:16:39 pop3 portsentry[358]: attackalert: Host 202.190.239.3 has been blocked via wrappers with string: "ALL: 202.190.239.3"
May 26 11:16:39 pop3 portsentry[358]: attackalert: Host 202.190.239.3 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 202.190.239.3 -j DENY -l"
May 26 11:17:20 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: emasonline.emasonline.com.my/202.184.188.8 to TCP port: 25
May 26 11:17:20 pop3 portsentry[358]: attackalert: Host 202.184.188.8 has been blocked via wrappers with string: "ALL: 202.184.188.8"
May 26 11:17:20 pop3 portsentry[358]: attackalert: Host 202.184.188.8 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 202.184.188.8 -j DENY -l"
May 26 11:17:35 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: lists.securityfocus.com/207.126.127.68 to TCP port: 25
May 26 11:17:35 pop3 portsentry[358]: attackalert: Host 207.126.127.68 has been blocked via wrappers with string: "ALL: 207.126.127.68"
May 26 11:17:35 pop3 portsentry[358]: attackalert: Host 207.126.127.68 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 207.126.127.68 -j DENY -l"
May 26 11:18:08 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: mail.emasonline.com.my/202.184.188.15 to TCP port: 25
May 26 11:18:08 pop3 portsentry[358]: attackalert: Host 202.184.188.15 has been blocked via wrappers with string: "ALL: 202.184.188.15"
May 26 11:18:08 pop3 portsentry[358]: attackalert: Host 202.184.188.15 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 202.184.188.15 -j DENY -l"
May 26 11:19:30 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: sourceforge.net/198.186.203.33 to TCP port: 25
May 26 11:19:30 pop3 portsentry[358]: attackalert: Host 198.186.203.33 has been blocked via wrappers with string: "ALL: 198.186.203.33"
May 26 11:19:30 pop3 portsentry[358]: attackalert: Host 198.186.203.33 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 198.186.203.33 -j DENY -l"
May 26 11:20:05 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: 192.228.164.136/192.228.164.136 to TCP port: 25
May 26 11:20:05 pop3 portsentry[358]: attackalert: Host 192.228.164.136 has been blocked via wrappers with string: "ALL: 192.228.164.136"
May 26 11:20:05 pop3 portsentry[358]: attackalert: Host 192.228.164.136 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.228.164.136 -j DENY -l"
May 26 11:21:05 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: 202.75.176.39/202.75.176.39 to TCP port: 25
May 26 11:21:05 pop3 portsentry[358]: attackalert: Host 202.75.176.39 has been blocked via wrappers with string: "ALL: 202.75.176.39"
May 26 11:21:05 pop3 portsentry[358]: attackalert: Host 202.75.176.39 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 202.75.176.39 -j DENY -l"
May 26 11:21:26 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: kepler.shelby.com/207.90.155.76 to TCP port: 25
May 26 11:21:26 pop3 portsentry[358]: attackalert: Host 207.90.155.76 has been blocked via wrappers with string: "ALL: 207.90.155.76"
May 26 11:21:26 pop3 portsentry[358]: attackalert: Host 207.90.155.76 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 207.90.155.76 -j DENY -l"
May 26 11:23:20 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: venus.likom.com.my/192.228.164.33 to TCP port: 25
May 26 11:23:20 pop3 portsentry[358]: attackalert: Host 192.228.164.33 has been blocked via wrappers with string: "ALL: 192.228.164.33"
May 26 11:23:20 pop3 portsentry[358]: attackalert: Host 192.228.164.33 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.228.164.33 -j DENY -l"
May 26 11:26:03 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: lists.securityfocus.com/207.126.127.68 to TCP port: 25
May 26 11:26:03 pop3 portsentry[358]: attackalert: Host: lists.securityfocus.com/207.126.127.68 is already blocked Ignoring
May 26 11:26:30 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: mail.emasonline.com.my/202.184.188.15 to TCP port: 25
May 26 11:26:30 pop3 portsentry[358]: attackalert: Host: mail.emasonline.com.my/202.184.188.15 is already blocked Ignoring
May 26 11:28:21 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: lists.securityfocus.com/207.126.127.68 to TCP port: 25
May 26 11:28:21 pop3 portsentry[358]: attackalert: Host: lists.securityfocus.com/207.126.127.68 is already blocked Ignoring

As you can see... list.securityfocus.com is among the attackers. What could this mean? Hosts with *.emasonline.com.my are my own.

regards,
--
Vincent Lim                        | Contact Number:
Network & System Administrator     | (Office) +6 06-3345666 ext: 2142
EmasOnline Dot Com Sdn Bhd         | (Mobile) +6012-6596609
Add: GPO Melaka, PO Box 22         | (Fax) +6 06-3355751
     75700, Melaka                 | IRC: Ryu @ polaris.starchat.net
mail: Vincent.Lim () EmasOnline com| ICQ: 3884639
url: http://www.EmasOnline.com     |
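One way to triage alerts like those in the message above, as an added example that is not part of the original post: it counts alerts per destination port and lists blocked addresses whose hostname falls under a domain the operator owns. The names `triage` and `own_suffixes` are assumptions made for this example; the sample lines are excerpted from the log in the post.

```python
import re
from collections import Counter

# PortSentry "attackalert" line shapes, as they appear in the posted log.
SCAN = re.compile(
    r"attackalert: \S+ scan from host: (\S+)/(\d+\.\d+\.\d+\.\d+) "
    r"to (TCP|UDP) port: (\d+)"
)
BLOCK = re.compile(
    r"attackalert: Host (\d+\.\d+\.\d+\.\d+) has been blocked via "
    r"(?:wrappers|dropped route)"
)

# Excerpt of the log from the post (not the full capture).
P = "pop3 portsentry[358]: attackalert: "
SAMPLE = [
    "May 26 11:17:20 " + P + "SYN/Normal scan from host: "
    "emasonline.emasonline.com.my/202.184.188.8 to TCP port: 25",
    "May 26 11:17:20 " + P + "Host 202.184.188.8 has been blocked via "
    'wrappers with string: "ALL: 202.184.188.8"',
    "May 26 11:17:35 " + P + "SYN/Normal scan from host: "
    "lists.securityfocus.com/207.126.127.68 to TCP port: 25",
    "May 26 11:17:35 " + P + "Host 207.126.127.68 has been blocked via "
    'dropped route using command: "/sbin/ipchains -I input -s 207.126.127.68 -j DENY -l"',
    "May 26 11:26:03 " + P + "SYN/Normal scan from host: "
    "lists.securityfocus.com/207.126.127.68 to TCP port: 25",
    "May 26 11:26:03 " + P + "Host: lists.securityfocus.com/207.126.127.68 "
    "is already blocked Ignoring",
]

def triage(lines, own_suffixes=()):
    """Summarise alerts: hits per port, blocked IPs, blocked hosts we own."""
    ports, names, blocked = Counter(), {}, set()
    for line in lines:
        scan = SCAN.search(line)
        if scan:
            host, ip, proto, port = scan.groups()
            ports[(proto, int(port))] += 1
            names[ip] = host  # remember the reverse-DNS name logged for this IP
            continue
        block = BLOCK.search(line)
        if block:
            blocked.add(block.group(1))
    suffixes = tuple(own_suffixes)
    own = sorted(ip for ip in blocked if names.get(ip, "").endswith(suffixes))
    return {"ports": dict(ports), "blocked": sorted(blocked), "own_blocked": own}

if __name__ == "__main__":
    print(triage(SAMPLE, own_suffixes=(".emasonline.com.my",)))
```
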