Security Incidents mailing list archives

Attacks on port 25


From: vincent.lim () EMASONLINE COM (Vincent Lim)
Date: Fri, 26 May 2000 12:44:31 +0800


I wonder if any of you good ppl can help me interpret these server logs:

Active System Attack Alerts
=-=-=-=-=-=-=-=-=-=-=-=-=-=
May 26 11:01:27 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: f139.law8.hotmail.com/216.33.241.139 to TCP port: 25
May 26 11:01:27 pop3 portsentry[358]: attackalert: Host 216.33.241.139 has been blocked via wrappers with string: "ALL: 216.33.241.139"
May 26 11:01:27 pop3 portsentry[358]: attackalert: Host 216.33.241.139 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 216.33.241.139 -j DENY -l"
May 26 11:05:50 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: cj.egroups.com/208.50.144.68 to TCP port: 25
May 26 11:05:50 pop3 portsentry[358]: attackalert: Host 208.50.144.68 has been blocked via wrappers with string: "ALL: 208.50.144.68"
May 26 11:05:50 pop3 portsentry[358]: attackalert: Host 208.50.144.68 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 208.50.144.68 -j DENY -l"
May 26 11:06:21 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: 192.228.164.80/192.228.164.80 to TCP port: 25
May 26 11:06:21 pop3 portsentry[358]: attackalert: Host 192.228.164.80 has been blocked via wrappers with string: "ALL: 192.228.164.80"
May 26 11:06:21 pop3 portsentry[358]: attackalert: Host 192.228.164.80 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.228.164.80 -j DENY -l"
May 26 11:16:39 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: dns1.mesiniaga.com.my/202.190.239.3 to TCP port: 25
May 26 11:16:39 pop3 portsentry[358]: attackalert: Host 202.190.239.3 has been blocked via wrappers with string: "ALL: 202.190.239.3"
May 26 11:16:39 pop3 portsentry[358]: attackalert: Host 202.190.239.3 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 202.190.239.3 -j DENY -l"
May 26 11:17:20 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: emasonline.emasonline.com.my/202.184.188.8 to TCP port: 25
May 26 11:17:20 pop3 portsentry[358]: attackalert: Host 202.184.188.8 has been blocked via wrappers with string: "ALL: 202.184.188.8"
May 26 11:17:20 pop3 portsentry[358]: attackalert: Host 202.184.188.8 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 202.184.188.8 -j DENY -l"
May 26 11:17:35 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: lists.securityfocus.com/207.126.127.68 to TCP port: 25
May 26 11:17:35 pop3 portsentry[358]: attackalert: Host 207.126.127.68 has been blocked via wrappers with string: "ALL: 207.126.127.68"
May 26 11:17:35 pop3 portsentry[358]: attackalert: Host 207.126.127.68 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 207.126.127.68 -j DENY -l"
May 26 11:18:08 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: mail.emasonline.com.my/202.184.188.15 to TCP port: 25
May 26 11:18:08 pop3 portsentry[358]: attackalert: Host 202.184.188.15 has been blocked via wrappers with string: "ALL: 202.184.188.15"
May 26 11:18:08 pop3 portsentry[358]: attackalert: Host 202.184.188.15 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 202.184.188.15 -j DENY -l"
May 26 11:19:30 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: sourceforge.net/198.186.203.33 to TCP port: 25
May 26 11:19:30 pop3 portsentry[358]: attackalert: Host 198.186.203.33 has been blocked via wrappers with string: "ALL: 198.186.203.33"
May 26 11:19:30 pop3 portsentry[358]: attackalert: Host 198.186.203.33 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 198.186.203.33 -j DENY -l"
May 26 11:20:05 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: 192.228.164.136/192.228.164.136 to TCP port: 25
May 26 11:20:05 pop3 portsentry[358]: attackalert: Host 192.228.164.136 has been blocked via wrappers with string: "ALL: 192.228.164.136"
May 26 11:20:05 pop3 portsentry[358]: attackalert: Host 192.228.164.136 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.228.164.136 -j DENY -l"
May 26 11:21:05 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: 202.75.176.39/202.75.176.39 to TCP port: 25
May 26 11:21:05 pop3 portsentry[358]: attackalert: Host 202.75.176.39 has been blocked via wrappers with string: "ALL: 202.75.176.39"
May 26 11:21:05 pop3 portsentry[358]: attackalert: Host 202.75.176.39 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 202.75.176.39 -j DENY -l"
May 26 11:21:26 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: kepler.shelby.com/207.90.155.76 to TCP port: 25
May 26 11:21:26 pop3 portsentry[358]: attackalert: Host 207.90.155.76 has been blocked via wrappers with string: "ALL: 207.90.155.76"
May 26 11:21:26 pop3 portsentry[358]: attackalert: Host 207.90.155.76 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 207.90.155.76 -j DENY -l"
May 26 11:23:20 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: venus.likom.com.my/192.228.164.33 to TCP port: 25
May 26 11:23:20 pop3 portsentry[358]: attackalert: Host 192.228.164.33 has been blocked via wrappers with string: "ALL: 192.228.164.33"
May 26 11:23:20 pop3 portsentry[358]: attackalert: Host 192.228.164.33 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.228.164.33 -j DENY -l"
May 26 11:26:03 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: lists.securityfocus.com/207.126.127.68 to TCP port: 25
May 26 11:26:03 pop3 portsentry[358]: attackalert: Host: lists.securityfocus.com/207.126.127.68 is already blocked Ignoring
May 26 11:26:30 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: mail.emasonline.com.my/202.184.188.15 to TCP port: 25
May 26 11:26:30 pop3 portsentry[358]: attackalert: Host: mail.emasonline.com.my/202.184.188.15 is already blocked Ignoring
May 26 11:28:21 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: lists.securityfocus.com/207.126.127.68 to TCP port: 25
May 26 11:28:21 pop3 portsentry[358]: attackalert: Host: lists.securityfocus.com/207.126.127.68 is already blocked Ignoring

As you can see... lists.securityfocus.com is among the attackers.
What could this mean?
Hosts with *.emasonline.com.my are my own.

regards,

--
Vincent Lim                     | Contact Number:
Network & System Administrator  | (Office) +6 06-3345666 ext: 2142
EmasOnline Dot Com Sdn Bhd      | (Mobile) +6012-6596609
Add: GPO Melaka, PO Box 22     | (Fax)    +6 06-3355751
      75700, Melaka             | IRC: Ryu @ polaris.starchat.net
mail: Vincent.Lim () EmasOnline com| ICQ: 3884639
url: http://www.EmasOnline.com |
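An added triage script, not from the original post, that parses portsentry "attackalert" lines in the format shown above (with the mail wrapping undone so each event is one line) and groups alerts by source. Every alert in the post targets TCP port 25, the SMTP port, so the script flags sources that only ever touched SMTP ports for review before the automatic block is trusted; it also handles the general multi-port case, which the post's log does not contain. The regexes, the constructed sample lines and the triage rule are assumptions of mine about the format, not part of portsentry.

```python
import re

# Patterns for the portsentry "attackalert" lines in the post, with the
# mail-client line wrapping undone so each event is one line (assumed format).
SCAN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ portsentry\[\d+\]: attackalert: "
    r"SYN/Normal scan from host: (?P<name>[^/]+)/(?P<ip>[\d.]+) "
    r"to TCP port: (?P<port>\d+)$"
)
BLOCK_RE = re.compile(
    r"attackalert: Host (?P<ip>[\d.]+) has been blocked via (?P<how>\w+)"
)

# Constructed sample: a few events copied in the post's format.
SAMPLE_LOG = """\
May 26 11:01:27 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: f139.law8.hotmail.com/216.33.241.139 to TCP port: 25
May 26 11:01:27 pop3 portsentry[358]: attackalert: Host 216.33.241.139 has been blocked via wrappers with string: "ALL: 216.33.241.139"
May 26 11:01:27 pop3 portsentry[358]: attackalert: Host 216.33.241.139 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 216.33.241.139 -j DENY -l"
May 26 11:17:35 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: lists.securityfocus.com/207.126.127.68 to TCP port: 25
May 26 11:17:35 pop3 portsentry[358]: attackalert: Host 207.126.127.68 has been blocked via wrappers with string: "ALL: 207.126.127.68"
May 26 11:26:03 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: lists.securityfocus.com/207.126.127.68 to TCP port: 25
May 26 11:26:03 pop3 portsentry[358]: attackalert: Host: lists.securityfocus.com/207.126.127.68 is already blocked Ignoring
"""

def parse_portsentry(text):
    """Group scan alerts by source IP: reverse name, target ports, timestamp of
    each hit, and the block actions portsentry took (wrappers / dropped route)."""
    hosts = {}
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            h = hosts.setdefault(m["ip"], {"name": m["name"], "ports": set(),
                                          "times": [], "blocks": []})
            h["ports"].add(int(m["port"]))
            h["times"].append(m["ts"])
            continue
        m = BLOCK_RE.search(line)
        if m and m["ip"] in hosts:
            hosts[m["ip"]]["blocks"].append(m["how"])
    return hosts

def triage(hosts, mail_ports=frozenset({25})):
    """Flag sources that only ever touched SMTP ports: a remote MTA retrying
    delivery to a host that is not listening looks exactly like this, so review
    before trusting the block. Sources touching other ports are the scan case."""
    return {ip: ("smtp-only" if h["ports"] <= mail_ports else "possible-scan")
            for ip, h in hosts.items()}
```

Run against the full log from the post, every source comes back "smtp-only", and the "times" list shows the same host returning minutes apart, which is worth checking against the mail server's own queue before leaving the ipchains DENY in place.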


