Security Incidents mailing list archives
Re: weird scan pattern
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Tue, 30 May 2000 11:15:49 +1200
On Mon, 29 May 2000 08:51:13 +1000 Joe H <joe () ITS UNIMELB EDU AU> wrote:
> Hi all,
>
> Does someone know the signature for this "attack"?
>
> Note:
> A. The host mentioned on the right is one of our hosts
> B. It is not possible for someone to be running a probe to the remote host ("proxy...") since no one has perms to run services/programs binding to < port 1023 on ourhost (and ourhost has not been r00ted).
> C. The remote host appears to be a proxy server
>
> Is it a user from "proxy..." who thinks that our host is running a web server (which it isn't)?
>
> What appears strange is the almost exact +1 incrementing port numbers from the source ("proxy....") host.
>
> May 28 14:47|proxy.library.uq.edu.au|4114|ourhost.ourdomain.au|80
> May 28 14:47|proxy.library.uq.edu.au|4115|ourhost.ourdomain.au|80
> May 28 14:47|proxy.library.uq.edu.au|4116|ourhost.ourdomain.au|80
> May 28 14:47|proxy.library.uq.edu.au|4117|ourhost.ourdomain.au|80

Nothing sinister here so far as I can tell. What we have is some machine on uq's network repeatedly trying to access a web server at your addresses via uq's proxy. The request is almost certainly automated and simply keeps trying instead of failing gracefully.

Alternatively it is the proxy which is stuck in a loop retrying the connection, i.e. a bug in the proxy software. The strictly sequential nature of the source ports seems to support the latter interpretation. In which case the proxy probably isn't doing anything for anyone else so someone should notice soon.

We have seen both these scenarios in the past.

I trust that you have contacted UQ or AusCERT (who are located at UQ).

Cheers, Russell.

Russell Fulton, Computer and Network Security Officer, The University of Auckland, New Zealand.
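
The triage described in this thread, as an added example that is not part of either poster's message: it parses the pipe-delimited log format from the quoted post and separates one source retrying a single destination with strictly +1 source ports from a source fanning out across several targets. The label strings, the `min_events` threshold and the second sample (with its made-up host names) are assumptions of this example.

```python
from collections import defaultdict

# The four log lines from the quoted post (time|src host|src port|dst host|dst port).
SAMPLE = """\
May 28 14:47|proxy.library.uq.edu.au|4114|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4115|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4116|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4117|ourhost.ourdomain.au|80
"""

# Constructed contrast case: one source touching several ports on one host.
# scanner.example.net and target.example.net are made-up names.
CONSTRUCTED_SCAN = """\
May 28 15:02|scanner.example.net|3301|target.example.net|21
May 28 15:02|scanner.example.net|3305|target.example.net|23
May 28 15:02|scanner.example.net|3309|target.example.net|80
"""

def parse(text):
    """Yield (src, sport, dst, dport) per well-formed line; skip malformed ones."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5 or not (parts[2].isdigit() and parts[4].isdigit()):
            continue
        yield parts[1], int(parts[2]), parts[3], int(parts[4])

def classify(text, min_events=3):
    """Label each source host by the shape of its connection attempts."""
    by_src = defaultdict(list)
    for src, sport, dst, dport in parse(text):
        by_src[src].append((sport, dst, dport))
    result = {}
    for src, events in by_src.items():
        targets = {(dst, dport) for _, dst, dport in events}
        sports = [sport for sport, _, _ in events]
        if len(events) < min_events:
            result[src] = "too-few-events"
        elif len(targets) > 1:
            result[src] = "multiple-targets"  # fan-out across hosts or ports
        elif all(b - a == 1 for a, b in zip(sports, sports[1:])):
            # Same target every time and no gaps in the ephemeral ports:
            # the source opened no other connections in between.
            result[src] = "single-target-sequential-retry"
        else:
            result[src] = "single-target-repeated"
    return result

if __name__ == "__main__":
    print(classify(SAMPLE))
    print(classify(CONSTRUCTED_SCAN))
```

A gap-free run of source ports only shows that the source made no other outbound connections between attempts; it does not by itself say whether the client or the proxy is the one looping.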