Security Incidents mailing list archives

Interesting scan


From: "Booth, David CWT-MSP" <dbooth () CARLSON COM>
Date: Sun, 18 Feb 2001 13:51:01 -0600

I have a tiny (/30) netblock from my home ISP, enough for my dsl router and
the external interface of my firewall. My firewall logs pretty much
everything it blocks and this scan pattern has repeated several times over
the last couple of weeks from different IPs. Looks to be a combination of
attempted telnets and imap connections. Since it's repeating the same pattern
from different locations I'm guessing it's an automated kiddie tool, but
does anyone know which one?


syslog fragment showing one of the scans...

Feb 16 06:16:34 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1741 MY.NETWORK.ADDRESS:23 L=60 S=0x00 I=33513 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:34 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1742 MY.FIREWALL.EXTERN.IP:23 L=60 S=0x00 I=33514 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:35 dsl.router 000:20:02:30 TCP        Alarm      MTU value returned by get_ip_mtu was zero
Feb 16 06:16:34 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1744 MY.BCAST.ADDRESS:23 L=60 S=0x00 I=33524 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:35 dsl.router 000:20:02:30 TCP        Alarm      MTU value returned by get_ip_mtu was zero
Feb 16 06:16:35 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1744 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=33739 F=0x4000 T=50 (#19)
Feb 16 06:16:35 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1744 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=33740 F=0x4000 T=50 (#19)
Feb 16 06:16:35 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:2867 MY.BCAST.ADDRESS:143 L=60 S=0x00 I=33748 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:35 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1744 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=33765 F=0x4000 T=50 (#19)
Feb 16 06:16:36 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3517 MY.FIREWALL.EXTERN.IP:143 L=60 S=0x00 I=35501 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:36 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3518 MY.NETWORK.ADDRESS:143 L=60 S=0x00 I=35502 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:38 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:2867 MY.BCAST.ADDRESS:143 L=60 S=0x00 I=36808 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:39 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3517 MY.FIREWALL.EXTERN.IP:143 L=60 S=0x00 I=38571 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:39 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3518 MY.NETWORK.ADDRESS:143 L=60 S=0x00 I=38572 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:41 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1744 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=39511 F=0x4000 T=50 (#19)
Feb 16 06:16:44 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:2867 MY.BCAST.ADDRESS:143 L=60 S=0x00 I=40888 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:45 dsl.router 000:20:02:40 TCP        Alarm      MTU value returned by get_ip_mtu was zero
Feb 16 06:16:45 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3323 MY.BCAST.ADDRESS:23 L=60 S=0x00 I=41967 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:45 dsl.router 000:20:02:40 TCP        Alarm      MTU value returned by get_ip_mtu was zero
Feb 16 06:16:45 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3323 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=42189 F=0x4000 T=50 (#19)
Feb 16 06:16:45 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3323 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=42190 F=0x4000 T=50 (#19)
Feb 16 06:16:45 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3323 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=42191 F=0x4000 T=50 (#19)


Dave Booth CWT-MSP
dbooth () carlson com
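
A way to pull the pattern out of an ipchains "Packet log:" fragment like the one above, added here as an example and not part of the original post or any tool it asks about. It parses the kernel log lines (the dsl.router MTU alarms are skipped), groups them by source address, and reports what a practitioner would look at first: which ports were tried, how many distinct addresses were hit, whether the network or broadcast address was among them (a client that knows its target never connects to those; a scanner walking a CIDR block blindly does), and whether SYNs were repeated from the same source port at growing intervals, which is how a kernel TCP stack retransmits an unanswered connect() and so points at a connect()-style scanner rather than a raw-socket SYN scanner. The sample lines are a trimmed copy of the fragment above with the poster's placeholders kept; the year 2001 is assumed from the post date only so timestamps can be subtracted, and the block 203.0.113.4/30 used to show non_host_addresses() on an unmasked log is hypothetical.

```python
"""Summarise telnet/imap probes in an ipchains "Packet log:" syslog fragment.

Added example, not code from the original post. SAMPLE is a trimmed copy of
the posted fragment; the poster's placeholders (MY.NETWORK.ADDRESS,
MY.FIREWALL.EXTERN.IP, MY.BCAST.ADDRESS) are kept as-is.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

YEAR = 2001  # assumption: syslog lines carry no year; taken from the post date

# One ipchains (2.2-era kernel) packet-log entry:
#   <mon> <day> <hh:mm:ss> <host> kernel: Packet log: <chain> <action> <iface>
#   PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> S=0x<tos> I=<id> F=0x<frag> T=<ttl> [SYN] (#<rule>)
LOG_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x[0-9A-Fa-f]+ I=(?P<ipid>\d+) F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)"
    r"(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$"
)

# Constructed sample: a subset of the posted fragment, one entry per line.
SAMPLE = """\
Feb 16 06:16:34 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1741 MY.NETWORK.ADDRESS:23 L=60 S=0x00 I=33513 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:34 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1742 MY.FIREWALL.EXTERN.IP:23 L=60 S=0x00 I=33514 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:35 dsl.router 000:20:02:30 TCP        Alarm      MTU value returned by get_ip_mtu was zero
Feb 16 06:16:34 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1744 MY.BCAST.ADDRESS:23 L=60 S=0x00 I=33524 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:35 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1744 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=33739 F=0x4000 T=50 (#19)
Feb 16 06:16:35 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:2867 MY.BCAST.ADDRESS:143 L=60 S=0x00 I=33748 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:36 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3517 MY.FIREWALL.EXTERN.IP:143 L=60 S=0x00 I=35501 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:36 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3518 MY.NETWORK.ADDRESS:143 L=60 S=0x00 I=35502 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:38 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:2867 MY.BCAST.ADDRESS:143 L=60 S=0x00 I=36808 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:44 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:2867 MY.BCAST.ADDRESS:143 L=60 S=0x00 I=40888 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:45 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3323 MY.BCAST.ADDRESS:23 L=60 S=0x00 I=41967 F=0x4000 T=50 SYN (#19)
"""

# For the poster's masked log the non-host addresses are the placeholders themselves.
MASKED_NON_HOST = {"MY.NETWORK.ADDRESS", "MY.BCAST.ADDRESS"}


def parse_packet_log(line):
    """Return a dict for an ipchains entry, or None for anything else (router alarms, blanks)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    when = datetime.strptime(f"{d['mon']} {d['day']} {d['time']} {YEAR}", "%b %d %H:%M:%S %Y")
    return {
        "when": when, "action": d["action"], "proto": int(d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "len": int(d["len"]), "ipid": int(d["ipid"]), "ttl": int(d["ttl"]),
        "syn": "SYN" in d["flags"].split(),
    }


def summarise(lines):
    """Group the TCP entries by source address."""
    by_src = {}
    for line in lines:
        p = parse_packet_log(line)
        if p is None or p["proto"] != 6:
            continue
        s = by_src.setdefault(p["src"], {
            "first": p["when"], "last": p["when"], "dports": set(), "dsts": set(),
            "syn": 0, "non_syn": 0, "attempts": defaultdict(list)})
        s["first"], s["last"] = min(s["first"], p["when"]), max(s["last"], p["when"])
        s["dports"].add(p["dport"])
        s["dsts"].add(p["dst"])
        if p["syn"]:
            s["syn"] += 1
            # One connection attempt is one (source port, destination, dest port)
            # triple; further SYNs in the same triple are retransmissions of it.
            s["attempts"][(p["sport"], p["dst"], p["dport"])].append(p["when"])
        else:
            s["non_syn"] += 1
    return by_src


def non_host_addresses(block):
    """For an unmasked log: the network and broadcast address of `block`, e.g. "203.0.113.4/30"."""
    net = ipaddress.ip_network(block, strict=False)
    return {str(net.network_address), str(net.broadcast_address)}


def classify(summary, non_host, ports=frozenset({23, 143})):
    """Describe one source's behaviour; `non_host` = addresses no real client would connect to."""
    retrans = {k: [round((b - a).total_seconds()) for a, b in zip(t, t[1:])]
               for k, t in summary["attempts"].items() if len(t) > 1}
    return {
        "span_s": (summary["last"] - summary["first"]).total_seconds(),
        "ports": sorted(summary["dports"]),
        "targets": len(summary["dsts"]),
        "attempts": len(summary["attempts"]),
        "retransmitted": len(retrans),
        "retransmit_gaps": retrans,
        # SYNs to the network or broadcast address: the scanner walked the whole block.
        "walks_block": bool(summary["dsts"] & set(non_host)),
        # Both telnet and imap tried against more than one address in the burst.
        "telnet_imap_sweep": ports <= summary["dports"] and len(summary["dsts"]) >= 2,
        # Same source port re-SYNing at non-shrinking gaps of a few seconds is a
        # kernel TCP stack retrying an unanswered connect(); raw SYN scanners don't.
        "looks_like_connect_scan": any(g == sorted(g) and g[0] >= 2 for g in retrans.values()),
    }


def analyse(lines, non_host):
    """Convenience: classify every source seen in `lines`."""
    return {src: classify(s, non_host) for src, s in summarise(lines).items()}


if __name__ == "__main__":
    for src, verdict in analyse(SAMPLE.splitlines(), MASKED_NON_HOST).items():
        print(src, verdict)
```

On the posted fragment this reports one source, ports 23 and 143, three distinct targets including the network and broadcast placeholders, seven connection attempts in an 11 second window, and one attempt (source port 2867 to the broadcast address, port 143) re-SYNed after 3 and then 6 seconds. On a real log, replace MASKED_NON_HOST with non_host_addresses("<your block>/30").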
