Security Incidents mailing list archives
Interesting scan
From: "Booth, David CWT-MSP" <dbooth () CARLSON COM>
Date: Sun, 18 Feb 2001 13:51:01 -0600
I have a tiny (/30) netblock from my home ISP, enough for my dsl router and the external interface of my firewall. My firewall logs pretty much everything it blocks and this scan pattern has repeated several times over the last couple of weeks from different IPs. Looks to be a combination of attempted telnets and imap connections. Since it's repeating the same pattern from different locations I'm guessing it's an automated kiddies tool, but does anyone know which one?

syslog fragment showing one of the scans...

Feb 16 06:16:34 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1741 MY.NETWORK.ADDRESS:23 L=60 S=0x00 I=33513 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:34 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1742 MY.FIREWALL.EXTERN.IP:23 L=60 S=0x00 I=33514 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:35 dsl.router 000:20:02:30 TCP Alarm MTU value returned by get_ip_mtu was zero
Feb 16 06:16:34 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1744 MY.BCAST.ADDRESS:23 L=60 S=0x00 I=33524 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:35 dsl.router 000:20:02:30 TCP Alarm MTU value returned by get_ip_mtu was zero
Feb 16 06:16:35 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1744 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=33739 F=0x4000 T=50 (#19)
Feb 16 06:16:35 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1744 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=33740 F=0x4000 T=50 (#19)
Feb 16 06:16:35 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:2867 MY.BCAST.ADDRESS:143 L=60 S=0x00 I=33748 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:35 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1744 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=33765 F=0x4000 T=50 (#19)
Feb 16 06:16:36 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3517 MY.FIREWALL.EXTERN.IP:143 L=60 S=0x00 I=35501 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:36 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3518 MY.NETWORK.ADDRESS:143 L=60 S=0x00 I=35502 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:38 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:2867 MY.BCAST.ADDRESS:143 L=60 S=0x00 I=36808 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:39 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3517 MY.FIREWALL.EXTERN.IP:143 L=60 S=0x00 I=38571 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:39 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3518 MY.NETWORK.ADDRESS:143 L=60 S=0x00 I=38572 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:41 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1744 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=39511 F=0x4000 T=50 (#19)
Feb 16 06:16:44 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:2867 MY.BCAST.ADDRESS:143 L=60 S=0x00 I=40888 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:45 dsl.router 000:20:02:40 TCP Alarm MTU value returned by get_ip_mtu was zero
Feb 16 06:16:45 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3323 MY.BCAST.ADDRESS:23 L=60 S=0x00 I=41967 F=0x4000 T=50 SYN (#19)
Feb 16 06:16:45 dsl.router 000:20:02:40 TCP Alarm MTU value returned by get_ip_mtu was zero
Feb 16 06:16:45 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3323 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=42189 F=0x4000 T=50 (#19)
Feb 16 06:16:45 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3323 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=42190 F=0x4000 T=50 (#19)
Feb 16 06:16:45 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3323 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=42191 F=0x4000 T=50 (#19)

Dave Booth CWT-MSP dbooth () carlson com
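As an added illustration, not part of the original post or thread: a small Python parser for the ipchains "Packet log:" lines quoted above that keeps only denied TCP SYNs, groups them per source, and reports a source that sweeps more than one local address on telnet (23) and IMAP (143). The sample lines are copied from the post (the MY.* names are the poster's own redactions); the function names and the regex are my own.

```python
import re
from collections import defaultdict

# Field layout of the ipchains log lines shown in the post:
#   <ts> <host> kernel: Packet log: <chain> <verdict> <iface> PROTO=n src:sport dst:dport L= S= I= F= T= [FLAGS] (#rule)
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: Packet log: "
    r"(?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=\S+ I=\d+ F=\S+ T=\d+(?P<flags>(?: [A-Z]+)*) \(#\d+\)$"
)

# Sample input copied from the post (the dsl.router line is deliberately a non-matching one).
SAMPLE = [
    "Feb 16 06:16:34 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1741 MY.NETWORK.ADDRESS:23 L=60 S=0x00 I=33513 F=0x4000 T=50 SYN (#19)",
    "Feb 16 06:16:34 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1742 MY.FIREWALL.EXTERN.IP:23 L=60 S=0x00 I=33514 F=0x4000 T=50 SYN (#19)",
    "Feb 16 06:16:35 dsl.router 000:20:02:30 TCP Alarm MTU value returned by get_ip_mtu was zero",
    "Feb 16 06:16:35 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:1744 MY.BCAST.ADDRESS:23 L=40 S=0x00 I=33739 F=0x4000 T=50 (#19)",
    "Feb 16 06:16:35 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:2867 MY.BCAST.ADDRESS:143 L=60 S=0x00 I=33748 F=0x4000 T=50 SYN (#19)",
    "Feb 16 06:16:36 ariadne kernel: Packet log: input DENY eth1 PROTO=6 192.100.161.128:3517 MY.FIREWALL.EXTERN.IP:143 L=60 S=0x00 I=35501 F=0x4000 T=50 SYN (#19)",
]


def parse_line(line):
    """Return a dict of fields for an ipchains packet-log line, or None for any other syslog line."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # L=40 lines with no flag word are bare ACK/RST follow-ups, not new connection attempts.
    rec["syn"] = "SYN" in rec["flags"].split()
    return rec


def summarize_scan(lines, ports=("23", "143")):
    """Map src -> {dport: sorted list of local addresses} for sources that hit >1 local address."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec and rec["verdict"] == "DENY" and rec["proto"] == "6" and rec["syn"]:
            hits[rec["src"]][rec["dport"]].add(rec["dst"])
    report = {}
    for src, by_port in hits.items():
        probed = {p: sorted(d) for p, d in by_port.items() if p in ports}
        if len(set().union(*probed.values())) > 1:
            report[src] = probed
    return report


if __name__ == "__main__":
    for src, probed in summarize_scan(SAMPLE).items():
        print(src, probed)
```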
Current thread:
- Interesting scan Booth, David CWT-MSP (Feb 19)
- <Possible follow-ups>
- Re: Interesting scan Dave Booth (Feb 20)
- Re: Interesting scan Brian Engle (Feb 20)
- Interesting scan Bruce Parkinson (Feb 27)
- Re: Interesting scan Daniel Martin (Feb 27)