Security Incidents mailing list archives

Mass scan: coordinated or spoofed?


From: Nicolas GREGOIRE <nicolas.gregoire () 7THZONE COM>
Date: Wed, 21 Feb 2001 16:54:38 +0100

Hi all !

Please excuse my poor English.


One of my Internet hosts (an FTP server) was probed this afternoon.
The FTP server is protected via TCP wrappers to authorize only a small
set of IPs.

Here is the strange thing:

It received 44 attempts in less than 4 minutes from 4 different IPs.
The first 43 attempts are from 3 IPs in the same subnet (XX.XX.XX).
The 44th one is from an IP in another subnet (YY.YY.YY).

All 4 boxes respond to ping, run Linux and are in Spain.

Here are the logs:

Feb 21 15:14:29 my_ftp_host in.ftpd[32374]: refused connect from XX.XX.XX.67
Feb 21 15:14:36 my_ftp_host in.ftpd[32375]: refused connect from XX.XX.XX.67
Feb 21 15:14:42 my_ftp_host in.ftpd[32376]: refused connect from XX.XX.XX.67
Feb 21 15:14:48 my_ftp_host in.ftpd[32377]: refused connect from XX.XX.XX.67
Feb 21 15:14:53 my_ftp_host in.ftpd[32378]: refused connect from XX.XX.XX.67
Feb 21 15:14:58 my_ftp_host in.ftpd[32379]: refused connect from XX.XX.XX.67
Feb 21 15:15:04 my_ftp_host in.ftpd[32380]: refused connect from XX.XX.XX.67
Feb 21 15:15:09 my_ftp_host in.ftpd[32381]: refused connect from XX.XX.XX.67
Feb 21 15:15:13 my_ftp_host in.ftpd[32382]: refused connect from XX.XX.XX.66
Feb 21 15:15:19 my_ftp_host in.ftpd[32383]: refused connect from XX.XX.XX.66
Feb 21 15:15:24 my_ftp_host in.ftpd[32384]: refused connect from XX.XX.XX.66
Feb 21 15:15:29 my_ftp_host in.ftpd[32385]: refused connect from XX.XX.XX.66
Feb 21 15:15:34 my_ftp_host in.ftpd[32386]: refused connect from XX.XX.XX.66
Feb 21 15:15:39 my_ftp_host in.ftpd[32387]: refused connect from XX.XX.XX.66
Feb 21 15:15:44 my_ftp_host in.ftpd[32388]: refused connect from XX.XX.XX.66
Feb 21 15:15:50 my_ftp_host in.ftpd[32389]: refused connect from XX.XX.XX.66
Feb 21 15:15:55 my_ftp_host in.ftpd[32390]: refused connect from XX.XX.XX.66
Feb 21 15:15:58 my_ftp_host in.ftpd[32391]: refused connect from XX.XX.XX.130
Feb 21 15:16:03 my_ftp_host in.ftpd[32392]: refused connect from XX.XX.XX.130
Feb 21 15:16:09 my_ftp_host in.ftpd[32393]: refused connect from XX.XX.XX.130
Feb 21 15:16:14 my_ftp_host in.ftpd[32394]: refused connect from XX.XX.XX.130
Feb 21 15:16:19 my_ftp_host in.ftpd[32395]: refused connect from XX.XX.XX.130
Feb 21 15:16:24 my_ftp_host in.ftpd[32396]: refused connect from XX.XX.XX.130
Feb 21 15:16:33 my_ftp_host in.ftpd[32398]: refused connect from XX.XX.XX.67
Feb 21 15:16:39 my_ftp_host in.ftpd[32399]: refused connect from XX.XX.XX.67
Feb 21 15:16:45 my_ftp_host in.ftpd[32400]: refused connect from XX.XX.XX.67
Feb 21 15:16:52 my_ftp_host in.ftpd[32401]: refused connect from XX.XX.XX.67
Feb 21 15:16:58 my_ftp_host in.ftpd[32402]: refused connect from XX.XX.XX.67
Feb 21 15:17:07 my_ftp_host in.ftpd[32403]: refused connect from XX.XX.XX.67
Feb 21 15:17:14 my_ftp_host in.ftpd[32404]: refused connect from XX.XX.XX.67
Feb 21 15:17:17 my_ftp_host in.ftpd[32405]: refused connect from XX.XX.XX.67
Feb 21 15:17:22 my_ftp_host in.ftpd[32406]: refused connect from XX.XX.XX.67
Feb 21 15:17:28 my_ftp_host in.ftpd[32407]: refused connect from XX.XX.XX.67
Feb 21 15:17:33 my_ftp_host in.ftpd[32408]: refused connect from XX.XX.XX.67
Feb 21 15:17:39 my_ftp_host in.ftpd[32409]: refused connect from XX.XX.XX.67
Feb 21 15:17:47 my_ftp_host in.ftpd[32410]: refused connect from XX.XX.XX.67
Feb 21 15:17:53 my_ftp_host in.ftpd[32411]: refused connect from XX.XX.XX.67
Feb 21 15:17:58 my_ftp_host in.ftpd[32412]: refused connect from XX.XX.XX.67
Feb 21 15:18:02 my_ftp_host in.ftpd[32413]: refused connect from XX.XX.XX.130
Feb 21 15:18:07 my_ftp_host in.ftpd[32414]: refused connect from XX.XX.XX.130
Feb 21 15:18:13 my_ftp_host in.ftpd[32415]: refused connect from XX.XX.XX.130
Feb 21 15:18:18 my_ftp_host in.ftpd[32416]: refused connect from XX.XX.XX.130
Feb 21 15:18:23 my_ftp_host in.ftpd[32417]: refused connect from XX.XX.XX.130
Feb 21 15:18:28 my_ftp_host in.ftpd[32418]: refused connect from XX.XX.XX.130
Feb 21 15:18:36 my_ftp_host in.ftpd[32419]: refused connect from YY.YY.YY.200

What do you think about it?

Distributed scanning tool? (So why scan the same IP/port 44 times?)
Spoofed sources? (But the connection is established before tcpd logs
it.)
Another idea?


Thanks in advance...

Nicob
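The question above (one tool cycling through several sources, or spoofed addresses?) is one a practitioner answers by aggregating the tcpd log rather than reading it line by line. The point the poster makes about tcpd is sound: the "refused connect" line is written by the wrapper after inetd has accept()ed the connection, so the TCP handshake completed and a blindly spoofed source could not have produced it. What is left to check in the log is cadence (are the hits from different sources paced the same way, as one sequential tool would pace them?), per-subnet volume inside a short window, and whether the inetd child PIDs are contiguous. The script below is an added example, not part of the original post or of any tool the poster used: it parses lines of the shape shown above, summarizes hits per source, flags bursts per source and per /24, reports the overall median inter-hit interval, and lists skipped PIDs. The sample log is a constructed subset of the post's 44 lines with the addresses kept masked as in the post, and the year 2001 is an assumption, since syslog timestamps carry none.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the post's tcpd/in.ftpd lines (a subset of
# the 44, with the masked XX/YY addresses kept as in the post). Year assumed
# 2001 because syslog timestamps carry none.
SAMPLE_LOG = """\
Feb 21 15:14:29 my_ftp_host in.ftpd[32374]: refused connect from XX.XX.XX.67
Feb 21 15:14:36 my_ftp_host in.ftpd[32375]: refused connect from XX.XX.XX.67
Feb 21 15:14:42 my_ftp_host in.ftpd[32376]: refused connect from XX.XX.XX.67
Feb 21 15:14:48 my_ftp_host in.ftpd[32377]: refused connect from XX.XX.XX.67
Feb 21 15:15:13 my_ftp_host in.ftpd[32382]: refused connect from XX.XX.XX.66
Feb 21 15:15:19 my_ftp_host in.ftpd[32383]: refused connect from XX.XX.XX.66
Feb 21 15:15:24 my_ftp_host in.ftpd[32384]: refused connect from XX.XX.XX.66
Feb 21 15:15:58 my_ftp_host in.ftpd[32391]: refused connect from XX.XX.XX.130
Feb 21 15:16:03 my_ftp_host in.ftpd[32392]: refused connect from XX.XX.XX.130
Feb 21 15:16:09 my_ftp_host in.ftpd[32393]: refused connect from XX.XX.XX.130
Feb 21 15:16:33 my_ftp_host in.ftpd[32398]: refused connect from XX.XX.XX.67
Feb 21 15:18:36 my_ftp_host in.ftpd[32419]: refused connect from YY.YY.YY.200
"""

# syslog prefix, then "<daemon>[<pid>]: refused connect from <source>" as tcpd writes it
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+(?P<daemon>[\w.]+)\[(?P<pid>\d+)\]: refused connect from (?P<src>\S+)$"
)


def parse_refusals(text, year=2001):
    """Return (timestamp, pid, source) tuples, sorted by time, for tcpd 'refused connect' lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, int(m["pid"]), m["src"]))
    events.sort()
    return events


def summarize_by_source(events):
    """Per source: hit count, first/last hit and median gap between its own hits."""
    stamps = defaultdict(list)
    for ts, _, src in events:
        stamps[src].append(ts)
    report = {}
    for src, ts_list in stamps.items():
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        report[src] = {
            "count": len(ts_list),
            "first": ts_list[0],
            "last": ts_list[-1],
            "median_gap": statistics.median(gaps) if gaps else None,
        }
    return report


def find_bursts(events, window_s, threshold, key=lambda src: src):
    """Keys (a source, or a subnet when key=subnet) reaching threshold hits inside
    some sliding window of window_s seconds; value is the peak count seen."""
    stamps = defaultdict(list)
    for ts, _, src in events:
        stamps[key(src)].append(ts)
    bursts = {}
    for k, ts_list in stamps.items():
        ts_list.sort()
        best, start = 0, 0
        for end, t in enumerate(ts_list):
            while (t - ts_list[start]).total_seconds() > window_s:
                start += 1  # slide the window's left edge forward
            best = max(best, end - start + 1)
        if best >= threshold:
            bursts[k] = best
    return bursts


def overall_median_interval(events):
    """Median spacing between consecutive hits regardless of source; a steady
    value across source changes hints at one tool pacing all of them."""
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    return statistics.median(gaps) if gaps else None


def pid_gaps(events):
    """(prev_pid, pid, skipped): PIDs handed out between two consecutive refusals,
    i.e. some other process (another inetd child or anything else) started in between."""
    out = []
    for (_, p1, _), (_, p2, _) in zip(events, events[1:]):
        if p2 - p1 > 1:
            out.append((p1, p2, p2 - p1 - 1))
    return out


def subnet(src):
    """Crude /24 key: drop the last dotted component (works on the masked form too)."""
    return src.rsplit(".", 1)[0]


if __name__ == "__main__":
    ev = parse_refusals(SAMPLE_LOG)
    for src, s in summarize_by_source(ev).items():
        print(f"{src:16} hits={s['count']:2} {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S} median_gap={s['median_gap']}")
    print("bursts per source :", find_bursts(ev, 240, 5))
    print("bursts per subnet :", find_bursts(ev, 240, 10, key=subnet))
    print("median interval   :", overall_median_interval(ev))
    print("pid gaps          :", pid_gaps(ev))
```

Run against the full 44 lines, the per-source view separates the three XX.XX.XX hosts from the lone YY.YY.YY hit, the subnet view lumps the first 43 into one burst, and the overall interval shows whether the spacing stays flat across the switch from .67 to .66 to .130. The PID listing is a cheap sanity check on completeness: contiguous PIDs mean nothing else was spawned between two refusals, while a skipped PID marks a point to look at in other logs.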

