Security Incidents mailing list archives

Unusual scans seen


From: TJ Jablonowski <t.jablonowski () MAIL-2-GO COM>
Date: Thu, 18 Jan 2001 12:16:59 -0500

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

  Have seen this type of scan just start up in the last couple of
 days.  Starts out with a SYN-FIN scan from port 21 to port 21.  Then
 right afterwards an ftp connection is attempted with a user name of
 "ftp" and a password of "root".


Jan 17 07:27:29 xxxxxxxx iplog[8610]: TCP: ftp connection attempt from cd-189-25.ra30.dc.capu.net:21
Jan 17 07:27:29 xxxxxxxx iplog[8610]: TCP: ftp connection attempt from cd-189-25.ra30.dc.capu.net:3195
Jan 17 07:42:24 xxxxxxxx iplog[8610]: TCP: ftp connection attempt from next2.cjr.shizuoka.ac.jp:21
Jan 17 07:42:26 xxxxxxxx iplog[8610]: TCP: ftp connection attempt from next2.cjr.shizuoka.ac.jp:2035
Jan 17 07:27:29 xxxxxxxx xinetd[446]: FAIL: ftp address from=64.50.170.25
Jan 17 07:27:29 xxxxxxxx xinetd[5548]: USERID: ftp OTHER :root
Jan 17 07:42:27 xxxxxxxx xinetd[446]: FAIL: ftp address from=133.70.180.9
Jan 17 07:42:28 xxxxxxxx xinetd[5644]: USERID: ftp OTHER :root


[**] spp_portscan: PORTSCAN DETECTED from 64.50.170.25 (STEALTH) [**]
01/17-07:27:29.312368
[**] IDS198 - SCAN-SYN FIN [**]
01/17-07:27:29.311716 64.50.170.25:21 -> xxx.xxx.xxx.xxx:21
TCP TTL:24 TOS:0x0 ID:39426
**SF**** Seq: 0x55C0CE70   Ack: 0x458EB528   Win: 0x404

[**] spp_portscan: portscan status from 64.50.170.25: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
01/17-07:27:44.361658
[**] spp_portscan: End of portscan from 64.50.170.25: TOTAL time(0s) hosts(1) TCP(2) UDP(0) STEALTH [**]
01/17-07:28:25.961614

[**] spp_portscan: PORTSCAN DETECTED from 133.70.180.9 (STEALTH) [**]
01/17-07:42:24.689036
[**] IDS198 - SCAN-SYN FIN [**]
01/17-07:42:24.688902 133.70.180.9:21 -> xxx.xxx.xxx.xxx:21
TCP TTL:24 TOS:0x0 ID:39426
**SF**** Seq: 0x73F45439   Ack: 0x37D9803C   Win: 0x404

[**] spp_portscan: portscan status from 133.70.180.9: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
01/17-07:43:45.125899
[**] spp_portscan: End of portscan from 133.70.180.9: TOTAL time(2s) hosts(1) TCP(2) UDP(0) STEALTH [**]
01/17-07:44:59.378866



-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOmclCG+7g8loOAk5EQKP5wCfSNXGc9J4jDzvgTgPMzUEnbQ+8V4Anjtk
XlphmXr5wMuetOTN6Mu5CbFu
=IzSm
-----END PGP SIGNATURE-----
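
The pattern reported above (a SYN-FIN packet with source port equal to destination port, followed within seconds by an FTP attempt from the same address) can be picked out of the two logs mechanically. The following is an added example, not part of the original post: the sample lines are constructed in the post's log layout with documentation addresses, and the 10-second window, the year and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta
YEAR = 2001  # neither log format carries a year; assumed from the message date
# Constructed sample input in the layout of the post's Snort and xinetd
# excerpts; addresses are documentation ranges, not the hosts in the post.
SNORT_ALERTS = """\
[**] IDS198 - SCAN-SYN FIN [**]
01/17-07:27:29.311716 192.0.2.25:21 -> 198.51.100.10:21
TCP TTL:24 TOS:0x0 ID:39426
**SF**** Seq: 0x55C0CE70   Ack: 0x458EB528   Win: 0x404

[**] IDS198 - SCAN-SYN FIN [**]
01/17-09:10:02.000100 203.0.113.7:4000 -> 198.51.100.10:21
TCP TTL:52 TOS:0x0 ID:1201
**SF**** Seq: 0x1A2B3C4D   Ack: 0x0   Win: 0x200
"""
SYSLOG = """\
Jan 17 07:27:29 host xinetd[446]: FAIL: ftp address from=192.0.2.25
Jan 17 07:27:29 host xinetd[5548]: USERID: ftp OTHER :root
Jan 17 11:00:00 host xinetd[446]: FAIL: ftp address from=203.0.113.7
"""
PKT = re.compile(r"(\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+ ([\d.]+):(\d+) -> [\d.]+:(\d+)$")
FTP = re.compile(r"(\w{3} +\d+ [\d:]{8}) \S+ xinetd\[\d+\]: FAIL: ftp address from=([\d.]+)$")

def syn_fin_probes(alert_text):
    """Return (time, src, sport, dport) for packets with both SYN and FIN set."""
    probes, pending = [], None
    for line in alert_text.splitlines():
        m = PKT.match(line)
        if m:  # packet header line: remember it until the flags line arrives
            ts = datetime.strptime(f"{YEAR}/{m[1]}", "%Y/%m/%d-%H:%M:%S")
            pending = (ts, m[2], int(m[3]), int(m[4]))
        elif pending and " Seq:" in line:
            flags = line.split()[0]  # flag field, e.g. "**SF****"
            if "S" in flags and "F" in flags:
                probes.append(pending)
            pending = None
    return probes

def correlate(alert_text, syslog_text, window=timedelta(seconds=10)):
    """SYN-FIN probes with sport == dport that an FTP attempt from the same source follows."""
    ftp = [(datetime.strptime(f"{YEAR} {m[1]}", "%Y %b %d %H:%M:%S"), m[2])
           for m in map(FTP.match, syslog_text.splitlines()) if m]
    hits = []
    for ts, src, sport, dport in syn_fin_probes(alert_text):
        if sport == dport and any(
                s == src and timedelta(0) <= t - ts <= window for t, s in ftp):
            hits.append((src, dport))
    return hits
```

Timestamps are compared at one-second resolution because syslog records nothing finer, so an FTP attempt logged in the same second as the probe counts as following it.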

