Security Incidents mailing list archives

Denial of service attack on port 6667


From: vlima () csc com
Date: Thu, 12 Jul 2001 09:22:25 -0400

Hi folks,

I've been monitoring this list for a long time, but this is my first post.
Bear with me if I don't provide enough information.

Last night I noticed an unusually high number of connections to my IRCD
server running on FreeBSD.  I first thought that it was normal as our max
number of connections was set at 20 and was fully used. I increased it to
50, and immediately all 50 allowed connections were taken.  Upon further
investigation, I found the following types of port 6667 connections, which is
unusually high for the type of IRC service we run:

tcp4       0      0  server1.6667           145.253.166.229.64981  FIN_WAIT_2
tcp4       0      0  server1.6667           145.253.166.229.64980  FIN_WAIT_2
tcp4       0      0  server1.6667           145.253.166.229.64978  FIN_WAIT_2
tcp4       0      0  server1.6667           212.238.51.186.1090    FIN_WAIT_2
tcp4       0      0  server1.6667           62.227.41.47.1692      FIN_WAIT_2
tcp4       0      0  server1.6667           61.124.14.54.63861     FIN_WAIT_2
tcp4       0      0  server1.6667           24.14.155.186.13182    FIN_WAIT_2
tcp4       0      0  server1.6667           208.58.112.93.2511     FIN_WAIT_2
tcp4       0      0  server1.6667           24.19.240.186.1024     FIN_WAIT_2
tcp4       0      0  server1.6667           64.252.66.36.2139      FIN_WAIT_2
tcp4       0      0  server1.6667           141.154.121.202.1660   FIN_WAIT_2
tcp4       0      0  server1.6667           172.175.109.119.3227   FIN_WAIT_2
tcp4       0    153  server1.6667           24.70.114.239.1321     FIN_WAIT_1
tcp4       0      0  server1.6667           172.173.142.43.2283    FIN_WAIT_2
tcp4       0      0  server1.6667           208.58.112.93.2509     FIN_WAIT_2
tcp4       0      0  server1.6667           63.21.143.227.1164     FIN_WAIT_2
tcp4       0   1406  server1.6667           172.169.173.240.1028   FIN_WAIT_1

The above is just a short example.  My question is if there are any known
denial of service attacks on ircd at this moment? This box only runs
apache, ftp, qmail, and ircd. But I was seeing *many* more connections on
ports that should not be connecting (i.e. port scanning tip?). Is there any
vulnerability that is well known to "show up" upon a port scan on a FreeBSD
server? I run FreeBSD 4.1.1.

Thanks for the help,
Vinnie
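
One way to triage a listing like the one in this post, as an added example that is not part of the original message: it tallies TCP states and remote hosts for sockets on local port 6667 from FreeBSD-style netstat output, re-joining state names that wrapped onto their own line. The sample input is constructed with documentation addresses, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in FreeBSD `netstat -an` layout (documentation addresses,
# not the hosts from the post). The second record is wrapped the way a mail
# client wraps long lines.
SAMPLE = """\
tcp4       0      0  server1.6667           192.0.2.10.64981       FIN_WAIT_2
tcp4       0      0  server1.6667           192.0.2.10.64980
FIN_WAIT_2
tcp4       0    153  server1.6667           198.51.100.7.1321      FIN_WAIT_1
tcp4       0      0  server1.6667           203.0.113.5.2511       ESTABLISHED
tcp4       0      0  server1.80             203.0.113.5.2600       ESTABLISHED
tcp4       0      0  *.6667                 *.*                    LISTEN
"""
STATE = re.compile(r"^[A-Z][A-Z_0-9]+$")

def split_endpoint(endpoint):
    """BSD netstat joins host and port with a dot: '192.0.2.10.64981'."""
    host, _, port = endpoint.rpartition(".")
    return host, port

def summarize(netstat_text, port="6667"):
    """Return (state counts, remote-host counts, FIN_WAIT total) for a local port."""
    records = []
    for line in netstat_text.splitlines():
        fields = line.split()
        wrapped_state = len(fields) == 1 and STATE.match(fields[0])
        if wrapped_state and records and len(records[-1]) == 5:
            records[-1].append(fields[0])      # re-attach the wrapped state
        elif fields and fields[0].startswith("tcp"):
            records.append(fields)
    states, hosts = Counter(), Counter()
    for rec in records:
        if len(rec) < 6:
            continue                           # state column missing, skip
        _, local_port = split_endpoint(rec[3])
        remote_host, _ = split_endpoint(rec[4])
        if local_port != port or rec[5] == "LISTEN":
            continue
        states[rec[5]] += 1
        hosts[remote_host] += 1
    half_closed = sum(n for s, n in states.items() if s.startswith("FIN_WAIT"))
    return states, hosts, half_closed

if __name__ == "__main__":
    states, hosts, half_closed = summarize(SAMPLE)
    print(dict(states), hosts.most_common(3), half_closed)
```

Feeding it the full `netstat -an` text shows whether the half-closed sockets come from a few repeat hosts or are spread across many sources.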




