Snort mailing list archives

RE: is this an attack?


From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Mon, 28 Jan 2002 08:28:07 -0600

Hi John,

Then that is bad. Because, our fw is being used to check open relays internally.
From what I saw last night, it even scans 80, 110. It's really weird.

I've never seen those packets before.

-> -----Original Message-----
-> From: John Berkers [mailto:berjo () ozemail com au]
-> Sent: Monday, January 28, 2002 5:24 AM
-> To: snort-users () lists sourceforge net
-> Subject: RE: [Snort-users] is this an attack?
-> 
-> 
-> This looks to me (from the content) like a system scanning for open SMTP
-> relays.
-> 
-> Open SMTP relays are what allows a lot of the spam we receive in our
-> mailboxes to be sent anonymously.  My guess is that Remington Ltd is
-> actively scanning the Internet for open relays.
-> 
-> If you have no open relays then you have nothing to worry about.
-> 
-> Regards,
-> 
-> John Berkers
-> berjo () ozemail com au
-> 
-> 
-> 
-> -----Original Message-----
-> From: snort-users-admin () lists sourceforge net
-> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ronneil
-> Camara
-> Sent: Monday, 28 January 2002 18:42
-> To: snort-users () lists sourceforge net
-> Subject: [Snort-users] is this an attack?
-> 
-> 
-> Hi dudes,
-> 
-> I am receiving a lot of smtp connection attempts from our checkpoint
-> firewall-1. Is it an attack? Looks like a SYN scan to me coz I never see
-> any HELO transaction in the /var/log/maillog.
-> 
-> 01:24:49.777645 cpfw.20771 > antispam.remingtonltd.com.smtp: S
-> 1715098950:1715098950(0) win 5840 <mss 1460,nop,nop,sackOK> (DF)
->   0000: 4500 0030 9fc1 4000 7f06 ee00 41c0 7541  E..0.Á@...î.AÀuA
->   0010: 41c0 7544 5123 0019 663a 5546 0000 0000  AÀuDQ#..f:UF....
->   0020: 7002 16d0 f18c 0000 0204 05b4 0101 0402  p..Ðñ......´....
-> 
-> 01:24:49.777760 antispam.remingtonltd.com.smtp > cpfw.20771: S
-> 2880971570:2880971570(0) ack 1715098951 win 17520 <mss 1460,nop,nop,sackOK> (DF)
->   0000: 4500 0030 59f4 4000 4006 72ce 41c0 7544  E..0Yô@.@.rÎAÀuD
->   0010: 41c0 7541 0019 5123 abb8 2332 663a 5547  AÀuA..Q#«¸#2f:UG
->   0020: 7012 4470 f4f0 0000 0204 05b4 0101 0402  p.Dpôð.....´....
-> 
-> 01:24:49.778486 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 1 win 5840 (DF)
->   0000: 4500 0028 9fc2 4000 7f06 ee07 41c0 7541  E..(.Â@...î.AÀuA
->   0010: 41c0 7544 5123 0019 663a 5547 abb8 2333  AÀuDQ#..f:UG«¸#3
->   0020: 5010 16d0 4f55 0000 0000 0000 0000       P..ÐOU........
-> 
-> 01:24:49.781016 antispam.remingtonltd.com.smtp > cpfw.20771: P
-> 1:107(106) ack 1 win 17520 (DF)
->   0000: 4500 0092 21f2 4000 4006 aa6e 41c0 7544  E...!ò@.@.ªnAÀuD
->   0010: 41c0 7541 0019 5123 abb8 2333 663a 5547  AÀuA..Q#«¸#3f:UG
->   0020: 5018 4470 960f 0000 3232 3020 616e 7469  P.Dp....220 anti
->   0030: 7370 616d 2e72 656d 696e 6774 6f6e 6c74  spam.remingtonlt
->   0040: 642e 636f 6d20 4553 4d54 5020 5365 7276  d.com ESMTP Serv
->   0050: 6572                                     er
-> 
-> 01:24:49.781930 cpfw.20771 > antispam.remingtonltd.com.smtp: P 1:7(6)
-> ack 107 win 5734 (DF)
->   0000: 4500 002e 9fc3 4000 7f06 ee00 41c0 7541  E....Ã@...î.AÀuA
->   0010: 41c0 7544 5123 0019 663a 5547 abb8 239d  AÀuDQ#..f:UG«¸#.
->   0020: 5018 1666 a793 0000 5155 4954 0d0a       P..f§...QUIT..
-> 
-> 01:24:49.781990 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 7 win 17514 (DF)
->   0000: 4500 0028 5ad7 4000 4006 71f3 41c0 7544  E..(Z×@.@.qóAÀuD
->   0010: 41c0 7541 0019 5123 abb8 239d 663a 554d  AÀuA..Q#«¸#.f:UM
->   0020: 5010 446a 214b 0000                      P.Dj!K..
-> 
-> 01:24:49.782264 antispam.remingtonltd.com.smtp > cpfw.20771: P
-> 107:116(9) ack 7 win 17520 (DF)
->   0000: 4500 0031 799a 4000 4006 5327 41c0 7544  E..1y.@.@.S'AÀuD
->   0010: 41c0 7541 0019 5123 abb8 239d 663a 554d  AÀuA..Q#«¸#.f:UM
->   0020: 5018 4470 0c5b 0000 3232 3120 4279 650d  P.Dp.[..221 Bye.
->   0030: 0a                                       .
-> 
-> 01:24:49.782313 antispam.remingtonltd.com.smtp > cpfw.20771: F
-> 116:116(0) ack 7 win 17520 (DF)
->   0000: 4500 0028 2ffa 4000 4006 9cd0 41c0 7544  E..(/ú@.@..ÐAÀuD
->   0010: 41c0 7541 0019 5123 abb8 23a6 663a 554d  AÀuA..Q#«¸#¦f:UM
->   0020: 5011 4470 213b 0000                      P.Dp!;..
-> 
-> 01:24:49.783043 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 117 win 5725 (DF)
->   0000: 4500 0028 9fc4 4000 7f06 ee05 41c0 7541  E..(.Ä@...î.AÀuA
->   0010: 41c0 7544 5123 0019 663a 554d abb8 23a7  AÀuDQ#..f:UM«¸#§
->   0020: 5010 165d 4f4e 0000 0000 0000 0000       P..]ON........
-> 
-> 01:24:49.878137 cpfw.20771 > antispam.remingtonltd.com.smtp: F 7:7(0)
-> ack 117 win 5725 (DF)
->   0000: 4500 0028 9ffb 4000 7f06 edce 41c0 7541  E..(.û@...íÎAÀuA
->   0010: 41c0 7544 5123 0019 663a 554d abb8 23a7  AÀuDQ#..f:UM«¸#§
->   0020: 5011 165d 4f4d 0000 0000 0000 0000       P..]OM........
-> 
-> 01:24:49.878197 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 8 win 17520 (DF)
->   0000: 4500 0028 66c1 4000 4006 6609 41c0 7544  E..(fÁ@.@.f.AÀuD
->   0010: 41c0 7541 0019 5123 abb8 23a7 663a 554e  AÀuA..Q#«¸#§f:UN
->   0020: 5010 4470 213a 0000                      P.Dp!:..
-> 
-> 01:24:49.878794 cpfw.20771 > antispam.remingtonltd.com.smtp: R
-> 1715098958:1715098958(0) win 0
->   0000: 4500 0028 9ffd 0000 7f06 2dcd 41c0 7541  E..(.ý....-ÍAÀuA
->   0010: 41c0 7544 5123 0019 663a 554e 663a 554e  AÀuDQ#..f:UNf:UN
->   0020: 5004 0000 798d 0000 0000 0000 0000       P...y.........
-> 
-> 
-> Please explain. Thanks.
-> 
-> 
-> neil camara (ronneilc () remingtonltd com) - cc{na|sa}, mcse - pgp 0x777777B2
-> network/security engineer - dl := +1(847)2.21.0.224 cn := +1(847)9.80.17.53
->         echo "I love windows" | sed -e 's/wi/u/g' | cut -f1 -dd | \
->               awk '/u/ {printf("%s %s %six\n",$1,$2,$3)}'
-> ------------------------------------------------------------------------
-> -- 
->                  ---o0 Statement of Confidentiality 0o---
-> The contents of this message and its attachments and subsequent additions are
-> strictly confidential and proprietary and intended solely for the addressee(s)
-> hereof.  If you are not the named addressee, or this message has been addressed
-> to you in error, you are directed not to read, disclose, reproduce, distribute,
-> disseminate or otherwise use this transmission.  Delivery of this message to
-> any other person other than the intended recipient(s) is not intended in any
-> way to waive privilege or confidentiality.  If you have received this
-> transmission in error, please alert the sender by reply e-mail; we also request
-> that you immediately delete this message and its attachments, if any.

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
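What the quoted capture actually contains is easier to see once the hex dumps are decoded: the client completes the handshake, reads the 220 greeting, sends QUIT and tears the connection down, so no HELO ever reaches the MTA and nothing is written to maillog. The following Python is an added example, not code from the thread: it rebuilds five of the packets from the tcpdump hex columns quoted above (the SYN, the 220 greeting, QUIT, 221 Bye and the closing RST), walks the IPv4 and TCP headers, and names the session shape. It assumes the tcpdump `-X` style hex layout shown in the thread; the function names and the labels such as `banner-grab` are my own. Two details the decoder has to get right are visible in the capture itself: the short ACK and RST frames carry zero padding up to the Ethernet minimum, and the 220 greeting (106 bytes on the wire) was cut to 42 bytes by the snaplen, so the payload must be bounded by the IP total length rather than by the length of the dump.

```python
import re
from dataclasses import dataclass

# Hex columns copied from the tcpdump output quoted in the thread; the ASCII
# column is kept as printed and the parser discards it.
CAPTURE = """
0000: 4500 0030 9fc1 4000 7f06 ee00 41c0 7541  E..0.Á@...î.AÀuA
0010: 41c0 7544 5123 0019 663a 5546 0000 0000  AÀuDQ#..f:UF....
0020: 7002 16d0 f18c 0000 0204 05b4 0101 0402  p..Ðñ......´....

0000: 4500 0092 21f2 4000 4006 aa6e 41c0 7544  E...!ò@.@.ªnAÀuD
0010: 41c0 7541 0019 5123 abb8 2333 663a 5547  AÀuA..Q#«¸#3f:UG
0020: 5018 4470 960f 0000 3232 3020 616e 7469  P.Dp....220 anti
0030: 7370 616d 2e72 656d 696e 6774 6f6e 6c74  spam.remingtonlt
0040: 642e 636f 6d20 4553 4d54 5020 5365 7276  d.com ESMTP Serv
0050: 6572                                     er

0000: 4500 002e 9fc3 4000 7f06 ee00 41c0 7541  E....Ã@...î.AÀuA
0010: 41c0 7544 5123 0019 663a 5547 abb8 239d  AÀuDQ#..f:UG«¸#.
0020: 5018 1666 a793 0000 5155 4954 0d0a       P..f§...QUIT..

0000: 4500 0031 799a 4000 4006 5327 41c0 7544  E..1y.@.@.S'AÀuD
0010: 41c0 7541 0019 5123 abb8 239d 663a 554d  AÀuA..Q#«¸#.f:UM
0020: 5018 4470 0c5b 0000 3232 3120 4279 650d  P.Dp.[..221 Bye.
0030: 0a                                       .

0000: 4500 0028 9ffd 0000 7f06 2dcd 41c0 7541  E..(.ý....-ÍAÀuA
0010: 41c0 7544 5123 0019 663a 554e 663a 554e  AÀuDQ#..f:UNf:UN
0020: 5004 0000 798d 0000 0000 0000 0000       P...y.........
"""

# Offset, then 4-hex-digit words separated by single spaces; the ASCII column
# follows after two or more spaces and is never captured.
HEX_LINE = re.compile(r'^\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{4} )*[0-9a-f]{2,4})')


@dataclass
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    payload: bytes
    truncated: bool  # dump is shorter than the IP total length (snaplen cut it)


def hexdump_to_bytes(block: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -X style lines."""
    out = bytearray()
    for line in block.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(' ', ''))
    return bytes(out)


def decode_tcp(raw: bytes) -> Segment:
    """Walk the IPv4 and TCP headers; bound the payload by the IP total length."""
    ihl = (raw[0] & 0x0F) * 4
    total_len = int.from_bytes(raw[2:4], 'big')
    if raw[9] != 6:
        raise ValueError('not a TCP packet')
    src, dst = ('.'.join(map(str, raw[i:i + 4])) for i in (12, 16))
    tcp = raw[ihl:]
    sport, dport = int.from_bytes(tcp[:2], 'big'), int.from_bytes(tcp[2:4], 'big')
    doff = (tcp[12] >> 4) * 4
    bits = tcp[13]
    flags = ''.join(n for b, n in ((0x02, 'S'), (0x10, 'A'), (0x08, 'P'),
                                   (0x01, 'F'), (0x04, 'R')) if bits & b)
    # Zero padding after short segments is not payload, and a snaplen-cut
    # segment ends where the dump ends, whichever comes first.
    end = min(total_len, len(raw))
    return Segment(src, sport, dst, dport, flags, raw[ihl + doff:end],
                   len(raw) < total_len)


def load_capture(text: str) -> list:
    return [decode_tcp(hexdump_to_bytes(b)) for b in re.split(r'\n\s*\n', text.strip())]


def smtp_dialogue(segments, server_port=25):
    """Split payload-bearing segments into client commands and server replies."""
    client, server = [], []
    for s in segments:
        if s.payload:
            line = s.payload.decode('ascii', errors='replace').strip()
            (server if s.sport == server_port else client).append(line)
    return client, server


def classify_session(segments) -> str:
    """Name the session shape seen on the wire (labels are my own)."""
    client, server = smtp_dialogue(segments)
    verbs = [c.split()[0].upper() for c in client if c.split()]
    greeted = any(r.startswith('220') for r in server)
    if greeted and verbs == ['QUIT']:
        # Connect, read the greeting, QUIT: no HELO/EHLO reaches the MTA, so maillog stays empty.
        return 'banner-grab'
    if any(v in ('HELO', 'EHLO') for v in verbs):
        return 'smtp-session'
    if not verbs:
        return 'connection-only'
    return 'other'


if __name__ == '__main__':
    segs = load_capture(CAPTURE)
    print([(s.flags, s.payload, s.truncated) for s in segs], classify_session(segs))
```

Run as a script it prints the decoded flags and payloads of the five packets and the label `banner-grab`. The same `classify_session` logic applied to a live feed is a reasonable basis for an alert: a source that opens many port 25 sessions which never get past the greeting is exactly the pattern the poster could not see in the MTA log.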
