Security Incidents mailing list archives

Re: Probe from UK Provider ?


From: zeus () TETRONSOFTWARE COM (Gene Harris)
Date: Thu, 20 Jan 2000 21:04:16 -0600


Yes, I observed the same behaviour until I complained.  I
got an email back about some hardware problem.  The probes
were not to specific ports like yours, but were random.  They
happened over several days.

*==============================================*
*Gene Harris      http://www.tetronsoftware.com*
*FreeBSD Novice                                *
*All ORBS.org SMTP connections are denied!     *
*==============================================*

On Thu, 20 Jan 2000, Pauline van Winsen wrote:

 >
 > Today some guy over here downloaded something from ftp.fishnet.co.uk , and
 > we started to get these entries in our firewall:
 >
 > Jan 18 15:48:36 gw kernel: Packet log: input REJECT eth0 PROTO=6
 > 194.159.150.13: 1161 <my_ip_addr>:80 L=562 S=0x00 I=58886 F=0x4000 T=109

 i see similar problems with most sites hosted by demon.co.uk.
 we send a http/smtp request to a site hosted somewhere in their network
 & we see traffic like:

 tcp 212.240.52.130(2154) -> fw_ip(80)
 tcp 194.217.242.92(1569) -> fw_ip(80)
 tcp 194.217.242.92(2754) -> fw_ip(80)
 tcp 194.217.242.92(48129) -> fw_ip(48129)
 tcp 194.217.242.41(57777) -> fw_ip(80)
 tcp 194.217.242.41(1952) -> fw_ip(80)
 tcp 194.217.242.41(769) -> fw_ip(46939)
 tcp 194.217.242.41(1633) -> fw_ip(80)
 tcp 194.217.242.41(1777) -> fw_ip(80)
 tcp 194.217.242.41(3572) -> fw_ip(80)
 tcp 194.217.242.41(1067) -> fw_ip(80)
 tcp 194.217.242.41(1247) -> fw_ip(80)
 tcp 194.217.242.41(51550) -> fw_ip(80)
 tcp 194.217.242.41(1083) -> fw_ip(80)
 tcp 194.217.242.41(1093) -> fw_ip(80)
 tcp 194.217.242.41(3146) -> fw_ip(21)

 i sent an email to abuse () demon co uk last year in october with little
 success. they mumbled something about problems with hardware
 mangling packets. sigh...
 the fw in question doesn't listen in on port 80 or 21.
 i'd be curious to know if other sites see similar problems.
 we're just blocking the traffic & putting up with the noise
 in the logs for now.

 cheers,
 pauline


