Security Incidents mailing list archives
very strange scan patterns
From: joe () ITS UNIMELB EDU AU (Joe H)
Date: Mon, 5 Jun 2000 22:48:59 +1000
Hi all

On three separate reports (on the same day) from the admins of host "magpie" we got

Jun 3 14:06:41 magpie telnetd[22385]: refused connect from pc253-177.ourdomain.com

"magpie" again

Jun 3 13:41:43 magpie telnetd[21960]: refused connect from pc253-19.ourdomain.com
Jun 3 13:42:04 magpie telnetd[22001]: refused connect from pc253-19.ourdomain.com
Jun 3 13:44:37 magpie telnetd[22136]: refused connect from pc253-19.ourdomain.com
Jun 3 18:05:42 magpie telnetd[25566]: refused connect from pc253-19.ourdomain.com

"krefti" and "magpie"

Jun 3 13:41:08 krefti telnetd[7672]: refused connect from tin.ourdomain.com
Jun 3 13:33:44 magpie telnetd[21859]: refused connect from tin.ourdomain.com
Jun 3 13:35:17 magpie telnetd[21874]: refused connect from tin.ourdomain.com

So we have remote telnet connections from three of our hosts. I have not overruled the possibility that the three ourdomain hosts have been compromised, but unlikely. It looks like a probe (perhaps using nmap with the -sS option to spoof the source address) - port 23 gets noticed since it's obviously wrappered.

Unless it is some sort of host "bouncing/reflecting" from the real attacker to hosts "ourdomain" back to hosts to magpie and krefti.

Can anyone explain this apparent activity or know the signature for this attack?

Thanks
Joe
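
The refusals quoted in the message above, grouped by source host so the targets and timing of each source can be compared side by side. This is an added example, not part of the original post; the function names are illustrative and the year 2000 is assumed from the message's Date header, since syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime

# Log lines as quoted in the message above, rejoined onto single lines.
LOG = """\
Jun 3 14:06:41 magpie telnetd[22385]: refused connect from pc253-177.ourdomain.com
Jun 3 13:41:43 magpie telnetd[21960]: refused connect from pc253-19.ourdomain.com
Jun 3 13:42:04 magpie telnetd[22001]: refused connect from pc253-19.ourdomain.com
Jun 3 13:44:37 magpie telnetd[22136]: refused connect from pc253-19.ourdomain.com
Jun 3 18:05:42 magpie telnetd[25566]: refused connect from pc253-19.ourdomain.com
Jun 3 13:41:08 krefti telnetd[7672]: refused connect from tin.ourdomain.com
Jun 3 13:33:44 magpie telnetd[21859]: refused connect from tin.ourdomain.com
Jun 3 13:35:17 magpie telnetd[21874]: refused connect from tin.ourdomain.com
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<svc>[\w.-]+)\[\d+\]: refused connect from (?P<src>\S+)$"
)

def parse(text, year=2000):
    """Yield (time, target host, service, source) per refused connection.
    syslog omits the year; 2000 is assumed from the message's Date header."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{m['ts']} {year}", "%b %d %H:%M:%S %Y")
            yield ts, m["host"], m["svc"], m["src"]

def summarize(text):
    """Group refusals by source: count, targets hit, first time, span in minutes."""
    by_src = defaultdict(list)
    for ts, host, _svc, src in parse(text):
        by_src[src].append((ts, host))
    out = {}
    for src, hits in by_src.items():
        times = [t for t, _ in hits]
        out[src] = {
            "count": len(hits),
            "targets": sorted({h for _, h in hits}),
            "first": min(times),
            "span_min": (max(times) - min(times)).total_seconds() / 60,
        }
    return out

if __name__ == "__main__":
    for src, s in sorted(summarize(LOG).items(), key=lambda kv: kv[1]["first"]):
        print(src, s["count"], s["targets"], f"{s['first']:%H:%M:%S}", f"{s['span_min']:.1f} min")
```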