Security Incidents mailing list archives

Re: web related oddity


From: poptix () HYDROGEN POPTIX NET (Matthew S. Hallacy)
Date: Wed, 8 Mar 2000 05:11:10 -0600


Hello,

  This morning while browsing through syslog I noticed this:

Logs are CST

Mar  8 03:06:04 venus PAM_pwdb[26675]: check pass; user unknown
Mar  8 03:06:04 venus PAM_pwdb[26676]: check pass; user unknown
Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed
Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed
Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed

ipchains logs from one of the other machines:
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=48 S=0x00 I=54697 F=0x4000 T=115 SYN (#14)
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=40 S=0x00 I=57001 F=0x4000 T=115 (#14)
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=74 S=0x00 I=8618 F=0x4000 T=115 (#14)
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=58 S=0x00 I=11178 F=0x4000 T=115 (#14)

Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999

I received the same exact scan on 2 other machines, firewall logs show
that only port 21 was attempted, there was no other traffic from this host
and this was the only /24 that was scanned. (that we own)

Just curious if anyone else had been scanned for something similar, I can
reproduce this by having a failed login, then sending
IDLE [ton of spaces] <cr>

A curiosity about this is that the number of spaces you send
can determine how many times it sends:
530 Please login with USER and PASS.

inetnum:     212.188.128.0 - 212.188.159.255
netname:     SCREAMING-NET
descr:       Screaming Free ISP
descr:       Froglike ISP, used for Netlink dial customers
descr:       London
descr:       abuse / hacking reports to abuse () localtel co uk
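
An added example, not part of the original post: a small syslog filter that flags ftpd lines like the ones quoted above, where the logged command is followed by a long run of whitespace, and counts repeated "FTP session closed" entries per PID. The function name, the 64-character threshold and the sample lines are assumptions constructed for illustration; the line layout is taken from the log excerpt in the message.

```python
import re

# Shape of the ftpd syslog lines quoted in the post:
#   <ts> <host> ftpd: <src>: connected: <CMD><padding>[<pid>]: <message>
# The padding is either literal whitespace or the post's "[N spaces]" shorthand.
LINE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\sftpd:\s"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\s\w+:\s(?P<cmd>[A-Z]+)"
    r"(?P<pad>\s*)(?:\[(?P<n>\d+) spaces\]\s*)?"
    r"\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)

def find_padded_commands(lines, min_pad=64):
    """Group ftpd lines whose command is padded with >= min_pad whitespace
    characters by source IP. min_pad is an assumed threshold, tune per site."""
    report = {}
    for line in lines:
        m = LINE.match(line.rstrip("\r\n"))
        if not m:
            continue
        pad = int(m["n"]) if m["n"] else len(m["pad"])
        if pad < min_pad:
            continue
        e = report.setdefault(m["src"], {"max_pad": 0, "hits": 0, "closes": {}})
        e["max_pad"] = max(e["max_pad"], pad)
        e["hits"] += 1
        # One PID logging several session closes matches the pattern in the post.
        if m["msg"] == "FTP session closed":
            e["closes"][m["pid"]] = e["closes"].get(m["pid"], 0) + 1
    return report

# Constructed sample input, modelled on the excerpt in the message.
PAD = " " * 531
SAMPLE = [
    f"Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE{PAD}[26675]: FTP session closed",
    "Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed",
    f"Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE{PAD}[26675]: FTP session closed",
    # Constructed benign line (documentation address): no padding, not flagged.
    "Mar  8 03:10:00 venus ftpd: 192.0.2.10: connected: IDLE [27001]: FTP session closed",
]

if __name__ == "__main__":
    for src, e in find_padded_commands(SAMPLE).items():
        repeats = {pid: n for pid, n in e["closes"].items() if n > 1}
        print(f"{src}: {e['hits']} padded lines, max pad {e['max_pad']}, repeated closes {repeats}")
```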

