Security Incidents mailing list archives

Re: web related oddity


From: billp () ROCKETCASH COM (Bill Pennington)
Date: Wed, 8 Mar 2000 10:13:12 -0800


Someone scanned a few boxes in my address space for FTP servers yesterday as
well.

Snort log:

Mar  7 16:01:19 @homeIP:4874 -> 1.2.3.232:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4870 -> 1.2.3.228:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4871 -> 1.2.3.229:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4874 -> 1.2.3.232:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4868 -> 1.2.3.226:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4872 -> 1.2.3.230:21 SYN **S*****
Mar  7 16:01:25 @homeIP:4869 -> 1.2.3.227:21 SYN **S*****

Since I don't run any ftp services I assume he/she moved on. I have no
further activity from this IP address.

"Matthew S. Hallacy" wrote:

Hello,

  This morning while browsing through syslog I noticed this:

Logs are CST

Mar  8 03:06:04 venus PAM_pwdb[26675]: check pass; user unknown
Mar  8 03:06:04 venus PAM_pwdb[26676]: check pass; user unknown
Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed
Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed
Mar  8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed

ipchains logs from one of the other machines:
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980
209.32.247.241:21 L=48 S=0x00 I=54697 F=0x4000 T=115 SYN (#14)
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980
209.32.247.241:21 L=40 S=0x00 I=57001 F=0x4000 T=115 (#14)
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980
209.32.247.241:21 L=74 S=0x00 I=8618 F=0x4000 T=115 (#14)
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980
209.32.247.241:21 L=58 S=0x00 I=11178 F=0x4000 T=115 (#14)

Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999

I received the same exact scan on 2 other machines; firewall logs show
that only port 21 was attempted, there was no other traffic from this host,
and this was the only /24 that was scanned. (that we own)

Just curious if anyone else had been scanned for something similar. I can
reproduce this by having a failed login, then sending
IDLE [ton of spaces] <cr>

A curiosity about this is that the number of spaces you send determines
how many times it sends:
530 Please login with USER and PASS.

inetnum:     212.188.128.0 - 212.188.159.255
netname:     SCREAMING-NET
descr:       Screaming Free ISP
descr:       Froglike ISP, used for Netlink dial customers
descr:       London
descr:       abuse / hacking reports to abuse () localtel co uk

--

Bill Pennington
Senior IT Manager
Rocketcash
billp () rocketcash com
http://www.rocketcash.com
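A detector for the kind of horizontal port-21 sweep shown in the Snort log above, added here as an example and not part of either poster's message. It assumes Snort's one-line portscan log format as quoted; the sample lines are constructed, with a made-up source address (192.0.2.10) in place of the redacted @homeIP.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the same format as the Snort portscan log quoted above.
# The source address is a made-up placeholder, not the real one from the thread.
SAMPLE_LOG = """\
Mar  7 16:01:19 192.0.2.10:4874 -> 1.2.3.232:21 SYN **S*****
Mar  7 16:01:25 192.0.2.10:4870 -> 1.2.3.228:21 SYN **S*****
Mar  7 16:01:25 192.0.2.10:4871 -> 1.2.3.229:21 SYN **S*****
Mar  7 16:01:25 192.0.2.10:4874 -> 1.2.3.232:21 SYN **S*****
Mar  7 16:01:25 192.0.2.10:4868 -> 1.2.3.226:21 SYN **S*****
Mar  7 16:01:25 192.0.2.10:4872 -> 1.2.3.230:21 SYN **S*****
Mar  7 16:01:25 192.0.2.10:4869 -> 1.2.3.227:21 SYN **S*****
Mar  7 16:05:00 192.0.2.77:5000 -> 1.2.3.226:80 SYN **S*****
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) (?P<flags>.*)$"
)

def parse_line(line, year=2000):
    """Return (timestamp, src, dst, dport) for one Snort portscan line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])

def find_sweeps(log_text, min_hosts=5, window_seconds=60):
    """Report sources that SYN-probed >= min_hosts distinct hosts on one port
    within window_seconds. Returns {(src, dport): sorted list of hosts}."""
    events = defaultdict(list)  # (src, dport) -> [(ts, dst), ...]
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ts, src, dst, dport = parsed
            events[(src, dport)].append((ts, dst))
    sweeps = {}
    for key, hits in events.items():
        hits.sort()
        # Slide a window over the time-ordered hits, counting distinct targets.
        for i, (start, _) in enumerate(hits):
            in_window = {d for t, d in hits[i:] if (t - start).total_seconds() <= window_seconds}
            if len(in_window) >= min_hosts:
                sweeps[key] = sorted(in_window)
                break
    return sweeps
```

The same approach works on the ipchains lines in the quoted message once the source, destination and port fields are pulled out of the "Packet log:" format instead.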