Security Incidents mailing list archives
Re: Attacks on port 25
From: rayw () SECURENETWORKS CC (RayW)
Date: Mon, 29 May 2000 21:55:01 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

I have seen this also on popular IDS systems (SessionWall-3, NFR 4.0.1, etc. etc.); what the problem is, is that the IDS system is experiencing a false positive due to the contents of the email, i.e. debug, root, etc. etc. The portsentry error would probably be from the advanced TCP mode detection mechanism.

Later,
RayW

- -----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of Bill Lavalette
Sent: Sunday, May 28, 2000 7:29 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Attacks on port 25

I have been getting that too... our IDS system sees it as this:

'Email_Debug' event detected by the RealSecure engine at 'freakory'.
Details:
Source Address: 207.126.127.68
Source Port: 55058
Source MAC Address: 00:20:6F:05:2D:BE
Destination Address: 216.200.165.211
Destination Port: E-mail (25)
Destination MAC Address: 00:10:5A:22:1D:B0
Time: Friday, May 19, 2000 01:27:24
Protocol: TCP (6)
Priority: high
Actions mask: 0x245

I have about 150 such alerts. Any clue what is going on?

Regards,
Bill

Bill Lavalette
Security/Systems Admin
ndrs.com Dallas Texas NOC
http://www.ndrs.com
PH: 817.652.3882
Email: Operations () ndrsnet com

- -----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On Behalf Of Ryan Russell
Sent: Friday, May 26, 2000 4:28 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Attacks on port 25

On Fri, 26 May 2000, Vincent Lim wrote:

> =-=-=-=-=-=-=-=-=-=-=-=-=-=
> May 26 11:01:27 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: f139.law8.hotmail.com/216.33.241.139 to TCP port: 25

Well, basically it's indicating that you're getting connections to port 25. This would indicate people probing for mail servers. This might be considered hostile *IF* you're not running a mail server. I suspect you're running a mail server on that port, and other mail servers are just trying to send you mail. By alerting on and blocking these machines, you're cutting your mail access off.

> May 26 11:28:21 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: lists.securityfocus.com/207.126.127.68 to TCP port: 25
> May 26 11:28:21 pop3 portsentry[358]: attackalert: Host: lists.securityfocus.com/207.126.127.68 is already blocked Ignoring
>
> As you can see... list.securityfocus.com is among the attackers. What could this mean?

It means you're subscribed to one of our lists... and you're probably not going to get this reply. :) I can say pretty confidently that we're not attacking you in any way. I think you're just monitoring for activity which could be suspicious on a non-mail server, but is just fine on a machine that is supposed to get mail.

Ryan

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBOTMtgaDIlg8vp3Q0EQJEWwCgxc5CwWWxnvlwcec9IVeh4ZnqBf0An35j
9cgZ8KuRwtcGOpEFhULESY3i
=Fqr9
-----END PGP SIGNATURE-----
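The false positive RayW and Bill describe comes from an IDS rule that matches a keyword such as "debug" anywhere in the port 25 stream, so a security mailing list that talks about the old sendmail DEBUG hole trips the rule. The following is an added illustration for this archive page, not code from the thread or from any IDS vendor: a flat substring rule is compared with a rule that tracks SMTP state and only fires when the keyword is sent as a command, never inside the message body after DATA. The two SMTP sessions are constructed, the hostnames are placeholders, and WIZ is included alongside DEBUG because both were sendmail backdoor commands; nothing here reproduces the real RealSecure or NFR signature logic.

```python
# Added example: keyword-in-stream vs. keyword-as-command detection on SMTP.
# Not from the mailing list thread; sessions below are constructed.

# Old sendmail backdoor verbs (the DEBUG hole the Morris worm used, and WIZ).
SUSPICIOUS_VERBS = ("DEBUG", "WIZ")


def naive_signature(client_lines):
    """Flat substring match over every client line, the way a simple
    content rule behaves. Returns (line_number, verb) for each hit."""
    hits = []
    for n, line in enumerate(client_lines, 1):
        upper = line.upper()
        for verb in SUSPICIOUS_VERBS:
            if verb in upper:
                hits.append((n, verb))
    return hits


def stateful_signature(client_lines):
    """Only flag a verb that is sent as an SMTP command. Everything between
    DATA and the terminating '.' is message content and is skipped, so a
    mail *about* DEBUG does not look like a DEBUG command."""
    hits = []
    in_data = False
    for n, line in enumerate(client_lines, 1):
        if in_data:
            if line == ".":          # end-of-data marker (RFC 821/5321)
                in_data = False
            continue                 # body text is never a command
        verb = line.split(" ", 1)[0].upper()
        if verb == "DATA":
            in_data = True
        elif verb in SUSPICIOUS_VERBS:
            hits.append((n, verb))
    return hits


# Constructed session: a mailing-list post discussing the sendmail hole.
# Hostnames are placeholders, not the hosts from the thread.
BENIGN_SESSION = [
    "EHLO lists.example.org",
    "MAIL FROM:<incidents-owner@lists.example.org>",
    "RCPT TO:<vincent@pop3.example.net>",
    "DATA",
    "Subject: Re: sendmail DEBUG command",
    "",
    "Old sendmail versions accepted the DEBUG and WIZ commands",
    "and gave the caller a root shell.",
    ".",
    "QUIT",
]

# Constructed session: a client actually issuing the backdoor commands.
ATTACK_SESSION = [
    "HELO evil.example",
    "DEBUG",
    "WIZ",
    "QUIT",
]


if __name__ == "__main__":
    # The naive rule fires three times on the harmless list post; the
    # stateful rule is silent on it but still catches the real attempt.
    print("naive/benign   :", naive_signature(BENIGN_SESSION))
    print("stateful/benign:", stateful_signature(BENIGN_SESSION))
    print("stateful/attack:", stateful_signature(ATTACK_SESSION))
```

The same reasoning applies to Ryan's point about portsentry: a SYN to port 25 on a host that is supposed to accept mail is not an event, and a rule that cannot tell the served port or the message body from the attack surface will block exactly the senders you want to hear from.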