Security Incidents mailing list archives

Re: Attacks on port 25


From: rayw () SECURENETWORKS CC (RayW)
Date: Mon, 29 May 2000 21:55:01 -0500


Hi,

I have seen this also on popular IDS systems (SessionWall-3, NFR
4.0.1 etc. etc.). What the problem is, is that the IDS system is
experiencing a false positive due to the contents of the email, i.e.
debug, root, etc. etc. The portsentry error would probably be from
the advanced TCP mode detection mechanism.

Later,

RayW

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On
Behalf Of Bill Lavalette
Sent: Sunday, May 28, 2000 7:29 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Attacks on port 25

I have been getting that too...

our IDS system sees it as this

'Email_Debug' event detected by the RealSecure engine at 'freakory'.
Details:
        Source Address: 207.126.127.68
        Source Port: 55058
        Source MAC Address: 00:20:6F:05:2D:BE
        Destination Address: 216.200.165.211
        Destination Port: E-mail (25)
        Destination MAC Address: 00:10:5A:22:1D:B0
        Time: Friday, May 19, 2000 01:27:24
        Protocol: TCP (6)
        Priority: high
        Actions mask: 0x245
I have about 150 of these alerts.

any clue what is going on?

Regards

Bill

Bill Lavalette
Security/Systems Admin ndrs.com
Dallas Texas NOC
http://www.ndrs.com
PH:817.652.3882
Email: Operations () ndrsnet com

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM] On
Behalf Of Ryan Russell
Sent: Friday, May 26, 2000 4:28 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Attacks on port 25

On Fri, 26 May 2000, Vincent Lim wrote:

=-=-=-=-=-=-=-=-=-=-=-=-=-=
May 26 11:01:27 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: f139.law8.hotmail.com/216.33.241.139 to TCP port: 25

Well, basically it's indicating that you're getting connections to port
25. This would indicate people probing for mail servers. This might be
considered hostile *IF* you're not running a mail server. I suspect
you're running a mail server on that port, and other mail servers are just
trying to send you mail. By alerting on and blocking these machines,
you're cutting your mail access off.

May 26 11:28:21 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: lists.securityfocus.com/207.126.127.68 to TCP port: 25
May 26 11:28:21 pop3 portsentry[358]: attackalert: Host: lists.securityfocus.com/207.126.127.68 is already blocked Ignoring

As you can see... list.securityfocus.com is among the attackers.
What could this mean?

It means you're subscribed to one of our lists... and you're probably not
going to get this reply. :)

I can say pretty confidently that we're not attacking you in any way. I
think you're just monitoring for activity which could be suspicious on a
non-mail server, but is just fine on a machine that is supposed to get
mail.

                                        Ryan

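An added example, not part of the thread, that turns Ryan's point into a triage step for portsentry's own log lines: parse the attackalert entries quoted above and separate hits on a port the host is meant to serve (TCP/25 on a mail host) from connections to anything else. The per-host service inventory, the mapping of the syslog hostname `pop3` to a mail host, and the `probe.example.net` line are constructed assumptions.

```python
import re
from collections import namedtuple

# Matches a portsentry "attackalert" scan line of the form quoted in the thread
# (timestamp, logging host, scan type, source name/IP, protocol, port).
ALERT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) portsentry\[\d+\]: "
    r"attackalert: (?P<kind>.+?) from host: (?P<src>\S+)/(?P<ip>[\d.]+) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)

# host = the monitored machine that logged the alert; src_name = reverse-resolved peer
Alert = namedtuple("Alert", "ts host src_name src_ip proto port")

def parse_alert(line):
    """Return an Alert, or None for non-scan lines such as 'is already blocked Ignoring'."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return Alert(m["ts"], m["host"], m["src"], m["ip"], m["proto"], int(m["port"]))

# Constructed inventory of (proto, port) pairs each monitored host is meant to serve;
# 'pop3' is the mail host in the thread, so SMTP on TCP/25 is expected there.
SERVED = {"pop3": {("TCP", 25), ("TCP", 110)}}

def triage(lines, served=SERVED):
    """Split alerts into hits on a port the host legitimately serves vs anything else."""
    expected, suspicious = [], []
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        if (a.proto, a.port) in served.get(a.host, set()):
            expected.append(a)
        else:
            suspicious.append(a)
    return expected, suspicious

# Two alert lines quoted in the thread, its 'already blocked' follow-up, and one
# constructed telnet probe (RFC 5737 test address) for contrast.
SAMPLE = [
    "May 26 11:01:27 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: "
    "f139.law8.hotmail.com/216.33.241.139 to TCP port: 25",
    "May 26 11:28:21 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: "
    "lists.securityfocus.com/207.126.127.68 to TCP port: 25",
    "May 26 11:28:21 pop3 portsentry[358]: attackalert: Host: "
    "lists.securityfocus.com/207.126.127.68 is already blocked Ignoring",
    "May 26 11:30:02 pop3 portsentry[358]: attackalert: SYN/Normal scan from host: "
    "probe.example.net/192.0.2.10 to TCP port: 23",
]
```

Filtering after the fact only cleans up the log; on a mail host the real fix is to stop portsentry watching port 25 at all, since blocking peers that hit it drops legitimate mail.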
