Security Incidents mailing list archives
Re: Strange traffic to port 119
From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Mon, 13 Nov 2000 09:52:52 -0500
On Sun, 12 Nov 2000 13:17:28 CST, Omar Herrera <oherrera () PRODIGY NET MX> said:

Let me inject a *possible* alternate interpretation. You should of course apply Occam's Razor and any other available information. I'm listing it mostly because I've actually seen something similar...
> IP addresses are assigned dynamically by my ISP and packets are not directed to any broadcast address so, as far as I know, they are targeting me directly.
You might want to consider the possibility that the probes are intended for the *previous* owner of that IP address. The previous guy comes on, launches his private NNTP server, sends mail to his eleet buddies saying where it is now, and they start pounding on it. His connection drops, you get the IP address, and his eleet buddies keep trying for a while wondering why the server isn't answering. Could also be the guy announced the address with a typo in it. ;)
> As you can see, 2 of these sources show more than any:
> 148.246.45.107
> 62.42.0.213
> 148.246.45.107 seems to be (with a high probability) a Win 2000 machine
> 62.42.0.213 might be an Aix2.4 (probably inaccurate)
AIX 2.4 never existed. Probably should be AIX 4.2 (which is outdated, unsupported, and quite possibly easily hackable).
> I ran nmap on these two but I can't find any relation to each other. I also checked for any strange parameters in the packets but couldn't find anything, here is a sample:
Again, if those 2 addresses are dialups, you run the risk of nmap'ing the next machine that happens to get the address (unless you're nmap'ing during or RIGHT after the incident).
> At 12:38 nntp packets stopped but snort started to alert me of several nmap probes to my machine, source addresses are random and too many so I
At 12:38, one of the eleet friends finally clues in that they're pounding the wrong machine. ;)

--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
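The triage the thread walks through by hand (which sources dominate the port-119 traffic, when it stopped, what replaced it, and whether a source address is still fresh enough to be attributed to the same host on a dynamic range) can be scripted. The following is an added example, not code from the original post or from either correspondent; it parses a constructed, hypothetical log format ("HH:MM:SS src:sport -> dst:dport PROTO") with RFC 5737 documentation addresses, and the 15-minute freshness window is an assumed value, not anything the thread states.

```python
"""Triage helper for unexplained inbound traffic to one port (NNTP, 119, here).

Added example; the log format and all addresses below are constructed for
illustration and do not come from the original post.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

NNTP_PORT = 119

# Hypothetical one-line-per-packet format: "HH:MM:SS src:sport -> dst:dport PROTO"
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)

# Constructed sample: two sources dominate port 119, the traffic stops at
# 12:37:59, and a burst of probes from unrelated sources follows at 12:38.
SAMPLE_LOG = """\
12:01:05 198.51.100.7:1043 -> 192.0.2.10:119 TCP
12:01:09 203.0.113.9:3201 -> 192.0.2.10:119 TCP
12:02:11 198.51.100.7:1044 -> 192.0.2.10:119 TCP
12:05:30 192.0.2.200:2001 -> 192.0.2.10:119 TCP
12:10:02 198.51.100.7:1045 -> 192.0.2.10:119 TCP
12:15:44 203.0.113.9:3202 -> 192.0.2.10:119 TCP
12:20:17 198.51.100.7:1046 -> 192.0.2.10:119 TCP
12:30:58 203.0.113.9:3203 -> 192.0.2.10:119 TCP
12:37:59 198.51.100.7:1047 -> 192.0.2.10:119 TCP
12:38:40 203.0.113.55:40001 -> 192.0.2.10:22 TCP
12:38:41 203.0.113.77:40002 -> 192.0.2.10:80 TCP
12:38:41 203.0.113.91:40003 -> 192.0.2.10:443 TCP
12:38:42 203.0.113.123:40004 -> 192.0.2.10:25 TCP
"""

DAY = datetime(2000, 11, 12)  # the log carries times only; pin them to one day


def parse_time(hhmmss):
    """Turn 'HH:MM:SS' into a datetime on DAY."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return DAY.replace(hour=h, minute=m, second=s)


def parse_log(text):
    """Parse the log into dicts; lines in another format are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            events.append({"time": parse_time(m["time"]), "src": m["src"],
                           "dst_port": int(m["dport"])})
    return events


def top_sources(events, port, n=2):
    """The n sources with the most packets to `port`, most frequent first."""
    return Counter(e["src"] for e in events if e["dst_port"] == port).most_common(n)


def last_seen(events, port):
    """Time of the last packet to `port`, or None if there were none."""
    times = [e["time"] for e in events if e["dst_port"] == port]
    return max(times) if times else None


def follow_on_activity(events, port):
    """Everything logged after the traffic to `port` stopped."""
    cutoff = last_seen(events, port)
    return [] if cutoff is None else [e for e in events if e["time"] > cutoff]


def attribution_is_fresh(events, src, now, max_age=timedelta(minutes=15)):
    """Can `src` still be assumed to be the host that sent the packets?

    On dynamically assigned ranges the address may already belong to someone
    else, so only a recently seen source is worth a closer look. The 15-minute
    window is an assumed value for this example.
    """
    times = [e["time"] for e in events if e["src"] == src]
    return bool(times) and now - max(times) <= max_age


def triage(text, port=NNTP_PORT):
    """One-call summary with plain values, convenient for reports and tests."""
    events = parse_log(text)
    stopped = last_seen(events, port)
    follow = follow_on_activity(events, port)
    return {
        "top_sources": top_sources(events, port),
        "stopped_at": stopped.strftime("%H:%M:%S") if stopped else None,
        "follow_on_sources": len({e["src"] for e in follow}),
        "follow_on_ports": sorted({e["dst_port"] for e in follow}),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run stand-alone it prints the two dominant sources, the 12:37:59 stop time and the four distinct sources probing four other ports afterwards; `attribution_is_fresh` is the check to run before spending any effort on a source address from a dialup or other dynamically assigned range.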
Current thread:
- Strange traffic to port 119 Omar Herrera (Nov 13)
- Re: Strange traffic to port 119 Valdis Kletnieks (Nov 14)