Security Incidents mailing list archives
Mass scan : coordinated or spoofed ?
From: Nicolas GREGOIRE <nicolas.gregoire () 7THZONE COM>
Date: Wed, 21 Feb 2001 16:54:38 +0100
Hi all! Please excuse my poor English.

One of my Internet hosts (an FTP server) was probed this afternoon. The FTP server is protected via TCP Wrappers to authorize only a small set of IPs. Here is the strange thing: it received 44 attempts in less than 4 minutes from 4 different IPs. The first 43 attempts are from 3 IPs in the same subnet (XX.XX.XX). The 44th one is from an IP in another subnet (YY.YY.YY). All 4 boxes respond to ping, run Linux and are in Spain.

Here are the logs:

Feb 21 15:14:29 my_ftp_host in.ftpd[32374]: refused connect from XX.XX.XX.67
Feb 21 15:14:36 my_ftp_host in.ftpd[32375]: refused connect from XX.XX.XX.67
Feb 21 15:14:42 my_ftp_host in.ftpd[32376]: refused connect from XX.XX.XX.67
Feb 21 15:14:48 my_ftp_host in.ftpd[32377]: refused connect from XX.XX.XX.67
Feb 21 15:14:53 my_ftp_host in.ftpd[32378]: refused connect from XX.XX.XX.67
Feb 21 15:14:58 my_ftp_host in.ftpd[32379]: refused connect from XX.XX.XX.67
Feb 21 15:15:04 my_ftp_host in.ftpd[32380]: refused connect from XX.XX.XX.67
Feb 21 15:15:09 my_ftp_host in.ftpd[32381]: refused connect from XX.XX.XX.67
Feb 21 15:15:13 my_ftp_host in.ftpd[32382]: refused connect from XX.XX.XX.66
Feb 21 15:15:19 my_ftp_host in.ftpd[32383]: refused connect from XX.XX.XX.66
Feb 21 15:15:24 my_ftp_host in.ftpd[32384]: refused connect from XX.XX.XX.66
Feb 21 15:15:29 my_ftp_host in.ftpd[32385]: refused connect from XX.XX.XX.66
Feb 21 15:15:34 my_ftp_host in.ftpd[32386]: refused connect from XX.XX.XX.66
Feb 21 15:15:39 my_ftp_host in.ftpd[32387]: refused connect from XX.XX.XX.66
Feb 21 15:15:44 my_ftp_host in.ftpd[32388]: refused connect from XX.XX.XX.66
Feb 21 15:15:50 my_ftp_host in.ftpd[32389]: refused connect from XX.XX.XX.66
Feb 21 15:15:55 my_ftp_host in.ftpd[32390]: refused connect from XX.XX.XX.66
Feb 21 15:15:58 my_ftp_host in.ftpd[32391]: refused connect from XX.XX.XX.130
Feb 21 15:16:03 my_ftp_host in.ftpd[32392]: refused connect from XX.XX.XX.130
Feb 21 15:16:09 my_ftp_host in.ftpd[32393]: refused connect from XX.XX.XX.130
Feb 21 15:16:14 my_ftp_host in.ftpd[32394]: refused connect from XX.XX.XX.130
Feb 21 15:16:19 my_ftp_host in.ftpd[32395]: refused connect from XX.XX.XX.130
Feb 21 15:16:24 my_ftp_host in.ftpd[32396]: refused connect from XX.XX.XX.130
Feb 21 15:16:33 my_ftp_host in.ftpd[32398]: refused connect from XX.XX.XX.67
Feb 21 15:16:39 my_ftp_host in.ftpd[32399]: refused connect from XX.XX.XX.67
Feb 21 15:16:45 my_ftp_host in.ftpd[32400]: refused connect from XX.XX.XX.67
Feb 21 15:16:52 my_ftp_host in.ftpd[32401]: refused connect from XX.XX.XX.67
Feb 21 15:16:58 my_ftp_host in.ftpd[32402]: refused connect from XX.XX.XX.67
Feb 21 15:17:07 my_ftp_host in.ftpd[32403]: refused connect from XX.XX.XX.67
Feb 21 15:17:14 my_ftp_host in.ftpd[32404]: refused connect from XX.XX.XX.67
Feb 21 15:17:17 my_ftp_host in.ftpd[32405]: refused connect from XX.XX.XX.67
Feb 21 15:17:22 my_ftp_host in.ftpd[32406]: refused connect from XX.XX.XX.67
Feb 21 15:17:28 my_ftp_host in.ftpd[32407]: refused connect from XX.XX.XX.67
Feb 21 15:17:33 my_ftp_host in.ftpd[32408]: refused connect from XX.XX.XX.67
Feb 21 15:17:39 my_ftp_host in.ftpd[32409]: refused connect from XX.XX.XX.67
Feb 21 15:17:47 my_ftp_host in.ftpd[32410]: refused connect from XX.XX.XX.67
Feb 21 15:17:53 my_ftp_host in.ftpd[32411]: refused connect from XX.XX.XX.67
Feb 21 15:17:58 my_ftp_host in.ftpd[32412]: refused connect from XX.XX.XX.67
Feb 21 15:18:02 my_ftp_host in.ftpd[32413]: refused connect from XX.XX.XX.130
Feb 21 15:18:07 my_ftp_host in.ftpd[32414]: refused connect from XX.XX.XX.130
Feb 21 15:18:13 my_ftp_host in.ftpd[32415]: refused connect from XX.XX.XX.130
Feb 21 15:18:18 my_ftp_host in.ftpd[32416]: refused connect from XX.XX.XX.130
Feb 21 15:18:23 my_ftp_host in.ftpd[32417]: refused connect from XX.XX.XX.130
Feb 21 15:18:28 my_ftp_host in.ftpd[32418]: refused connect from XX.XX.XX.130
Feb 21 15:18:36 my_ftp_host in.ftpd[32419]: refused connect from YY.YY.YY.200

What do you think about it?
Distributed scanning tool? (so why scan the same IP/port 44 times?)
Spoofed sources? (but the connection is established before tcpd logs it)
Another idea?

Thanks in advance...
Nicob
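The questions in the post come down to reading the log for cadence and interleaving: how many hits each source made, how evenly spaced they were, and whether the sources took turns or overlapped. As an added example (not part of the original post), this Python script parses tcpd "refused connect" lines, reports per-source counts and median inter-arrival gaps, and lists the runs of consecutive hits from one source; the sample input is a subset of the post's own log lines plus one constructed unrelated syslog line to show the filter.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# tcpd refusal line as logged by in.ftpd, e.g.
# "Feb 21 15:14:29 my_ftp_host in.ftpd[32374]: refused connect from XX.XX.XX.67"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (?P<svc>[\w.]+)\[(?P<pid>\d+)\]: "
    r"refused connect from (?P<src>\S+)$"
)

# Sample input: lines taken from the post, plus one constructed non-tcpd line.
SAMPLE_LOG = """\
Feb 21 15:14:29 my_ftp_host in.ftpd[32374]: refused connect from XX.XX.XX.67
Feb 21 15:14:36 my_ftp_host in.ftpd[32375]: refused connect from XX.XX.XX.67
Feb 21 15:14:42 my_ftp_host in.ftpd[32376]: refused connect from XX.XX.XX.67
Feb 21 15:15:13 my_ftp_host in.ftpd[32382]: refused connect from XX.XX.XX.66
Feb 21 15:15:19 my_ftp_host in.ftpd[32383]: refused connect from XX.XX.XX.66
Feb 21 15:15:24 my_ftp_host in.ftpd[32384]: refused connect from XX.XX.XX.66
Feb 21 15:15:58 my_ftp_host in.ftpd[32391]: refused connect from XX.XX.XX.130
Feb 21 15:16:03 my_ftp_host in.ftpd[32392]: refused connect from XX.XX.XX.130
Feb 21 15:16:20 my_ftp_host kernel: constructed unrelated line, must be ignored
Feb 21 15:16:33 my_ftp_host in.ftpd[32398]: refused connect from XX.XX.XX.67
Feb 21 15:16:39 my_ftp_host in.ftpd[32399]: refused connect from XX.XX.XX.67
Feb 21 15:18:36 my_ftp_host in.ftpd[32419]: refused connect from YY.YY.YY.200
"""

def parse_refusals(lines, year=2001):
    """Yield (timestamp, pid, source) for each 'refused connect' line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unrelated syslog line
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        yield ts, int(m["pid"]), m["src"]

def summarize(lines):
    """Return ({source: count/first/last/median_gap}, [(source, hits_in_a_row), ...])."""
    events = sorted(parse_refusals(lines))
    per_src = defaultdict(list)
    for ts, _, src in events:
        per_src[src].append(ts)
    stats = {}
    for src, times in per_src.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        stats[src] = {"count": len(times), "first": times[0], "last": times[-1],
                      "median_gap": median(gaps) if gaps else None}
    runs = []  # a run ends when a different source takes over; more runs than sources = sources came back
    for _, _, src in events:
        if runs and runs[-1][0] == src:
            runs[-1][1] += 1
        else:
            runs.append([src, 1])
    return stats, [tuple(r) for r in runs]

if __name__ == "__main__":
    stats, runs = summarize(SAMPLE_LOG.splitlines())
    for src, s in stats.items():
        print(f"{src:14} hits={s['count']:2} median gap={s['median_gap']} {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}")
    print("runs:", runs)
```

A steady gap of a few seconds and runs that never interleave are what a single probe working through a list looks like; genuinely independent distributed sources would be expected to overlap in time.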