Security Incidents mailing list archives
Unusual scans seen
From: TJ Jablonowski <t.jablonowski () MAIL-2-GO COM>
Date: Thu, 18 Jan 2001 12:16:59 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Have seen this type of scan just start up in the last couple of days.
Starts out with a SYN-FIN scan from port 21 to port 21. Then right
afterwards a ftp connection attempted with a user name of "ftp" and a
password of "root".

Jan 17 07:27:29 xxxxxxxx iplog[8610]: TCP: ftp connection attempt from cd-189-25.ra30.dc.capu.net:21
Jan 17 07:27:29 xxxxxxxx iplog[8610]: TCP: ftp connection attempt from cd-189-25.ra30.dc.capu.net:3195
Jan 17 07:42:24 xxxxxxxx iplog[8610]: TCP: ftp connection attempt from next2.cjr.shizuoka.ac.jp:21
Jan 17 07:42:26 xxxxxxxx iplog[8610]: TCP: ftp connection attempt from next2.cjr.shizuoka.ac.jp:2035

Jan 17 07:27:29 xxxxxxxx xinetd[446]: FAIL: ftp address from=64.50.170.25
Jan 17 07:27:29 xxxxxxxx xinetd[5548]: USERID: ftp OTHER :root
Jan 17 07:42:27 xxxxxxxx xinetd[446]: FAIL: ftp address from=133.70.180.9
Jan 17 07:42:28 xxxxxxxx xinetd[5644]: USERID: ftp OTHER :root

[**] spp_portscan: PORTSCAN DETECTED from 64.50.170.25 (STEALTH) [**]
01/17-07:27:29.312368

[**] IDS198 - SCAN-SYN FIN [**]
01/17-07:27:29.311716 64.50.170.25:21 -> xxx.xxx.xxx.xxx:21
TCP TTL:24 TOS:0x0 ID:39426
**SF**** Seq: 0x55C0CE70 Ack: 0x458EB528 Win: 0x404

[**] spp_portscan: portscan status from 64.50.170.25: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
01/17-07:27:44.361658

[**] spp_portscan: End of portscan from 64.50.170.25: TOTAL time(0s) hosts(1) TCP(2) UDP(0) STEALTH [**]
01/17-07:28:25.961614

[**] spp_portscan: PORTSCAN DETECTED from 133.70.180.9 (STEALTH) [**]
01/17-07:42:24.689036

[**] IDS198 - SCAN-SYN FIN [**]
01/17-07:42:24.688902 133.70.180.9:21 -> xxx.xxx.xxx.xxx:21
TCP TTL:24 TOS:0x0 ID:39426
**SF**** Seq: 0x73F45439 Ack: 0x37D9803C Win: 0x404

[**] spp_portscan: portscan status from 133.70.180.9: 2 connections across 1 hosts: TCP(2), UDP(0) STEALTH [**]
01/17-07:43:45.125899

[**] spp_portscan: End of portscan from 133.70.180.9: TOTAL time(2s) hosts(1) TCP(2) UDP(0) STEALTH [**]
01/17-07:44:59.378866

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0

iQA/AwUBOmclCG+7g8loOAk5EQKP5wCfSNXGc9J4jDzvgTgPMzUEnbQ+8V4Anjtk
XlphmXr5wMuetOTN6Mu5CbFu
=IzSm
-----END PGP SIGNATURE-----
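
Added example, not part of the original post: a small Python parser for the Snort alert text quoted in the message, which flags SYN-FIN packets whose source and destination ports match and groups them by the header values the two alerts have in common (TTL 24, IP ID 39426, window 0x404). The function names are hypothetical, the sample input is the two IDS198 alerts copied from the post, and treating a shared (TTL, ID, window) triple as a sign of one tool is an assumption of this example.

```python
import re
from collections import defaultdict

# Sample input: the two IDS198 alerts copied from the post (Snort alert text format).
ALERTS = """\
[**] IDS198 - SCAN-SYN FIN [**]
01/17-07:27:29.311716 64.50.170.25:21 -> xxx.xxx.xxx.xxx:21
TCP TTL:24 TOS:0x0 ID:39426
**SF**** Seq: 0x55C0CE70 Ack: 0x458EB528 Win: 0x404

[**] IDS198 - SCAN-SYN FIN [**]
01/17-07:42:24.688902 133.70.180.9:21 -> xxx.xxx.xxx.xxx:21
TCP TTL:24 TOS:0x0 ID:39426
**SF**** Seq: 0x73F45439 Ack: 0x37D9803C Win: 0x404
"""

PACKET = re.compile(
    r"(?P<ts>\d\d/\d\d-[\d:.]+) (?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)\s+"
    r"TCP TTL:(?P<ttl>\d+) TOS:\S+ ID:(?P<ipid>\d+)\s+"
    r"(?P<flags>[*A-Z0-9]{8}) Seq: \S+ Ack: \S+ Win: (?P<win>0x[0-9A-Fa-f]+)"
)

def parse_alerts(text):
    """Return one dict per TCP packet found in Snort alert text."""
    return [m.groupdict() for m in PACKET.finditer(text)]

def is_synfin_same_port(pkt):
    """SYN and FIN set together, with source port equal to destination port."""
    return "S" in pkt["flags"] and "F" in pkt["flags"] and pkt["sport"] == pkt["dport"]

def shared_fingerprints(packets, min_sources=2):
    """Group suspicious packets by (TTL, IP ID, window) and keep the groups seen
    from several sources (assumption: identical values suggest the same tool)."""
    groups = defaultdict(set)
    for p in filter(is_synfin_same_port, packets):
        groups[(int(p["ttl"]), int(p["ipid"]), int(p["win"], 16))].add(p["src"])
    return {fp: sorted(srcs) for fp, srcs in groups.items() if len(srcs) >= min_sources}

if __name__ == "__main__":
    for fp, srcs in shared_fingerprints(parse_alerts(ALERTS)).items():
        print("TTL=%d ID=%d Win=0x%X from %s" % (*fp, ", ".join(srcs)))
```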