Security Incidents mailing list archives
Odd connection attempts from many addresses
From: John Bland <shrike () cmp liv ac uk>
Date: 19 Jan 2002 18:37:51 -0000
Hi,

I've been seeing, over the past week, a constant stream of odd connection attempts to two of my machines. The firewall logs show things like (where A,B,C,D are addresses in quite separate address spaces and X is the local machine):

A:1200 X:41000
A:1200 X:41000
A:1200 X:41000
B:1340 X:41001
B:1340 X:41001
B:1340 X:41001
C:2100 X:41002
C:2100 X:41002
C:2100 X:41002
D:1130 X:41003
D:1130 X:41003
D:1130 X:41003

(all TCP)

i.e. we're receiving connection attempts from quite varied addresses (all types of UK dialup and ADSL, the odd ac.uk and even some .edu), always to the same machine, from random high ports to a monotonically increasing destination port. However, the destination port seems a bit of an odd one to be trying to connect to.

I 'investigated' some of the connecting machines, and what I can tell from those that were on static IPs is that they are Windows machines (surprise!) running a whole gamut of services including netbios-ns, ldap and irc-serv as well as dns and http etc etc. And stateless firewalls.

Basically, has anyone seen this sort of thing before? And if so, what form of exploit is it attempting? It's all bouncing off the firewall atm and is pretty low traffic so I'm not overly concerned, just puzzled.

Cheers,
JB

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
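The pattern described in the post above (repeated attempts from one source, then a different source hitting the next destination port) can be picked out of a firewall log mechanically. The following is an added example, not part of the original post: the "src:sport dst:dport" line format follows the post's notation, while the addresses, function names and threshold are constructed for illustration.

```python
import re

# Constructed sample in the post's "src:sport dst:dport" shape (TCP only).
# Addresses are documentation ranges, not values from the original logs.
SAMPLE_LOG = """\
192.0.2.10:1200 203.0.113.5:41000
192.0.2.10:1200 203.0.113.5:41000
192.0.2.10:1200 203.0.113.5:41000
198.51.100.7:1340 203.0.113.5:41001
198.51.100.7:1340 203.0.113.5:41001
192.0.2.99:2100 203.0.113.5:41002
198.51.100.200:1130 203.0.113.5:41003
192.0.2.44:3301 203.0.113.5:80
192.0.2.44:3302 203.0.113.5:80
"""

LINE_RE = re.compile(r"^(\S+):(\d+)\s+(\S+):(\d+)$")

def parse(log):
    """Yield (src, sport, dst, dport), collapsing consecutive identical lines (retries)."""
    prev = None
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        rec = (m.group(1), int(m.group(2)), m.group(3), int(m.group(4)))
        if rec != prev:
            yield rec
        prev = rec

def stepping_runs(log, min_len=3):
    """Return (dst, [(src, dport), ...]) runs where each attempt to a host
    targets the previous dport + 1 and comes from a different source.
    Simplification: any other attempt to the same host ends the run."""
    runs, current = [], {}
    for src, _sport, dst, dport in parse(log):
        run = current.get(dst)
        if run and dport == run[-1][1] + 1 and src != run[-1][0]:
            run.append((src, dport))
        else:
            if run and len(run) >= min_len:
                runs.append((dst, run))
            current[dst] = [(src, dport)]
    runs += [(d, r) for d, r in current.items() if len(r) >= min_len]
    return runs

if __name__ == "__main__":
    for dst, run in stepping_runs(SAMPLE_LOG):
        print(dst, [p for _, p in run], sorted({s for s, _ in run}))
```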