Snort mailing list archives
RE: is this an attack?
From: "Ronneil Camara" <ronneilc () remingtonltd com>
Date: Mon, 28 Jan 2002 08:28:07 -0600
Hi John,

Then that is bad, because our fw is being used to check open relays internally.
From what I saw last night, it even scans 80, 110. It's really weird.
I've never seen those packets before.

> -----Original Message-----
> From: John Berkers [mailto:berjo () ozemail com au]
> Sent: Monday, January 28, 2002 5:24 AM
> To: snort-users () lists sourceforge net
> Subject: RE: [Snort-users] is this an attack?
>
>
> This looks to me (from the content) like a system scanning for open SMTP
> relays.
>
> Open SMTP relays are what allows a lot of the spam we receive in our
> mailboxes to be sent anonymously. My guess is that Remington Ltd is
> actively scanning the Internet for open relays.
>
> If you have no open relays then you have nothing to worry about.
>
> Regards,
>
> John Berkers
> berjo () ozemail com au
>
>
> -----Original Message-----
> From: snort-users-admin () lists sourceforge net
> [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Ronneil Camara
> Sent: Monday, 28 January 2002 18:42
> To: snort-users () lists sourceforge net
> Subject: [Snort-users] is this an attack?
>
>
> Hi dudes,
>
> I am receiving a lot of smtp connection attempts from our checkpoint
> firewall-1. Is it an attack? Looks like a SYN scan to me coz I never see
> any HELO transaction in the /var/log/maillog.
>
> 01:24:49.777645 cpfw.20771 > antispam.remingtonltd.com.smtp: S 1715098950:1715098950(0) win 5840 <mss 1460,nop,nop,sackOK> (DF)
> 0000: 4500 0030 9fc1 4000 7f06 ee00 41c0 7541 E..0.Á@...î.AÀuA
> 0010: 41c0 7544 5123 0019 663a 5546 0000 0000 AÀuDQ#..f:UF....
> 0020: 7002 16d0 f18c 0000 0204 05b4 0101 0402 p..Ðñ......´....
>
> 01:24:49.777760 antispam.remingtonltd.com.smtp > cpfw.20771: S 2880971570:2880971570(0) ack 1715098951 win 17520 <mss 1460,nop,nop,sackOK> (DF)
> 0000: 4500 0030 59f4 4000 4006 72ce 41c0 7544 E..0Yô@.@.rÎAÀuD
> 0010: 41c0 7541 0019 5123 abb8 2332 663a 5547 AÀuA..Q#«¸#2f:UG
> 0020: 7012 4470 f4f0 0000 0204 05b4 0101 0402 p.Dpôð.....´....
>
> 01:24:49.778486 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 1 win 5840 (DF)
> 0000: 4500 0028 9fc2 4000 7f06 ee07 41c0 7541 E..(.Â@...î.AÀuA
> 0010: 41c0 7544 5123 0019 663a 5547 abb8 2333 AÀuDQ#..f:UG«¸#3
> 0020: 5010 16d0 4f55 0000 0000 0000 0000 P..ÐOU........
>
> 01:24:49.781016 antispam.remingtonltd.com.smtp > cpfw.20771: P 1:107(106) ack 1 win 17520 (DF)
> 0000: 4500 0092 21f2 4000 4006 aa6e 41c0 7544 E...!ò@.@.ªnAÀuD
> 0010: 41c0 7541 0019 5123 abb8 2333 663a 5547 AÀuA..Q#«¸#3f:UG
> 0020: 5018 4470 960f 0000 3232 3020 616e 7469 P.Dp....220 anti
> 0030: 7370 616d 2e72 656d 696e 6774 6f6e 6c74 spam.remingtonlt
> 0040: 642e 636f 6d20 4553 4d54 5020 5365 7276 d.com ESMTP Serv
> 0050: 6572 er
>
> 01:24:49.781930 cpfw.20771 > antispam.remingtonltd.com.smtp: P 1:7(6) ack 107 win 5734 (DF)
> 0000: 4500 002e 9fc3 4000 7f06 ee00 41c0 7541 E....Ã@...î.AÀuA
> 0010: 41c0 7544 5123 0019 663a 5547 abb8 239d AÀuDQ#..f:UG«¸#.
> 0020: 5018 1666 a793 0000 5155 4954 0d0a P..f§...QUIT..
>
> 01:24:49.781990 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 7 win 17514 (DF)
> 0000: 4500 0028 5ad7 4000 4006 71f3 41c0 7544 E..(Z×@.@.qóAÀuD
> 0010: 41c0 7541 0019 5123 abb8 239d 663a 554d AÀuA..Q#«¸#.f:UM
> 0020: 5010 446a 214b 0000 P.Dj!K..
>
> 01:24:49.782264 antispam.remingtonltd.com.smtp > cpfw.20771: P 107:116(9) ack 7 win 17520 (DF)
> 0000: 4500 0031 799a 4000 4006 5327 41c0 7544 E..1y.@.@.S'AÀuD
> 0010: 41c0 7541 0019 5123 abb8 239d 663a 554d AÀuA..Q#«¸#.f:UM
> 0020: 5018 4470 0c5b 0000 3232 3120 4279 650d P.Dp.[..221 Bye.
> 0030: 0a .
>
> 01:24:49.782313 antispam.remingtonltd.com.smtp > cpfw.20771: F 116:116(0) ack 7 win 17520 (DF)
> 0000: 4500 0028 2ffa 4000 4006 9cd0 41c0 7544 E..(/ú@.@..ÐAÀuD
> 0010: 41c0 7541 0019 5123 abb8 23a6 663a 554d AÀuA..Q#«¸#¦f:UM
> 0020: 5011 4470 213b 0000 P.Dp!;..
>
> 01:24:49.783043 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 117 win 5725 (DF)
> 0000: 4500 0028 9fc4 4000 7f06 ee05 41c0 7541 E..(.Ä@...î.AÀuA
> 0010: 41c0 7544 5123 0019 663a 554d abb8 23a7 AÀuDQ#..f:UM«¸#§
> 0020: 5010 165d 4f4e 0000 0000 0000 0000 P..]ON........
>
> 01:24:49.878137 cpfw.20771 > antispam.remingtonltd.com.smtp: F 7:7(0) ack 117 win 5725 (DF)
> 0000: 4500 0028 9ffb 4000 7f06 edce 41c0 7541 E..(.û@...íÎAÀuA
> 0010: 41c0 7544 5123 0019 663a 554d abb8 23a7 AÀuDQ#..f:UM«¸#§
> 0020: 5011 165d 4f4d 0000 0000 0000 0000 P..]OM........
>
> 01:24:49.878197 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 8 win 17520 (DF)
> 0000: 4500 0028 66c1 4000 4006 6609 41c0 7544 E..(fÁ@.@.f.AÀuD
> 0010: 41c0 7541 0019 5123 abb8 23a7 663a 554e AÀuA..Q#«¸#§f:UN
> 0020: 5010 4470 213a 0000 P.Dp!:..
>
> 01:24:49.878794 cpfw.20771 > antispam.remingtonltd.com.smtp: R 1715098958:1715098958(0) win 0
> 0000: 4500 0028 9ffd 0000 7f06 2dcd 41c0 7541 E..(.ý....-ÍAÀuA
> 0010: 41c0 7544 5123 0019 663a 554e 663a 554e AÀuDQ#..f:UNf:UN
> 0020: 5004 0000 798d 0000 0000 0000 0000 P...y.........
>
>
> Please explain. Thanks.
>
>
>
> neil camara (ronneilc () remingtonltd com) - cc{na|sa}, mcse - pgp 0x777777B2
> network/security engineer - dl := +1(847)2.21.0.224 cn := +1(847)9.80.17.53
> echo "I love windows" | sed -e 's/wi/u/g' | cut -f1 -dd | \
> awk '/u/ {printf("%s %s %six\n",$1,$2,$3)}'
> --------------------------------------------------------------------------
> ---o0 Statement of Confidentiality 0o---
> The contents of this message and its attachments and subsequent additions are
> strictly confidential and proprietary and intended solely for the addressee(s)
> hereof. If you are not the named addressee, or this message has been addressed
> to you in error, you are directed not to read, disclose, reproduce, distribute,
> disseminate or otherwise use this transmission. Delivery of this message to
> any other person other than the intended recipient(s) is not intended in any
> way to waive privilege or confidentiality. If you have received this
> transmission in error, please alert the sender by reply e-mail; we also request
> that you immediately delete this message and its attachments, if any.
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://www.geocrawler.com/redir-sf.php3?list=snort-users
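A way to check John's reading against the trace itself, as an added example that is not code from the thread, from either poster or from Snort: the script below parses tcpdump -x records like the ones quoted above, decodes the IPv4/TCP headers to recover each segment's payload, and tags an SMTP session as a banner grab when the client read the 220 greeting and sent QUIT (or nothing) without ever issuing HELO/EHLO. That is the relay-probe pattern described in the reply, and it is distinguishable from the pure SYN scan the original post suspected, which would carry no payload in either direction. The three excerpted packets (cpfw.20771 and antispam.remingtonltd.com) are taken from the post, snaplen-truncated as they were there; the host.10000 / mx.smtp session is constructed to show the normal-dialogue case, and all other names are the example's own.

```python
import re
from dataclasses import dataclass, field

SMTP_PORT = 25
SYN, ACK = 0x02, 0x10
HEX_TOKEN = re.compile(r"^[0-9a-f]{2}$|^[0-9a-f]{4}$")   # a tcpdump -x column: one or two bytes
SUMMARY = re.compile(r"^(\S+) (\S+) > (\S+): ")           # "time src > dst: flags ..."

# Excerpt of the trace quoted in the post (hex rows are snaplen-truncated, as there), plus one
# constructed session from a client called host.10000 that sends a real HELO for contrast.
SAMPLE_TRACE = """\
01:24:49.777645 cpfw.20771 > antispam.remingtonltd.com.smtp: S 1715098950:1715098950(0) win 5840 <mss 1460,nop,nop,sackOK> (DF)
0000: 4500 0030 9fc1 4000 7f06 ee00 41c0 7541 E..0.Á@...î.AÀuA
0010: 41c0 7544 5123 0019 663a 5546 0000 0000 AÀuDQ#..f:UF....
0020: 7002 16d0 f18c 0000 0204 05b4 0101 0402 p..Ðñ......´....

01:24:49.781016 antispam.remingtonltd.com.smtp > cpfw.20771: P 1:107(106) ack 1 win 17520 (DF)
0000: 4500 0092 21f2 4000 4006 aa6e 41c0 7544 E...!ò@.@.ªnAÀuD
0010: 41c0 7541 0019 5123 abb8 2333 663a 5547 AÀuA..Q#«¸#3f:UG
0020: 5018 4470 960f 0000 3232 3020 616e 7469 P.Dp....220 anti
0030: 7370 616d 2e72 656d 696e 6774 6f6e 6c74 spam.remingtonlt
0040: 642e 636f 6d20 4553 4d54 5020 5365 7276 d.com ESMTP Serv
0050: 6572 er

01:24:49.781930 cpfw.20771 > antispam.remingtonltd.com.smtp: P 1:7(6) ack 107 win 5734 (DF)
0000: 4500 002e 9fc3 4000 7f06 ee00 41c0 7541 E....Ã@...î.AÀuA
0010: 41c0 7544 5123 0019 663a 5547 abb8 239d AÀuDQ#..f:UG«¸#.
0020: 5018 1666 a793 0000 5155 4954 0d0a P..f§...QUIT..

01:25:00.000000 host.10000 > mx.smtp: P 1:9(8) ack 1 win 4096 (DF)
0000: 4500 0030 0001 4000 4006 0000 0a00 0001 E..0..@.@.......
0010: 0a00 0002 2710 0019 0000 0001 0000 0001 ....'...........
0020: 5018 1000 0000 0000 4845 4c4f 2078 0d0a P.......HELO x..
"""

@dataclass
class Session:
    client: str
    server: str
    syn_seen: bool = False
    client_cmds: list = field(default_factory=list)    # first word of every client segment
    server_lines: list = field(default_factory=list)   # every decoded server segment

def parse_hex_dump(lines):
    """Rebuild a packet's bytes from 'NNNN: xxxx xxxx ... ascii' rows."""
    raw = bytearray()
    for line in lines:
        _, _, row = line.partition(":")                 # drop the offset column
        for n, tok in enumerate(row.split()):
            if n == 8 or not HEX_TOKEN.match(tok):      # 16 bytes per row, then the ASCII gutter
                break
            raw += bytes.fromhex(tok)
    return bytes(raw)

def decode_tcp(raw):
    """Return (src_port, dst_port, tcp_flags, payload) from raw IPv4/TCP bytes."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len = int.from_bytes(raw[2:4], "big")
    tcp = raw[ihl:total_len]                            # IP length also drops mis-parsed gutter bytes
    sport, dport = int.from_bytes(tcp[0:2], "big"), int.from_bytes(tcp[2:4], "big")
    doff = (tcp[12] >> 4) * 4
    return sport, dport, tcp[13], tcp[doff:]            # payload is short if snaplen cut the capture

def classify(s):
    """Name the pattern a session shows; 'banner-grab' is the relay-probe signature."""
    if {"HELO", "EHLO"} & set(s.client_cmds):
        return "smtp-dialogue"                          # the client introduced itself
    got_banner = any(line.startswith("220") for line in s.server_lines)
    if got_banner and set(s.client_cmds) <= {"QUIT"}:
        return "banner-grab"                            # read the greeting, QUIT (or nothing), no HELO
    if s.syn_seen and not s.client_cmds and not s.server_lines:
        return "syn-only"                               # what a bare SYN scan would look like
    return "unclassified"

def analyse_trace(text):
    """Group records by client endpoint and return {client: verdict}."""
    sessions = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = record.splitlines()
        m = SUMMARY.match(lines[0])
        if not m:
            continue
        _, src, dst = m.groups()
        sport, dport, flags, payload = decode_tcp(parse_hex_dump(lines[1:]))
        words = payload.split()
        if dport == SMTP_PORT:                          # client -> server
            s = sessions.setdefault(src, Session(src, dst))
            if flags & SYN and not flags & ACK:
                s.syn_seen = True
            if words:
                s.client_cmds.append(words[0].upper().decode("ascii", "replace"))
        elif sport == SMTP_PORT:                        # server -> client
            s = sessions.setdefault(dst, Session(dst, src))
            if words:
                s.server_lines.append(payload.decode("ascii", "replace").rstrip())
    return {client: classify(s) for client, s in sessions.items()}

if __name__ == "__main__":
    for client, verdict in analyse_trace(SAMPLE_TRACE).items():
        print(f"{client:20} {verdict}")
```

Run as-is, the cpfw.20771 session comes out as banner-grab and host.10000 as smtp-dialogue. The verdict depends on the absence of HELO/EHLO across the whole flow rather than on the content of any one packet, which is why a flow-level script (or a stream-aware preprocessor) fits this check better than a single packet-matching rule. Note also what the trace does and does not establish: connecting, reading the 220 banner and sending QUIT confirms that an SMTP server answers and what it announces itself as; an actual relay test would have to continue past HELO with MAIL FROM and RCPT TO, which never appears here.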
Current thread:
- is this an attack? Ronneil Camara (Jan 27)
- RE: is this an attack? John Berkers (Jan 28)
- <Possible follow-ups>
- RE: is this an attack? Ronneil Camara (Jan 28)
- RE: is this an attack? Blake Frantz (Jan 28)