Subject: Re: web related oddity
From: Matthew S. Hallacy (poptix HYDROGEN.POPTIX.NET)
Date: Wed Mar 08 2000 - 05:11:10 CST
- Next message: Omachonu Ogali: "Re: Mail Server attack"
- Previous message: Pavel Kankovsky: "Re: lots of interest in port 109 (POP2)"
- In reply to: Donald McLachlan: "Re: web related oddity"
- Next in thread: Bill Pennington: "Re: web related oddity"
- Next in thread: Ryan Russell: "Re: web related oddity"
- Reply: Matthew S. Hallacy: "Re: web related oddity"
- Reply: Bill Pennington: "Re: web related oddity"
Hello,
This morning while browsing through syslog I noticed this:
Logs are CST
Mar 8 03:06:04 venus PAM_pwdb[26675]: check pass; user unknown
Mar 8 03:06:04 venus PAM_pwdb[26676]: check pass; user unknown
Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed
Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed
Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed
ipchains logs from one of the other machines:
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=48 S=0x00 I=54697 F=0x4000 T=115 SYN (#14)
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=40 S=0x00 I=57001 F=0x4000 T=115 (#14)
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=74 S=0x00 I=8618 F=0x4000 T=115 (#14)
Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=58 S=0x00 I=11178 F=0x4000 T=115 (#14)
Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999
I received the same exact scan on 2 other machines. Firewall logs show
that only port 21 was attempted, there was no other traffic from this host,
and this was the only /24 (that we own) that was scanned.
Just curious if anyone else had been scanned for something similar, I can
reproduce this by having a failed login, then sending
IDLE [ton of spaces] <cr>
A curiosity about this is that how many spaces you send
can determine how many times it sends:
530 Please login with USER and PASS.
inetnum: 212.188.128.0 - 212.188.159.255
netname: SCREAMING-NET
descr: Screaming Free ISP
descr: Froglike ISP, used for Netlink dial customers
descr: London
descr: abuse / hacking reports to abuse localtel.co.uk
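
Added example, not part of the original post: a log check for the pattern described above, an ftpd "IDLE" session-closed entry carrying a long run of padding, correlated by PID with the PAM "user unknown" line. The sample lines are constructed from the excerpt in the post; the 64-character threshold and the function names are assumptions.

```python
import re
from collections import defaultdict

THRESHOLD = 64  # assumed cut-off for "abnormally long" padding after IDLE

PAM_RE = re.compile(r"PAM_pwdb\[(\d+)\]: check pass; user unknown")
FTPD_RE = re.compile(
    r"ftpd: (?P<host>\S+): connected: IDLE(?P<pad>.*?)"
    r"\[(?P<pid>\d+)\]: FTP session closed"
)

# Constructed sample lines modelled on the excerpt in the post.
HOST = "212.188.142.27"
SAMPLE = [
    "Mar 8 03:06:04 venus PAM_pwdb[26675]: check pass; user unknown",
    "Mar 8 03:06:04 venus PAM_pwdb[26676]: check pass; user unknown",
    f"Mar 8 03:06:20 venus ftpd: {HOST}: connected: IDLE [531 spaces] [26675]: FTP session closed",
    f"Mar 8 03:06:20 venus ftpd: {HOST}: connected: IDLE [531 spaces] [26675]: FTP session closed",
    f"Mar 8 03:06:20 venus ftpd: {HOST}: connected: IDLE{' ' * 531}[26676]: FTP session closed",
    "Mar 8 03:07:00 venus ftpd: 192.0.2.10: connected: IDLE [4242]: FTP session closed",
]


def pad_len(pad):
    """Padding length: the archive's "[N spaces]" marker, or literal spaces."""
    m = re.search(r"\[(\d+) spaces\]", pad)
    return int(m.group(1)) if m else pad.count(" ")


def find_padded_idle(lines, threshold=THRESHOLD):
    """Return one record per (host, pid) whose IDLE entry is heavily padded."""
    failed_pids = set()
    hits = defaultdict(lambda: {"count": 0, "max_pad": 0})
    for line in lines:
        m = PAM_RE.search(line)
        if m:
            failed_pids.add(m.group(1))  # in the post, PAM and ftpd PIDs match
            continue
        m = FTPD_RE.search(line)
        if m and (n := pad_len(m.group("pad"))) >= threshold:
            rec = hits[(m.group("host"), m.group("pid"))]
            rec["count"] += 1
            rec["max_pad"] = max(rec["max_pad"], n)
    return [
        {"host": h, "pid": p, "failed_login": p in failed_pids, **rec}
        for (h, p), rec in sorted(hits.items())
    ]


if __name__ == "__main__":
    for finding in find_padded_idle(SAMPLE):
        print(finding)
```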