 
Subject: Re: web related oddity
From: Bill Pennington (billp@rocketcash.com)
Date: Wed Mar 08 2000 - 12:13:12 CST


Someone scanned a few boxes in my address space for FTP servers yesterday as
well.

Snort log:

Mar 7 16:01:19 homeIP:4874 -> 1.2.3.232:21 SYN **S*****
Mar 7 16:01:25 homeIP:4870 -> 1.2.3.228:21 SYN **S*****
Mar 7 16:01:25 homeIP:4871 -> 1.2.3.229:21 SYN **S*****
Mar 7 16:01:25 homeIP:4874 -> 1.2.3.232:21 SYN **S*****
Mar 7 16:01:25 homeIP:4868 -> 1.2.3.226:21 SYN **S*****
Mar 7 16:01:25 homeIP:4872 -> 1.2.3.230:21 SYN **S*****
Mar 7 16:01:25 homeIP:4869 -> 1.2.3.227:21 SYN **S*****

Since I don't run any FTP services I assume he/she moved on. I have no
further activity from this IP address.

"Matthew S. Hallacy" wrote:
>
> Hello,
>
> This morning while browsing through syslog I noticed this:
>
> Logs are CST
>
> Mar 8 03:06:04 venus PAM_pwdb[26675]: check pass; user unknown
> Mar 8 03:06:04 venus PAM_pwdb[26676]: check pass; user unknown
> Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
> Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed
> Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
> Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26675]: FTP session closed
> Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed
> Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE [531 spaces] [26676]: FTP session closed
>
> ipchains logs from one of the other machines:
> Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=48 S=0x00 I=54697 F=0x4000 T=115 SYN (#14)
> Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=40 S=0x00 I=57001 F=0x4000 T=115 (#14)
> Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=74 S=0x00 I=8618 F=0x4000 T=115 (#14)
> Packet log: input ACCEPT eth0 PROTO=6 212.188.142.27:3980 209.32.247.241:21 L=58 S=0x00 I=11178 F=0x4000 T=115 (#14)
>
> Version wu-2.6.0(1) Thu Oct 21 12:27:00 EDT 1999
>
> I received the same exact scan on 2 other machines, firewall logs show
> that only port 21 was attempted, there was no other traffic from this host
> and this was the only /24 that was scanned. (that we own)
>
> Just curious if anyone else had been scanned for something similar, I can
> reproduce this by having a failed login, then sending
> IDLE [ton of spaces] <cr>
>
> A curiosity about this is that how many spaces you send can
> determine how many times it sends:
> 530 Please login with USER and PASS.
>
> inetnum: 212.188.128.0 - 212.188.159.255
> netname: SCREAMING-NET
> descr: Screaming Free ISP
> descr: Froglike ISP, used for Netlink dial customers
> descr: London
> descr: abuse / hacking reports to abuse@localtel.co.uk

--

Bill Pennington Senior IT Manager Rocketcash billp@rocketcash.com http://www.rocketcash.com
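The two log sources quoted in this thread lend themselves to simple detection logic. The Python below is added here as an example and is not part of either message. It flags (a) wu-ftpd sessions whose IDLE field carries an abnormally long run of spaces, correlating them by PID with the PAM "check pass; user unknown" failed-login entries that precede them, and (b) a horizontal sweep of port 21 across many hosts from the Snort portscan log. The sample lines are constructed from the ones posted (the archive collapsed the padding to "[531 spaces]"; real spaces are used here); the 64-space threshold, the 4-host sweep threshold and the "homeIP" placeholder are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample syslog lines, modelled on those quoted in the thread.
PAD = " " * 531
SYSLOG_SAMPLE = [
    "Mar 8 03:06:04 venus PAM_pwdb[26675]: check pass; user unknown",
    "Mar 8 03:06:04 venus PAM_pwdb[26676]: check pass; user unknown",
    f"Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE{PAD}[26675]: FTP session closed",
    f"Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE{PAD}[26676]: FTP session closed",
    # the original log repeated the same session close several times
    f"Mar 8 03:06:20 venus ftpd: 212.188.142.27: connected: IDLE{PAD}[26675]: FTP session closed",
    # constructed benign session for contrast: no padding, no failed login
    "Mar 8 04:10:00 venus ftpd: 10.0.0.5: connected: IDLE [30123]: FTP session closed",
]

# Constructed Snort portscan lines, copied from the reply above ("homeIP" is the
# poster's placeholder for the scanning address).
SNORT_SAMPLE = [
    "Mar 7 16:01:19 homeIP:4874 -> 1.2.3.232:21 SYN **S*****",
    "Mar 7 16:01:25 homeIP:4870 -> 1.2.3.228:21 SYN **S*****",
    "Mar 7 16:01:25 homeIP:4871 -> 1.2.3.229:21 SYN **S*****",
    "Mar 7 16:01:25 homeIP:4874 -> 1.2.3.232:21 SYN **S*****",
    "Mar 7 16:01:25 homeIP:4868 -> 1.2.3.226:21 SYN **S*****",
    "Mar 7 16:01:25 homeIP:4872 -> 1.2.3.230:21 SYN **S*****",
    "Mar 7 16:01:25 homeIP:4869 -> 1.2.3.227:21 SYN **S*****",
]

PAM_FAIL = re.compile(r"PAM_pwdb\[(\d+)\]: check pass; user unknown")
FTPD_IDLE = re.compile(
    r"ftpd: (\d{1,3}(?:\.\d{1,3}){3}): connected: IDLE( *)\[(\d+)\]:"
)
SNORT_SYN = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(\S+):(\d+) -> (\S+):(\d+) SYN\b")


def detect_idle_padding(lines, min_pad=64):
    """Return one finding per (source, PID) whose IDLE field is padded with at
    least min_pad spaces, noting whether that PID first logged a failed login.
    min_pad=64 is an assumed threshold; a normal idle title has a single space."""
    failed_pids = set()
    for line in lines:
        m = PAM_FAIL.search(line)
        if m:
            failed_pids.add(m.group(1))

    findings, seen = [], set()
    for line in lines:
        m = FTPD_IDLE.search(line)
        if not m:
            continue
        src, pad, pid = m.group(1), m.group(2), m.group(3)
        if len(pad) < min_pad or (src, pid) in seen:
            continue  # benign idle title, or a repeated close for the same session
        seen.add((src, pid))
        findings.append({
            "src": src,
            "pid": pid,
            "pad_len": len(pad),
            "after_failed_login": pid in failed_pids,
        })
    return findings


def detect_port_sweep(lines, port=21, min_hosts=4):
    """Group SYN probes to `port` by source and report sources that touched at
    least min_hosts distinct destinations (a horizontal sweep). The repeated
    probe of 1.2.3.232 counts once."""
    targets = defaultdict(set)
    for line in lines:
        m = SNORT_SYN.search(line)
        if m and int(m.group(4)) == port:
            targets[m.group(1)].add(m.group(3))
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_hosts}


if __name__ == "__main__":
    for f in detect_idle_padding(SYSLOG_SAMPLE):
        print(f)
    for src, dsts in detect_port_sweep(SNORT_SAMPLE).items():
        print(f"{src} swept port 21 on {len(dsts)} hosts: {', '.join(dsts)}")
```

The PID correlation matters because the padded IDLE title on its own is only odd; paired with a "user unknown" failure from the same process a few seconds earlier it matches the probe sequence the poster reproduced by hand (failed login, then "IDLE" followed by a long run of spaces).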