Subject: Scan from 194.108.117.250
From: Koscheev Andrey (kosceev ATLAS.CZ)
Date: Sat Apr 01 2000 - 00:11:08 CST
- Next message: karthik krishnamurthy: "Re: rooted by r0x - from address 212.177.241.127"
- Previous message: anthony rubino: "admrocks foot prints"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
On a freshly configured server without any IP logging services I have seen
this:
08:46:52 www sshd[11512]: log: Connection from 194.108.117.250 port 2213
08:46:52 www sshd[11512]: fatal: Did not receive ident string.
08:47:35 www identd[11514]: Connection from taj15.cesnet.cz
08:47:35 www identd[11514]: from: 194.108.117.250 (taj15.cesnet.cz) EMPTY REQUEST
08:47:36 www stunnel[11515]: smtp connected from 194.108.117.250:2358
08:47:36 www identd[11517]: Connection from localhost
08:47:36 www identd[11517]: from: 127.0.0.1 ( localhost ) for: 1538, 25
08:47:36 www sendmail[11516]: NOQUEUE: Null connection from root localhost [127.0.0.1]
08:47:37 www in.telnetd[11519]: connect from 194.108.117.250
08:47:37 www telnetd[11519]: ttloop: peer died: Success
08:47:40 www wu.ftpd[11520]: connect from 194.108.117.250
08:47:41 www ftpd[11520]: FTP session closed
08:47:45 www sendmail[11521]: NOQUEUE: Null connection from taj15.cesnet.cz [194.108.117.250]
08:47:48 www in.pop3d[11522]: connect from 194.108.117.250
08:47:49 www imapd[11523]: connect from 194.108.117.250
08:47:50 www imapd[11523]: command stream end of file, while reading line user=??? host=taj15.cesnet.cz [194.108.117.250]
08:47:51 www sshd[11524]: log: Connection from 194.108.117.250 port 3424
08:47:51 www sshd[11524]: fatal: Did not receive ident string.
08:47:53 www stunnel[11525]: pop3 connected from 194.108.117.250:3598
08:47:53 www identd[11527]: Connection from localhost
08:47:53 www identd[11527]: from: 127.0.0.1 ( localhost ) for: 1546, 110
08:47:53 www in.pop3d[11526]: connect from root 127.0.0.1
08:48:57 www sshd[11529]: log: Connection from 194.108.117.250 port 1422
08:48:57 www sshd[11529]: fatal: Did not receive ident string.
Here the block ends and never repeats again, which makes me think this was a
kind of port scanner probing for known vulnerabilities.
The scan is only a minute long, so there is little probability of "hand
work".
But the following part:
08:47:53 www identd[11527]: Connection from localhost
08:47:53 www identd[11527]: from: 127.0.0.1 ( localhost ) for: 1546, 110
really disappoints me.
Does anyone know this kind of attack/scan?
Did the server really respond to the scan and connect to the attacker?
The address is probably a dynamic IP on dial-up or so. It belongs to a well
known ISP. The server was not fully configured yet and doesn't provide any
services that would interest a particular person. That's why I'm convinced
that this was a site/IP range scan.
Thanks in advance
Andrey
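The excerpt above is the kind of burst a defender would want to pick out of syslog automatically, and it also carries the answer to the "connection from localhost" question in its own ordering: each loopback entry follows, within the same second, a stunnel accept from the external address, which is what stunnel's hand-off of the decrypted SMTP/POP3 session to the local daemon over 127.0.0.1 looks like (the local daemon, and the ident lookup it triggers, then log the peer as localhost). The script below is an added example, not part of the original post or of any of the tools named in it. It parses the poster's excerpt (embedded as constructed sample input, with the wrapped lines rejoined), flags any external source that touches several distinct services inside a short window, and pairs each loopback entry with the stunnel accept that preceded it. The 60-second window, the threshold of four services and the two-second pairing gap are assumptions chosen for this example, not values from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: the syslog excerpt quoted in the post, one entry per
# line (archive line-wrapping undone). Timestamps carry no date, so all entries
# are assumed to fall within the same day.
SAMPLE_LOG = """\
08:46:52 www sshd[11512]: log: Connection from 194.108.117.250 port 2213
08:46:52 www sshd[11512]: fatal: Did not receive ident string.
08:47:35 www identd[11514]: Connection from taj15.cesnet.cz
08:47:35 www identd[11514]: from: 194.108.117.250 (taj15.cesnet.cz) EMPTY REQUEST
08:47:36 www stunnel[11515]: smtp connected from 194.108.117.250:2358
08:47:36 www identd[11517]: Connection from localhost
08:47:36 www identd[11517]: from: 127.0.0.1 ( localhost ) for: 1538, 25
08:47:36 www sendmail[11516]: NOQUEUE: Null connection from root localhost [127.0.0.1]
08:47:37 www in.telnetd[11519]: connect from 194.108.117.250
08:47:37 www telnetd[11519]: ttloop: peer died: Success
08:47:40 www wu.ftpd[11520]: connect from 194.108.117.250
08:47:41 www ftpd[11520]: FTP session closed
08:47:45 www sendmail[11521]: NOQUEUE: Null connection from taj15.cesnet.cz [194.108.117.250]
08:47:48 www in.pop3d[11522]: connect from 194.108.117.250
08:47:49 www imapd[11523]: connect from 194.108.117.250
08:47:50 www imapd[11523]: command stream end of file, while reading line user=??? host=taj15.cesnet.cz [194.108.117.250]
08:47:51 www sshd[11524]: log: Connection from 194.108.117.250 port 3424
08:47:51 www sshd[11524]: fatal: Did not receive ident string.
08:47:53 www stunnel[11525]: pop3 connected from 194.108.117.250:3598
08:47:53 www identd[11527]: Connection from localhost
08:47:53 www identd[11527]: from: 127.0.0.1 ( localhost ) for: 1546, 110
08:47:53 www in.pop3d[11526]: connect from root 127.0.0.1
08:48:57 www sshd[11529]: log: Connection from 194.108.117.250 port 1422
08:48:57 www sshd[11529]: fatal: Did not receive ident string.
"""

# "HH:MM:SS host daemon[pid]: message"
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) ([\w.]+)\[(\d+)\]: (.*)$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
LOOPBACK = {"127.0.0.1"}


def service_name(daemon):
    """Map inetd-style daemon names (in.telnetd, wu.ftpd) to one service label."""
    for prefix in ("in.", "wu."):
        if daemon.startswith(prefix):
            return daemon[len(prefix):]
    return daemon


def parse_log(text):
    """Return one event dict per line that names an IPv4 address; lines without
    an address (status/diagnostic follow-ups) carry no source and are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _host, daemon, _pid, msg = m.groups()
        ip = IPV4_RE.search(msg)
        if ip is None:
            continue
        events.append({"ts": datetime.strptime(ts, "%H:%M:%S"),
                       "daemon": daemon, "src": ip.group(1), "msg": msg})
    return events


def find_scans(events, window=timedelta(seconds=60), min_services=4):
    """Return {src_ip: sorted services} for every non-loopback source that hit at
    least `min_services` distinct services inside one sliding `window`
    (the densest window per source is reported)."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["src"] not in LOOPBACK:
            by_src[ev["src"]].append(ev)
    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best = set()
        for i, first in enumerate(evs):
            seen = set()
            for ev in evs[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                seen.add(service_name(ev["daemon"]))
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_services:
            hits[src] = sorted(best)
    return hits


def explain_loopback(events, max_gap=timedelta(seconds=2)):
    """Pair each 127.0.0.1 entry with the most recent stunnel accept from an
    external address within `max_gap`. Returns (daemon, stunnel service, external
    source) tuples; service/source are None when no such accept precedes it."""
    out, last_stunnel = [], None
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["daemon"] == "stunnel" and ev["src"] not in LOOPBACK:
            last_stunnel = ev                     # "smtp connected from ..." etc.
        elif ev["src"] in LOOPBACK:
            if last_stunnel and ev["ts"] - last_stunnel["ts"] <= max_gap:
                out.append((ev["daemon"], last_stunnel["msg"].split()[0], last_stunnel["src"]))
            else:
                out.append((ev["daemon"], None, None))
    return out


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for src, services in find_scans(evs).items():
        print(f"probable service sweep from {src}: {', '.join(services)}")
    for daemon, svc, src in explain_loopback(evs):
        print(f"loopback entry from {daemon}: " + (f"stunnel {svc} hand-off for {src}" if svc else "unexplained"))
```

Run against the excerpt, the sweep detector reports a single external source covering eight services, and all four loopback entries pair with a stunnel accept from that same source. A loopback entry that does not pair with any stunnel accept is the case worth chasing, since it would mean some local process opened the connection on its own.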