Port 113 requests?

From: Michael Ward (Mward@roseglen.com)
Date: 12/06/01


Date: Thu, 6 Dec 2001 13:51:57 -0500
From: "Michael Ward" <Mward@roseglen.com>
To: <incidents@securityfocus.com>

I have been receiving the following entries at my firewall since
noon US Eastern Time (-5:00) on 12/4/01.

They have been coming every 15 minutes since then. I notified the owner
of the IPs and he hasn't responded yet.

Does anyone recognize this and could possibly fill me in on some
theories...

(Note: I have edited out source and dest. IP info) I just want to know
if anyone recognizes the pattern...

12/04/2001 11:59:30.336 - TCP connection dropped -
Source:mail.domain-i-edited.com, 40454, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/04/2001 12:00:52.832 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 3102, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/04/2001 12:01:54.032 - TCP connection dropped -
Source:mail.domain-i-edited.com, 41027, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/04/2001 12:12:16.256 - TCP connection dropped -
Source:mail.domain-i-edited.com, 43335, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/04/2001 12:22:54.128 - TCP connection dropped -
Source:mail.domain-i-edited.com, 45612, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/04/2001 12:22:54.736 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 3323, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

and then it seemed to break up into 15 minute increments.... we'll
continue a few hours later to save space..

12/04/2001 20:32:41.880 - TCP connection dropped -
Source:mail.domain-i-edited.com, 41648, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/04/2001 20:47:53.128 - TCP connection dropped -
Source:mail.domain-i-edited.com, 46169, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

so on and so forth... every fifteen minutes...

12/05/2001 07:24:42.752 - TCP connection dropped -
Source:mail.domain-i-edited.com, 39828, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 07:24:43.080 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 3865, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 07:40:09.544 - TCP connection dropped -
Source:mail.domain-i-edited.com, 42777, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 07:55:31.320 - TCP connection dropped -
Source:mail.domain-i-edited.com, 45697, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 08:10:52.560 - TCP connection dropped -
Source:mail.domain-i-edited.com, 48479, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 08:10:52.848 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 4570, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 08:25:53.160 - TCP connection dropped -
Source:mail.domain-i-edited.com, 51350, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 08:41:15.896 - TCP connection dropped -
Source:mail.domain-i-edited.com, 54279, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 08:41:16.288 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 4925, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 08:56:21.000 - TCP connection dropped -
Source:mail.domain-i-edited.com, 57035, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 08:56:21.272 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 1138, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 09:11:26.288 - TCP connection dropped -
Source:mail.domain-i-edited.com, 59912, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 09:11:26.576 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 1351, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 09:26:27.944 - TCP connection dropped -
Source:mail.domain-i-edited.com, 34476, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 09:26:28.256 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 1527, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 09:41:30.400 - TCP connection dropped -
Source:mail.domain-i-edited.com, 37415, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 09:41:30.768 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 1775, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

continuing as I send this....

Thanks,

Michael Ward
             

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
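
One way to check the pattern reported above (drops to port 113 roughly every fifteen minutes, with the second host following the first within a second) is to parse the firewall's three-line entries and measure the gaps per source. This is an added example, not part of the original post; the function names are hypothetical and the sample is rebuilt from six entries in the post's log.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: six entries (times and source ports as in the post's log),
# rebuilt in the firewall's three-line layout with the poster's edited hostnames.
ROWS = [("08:41:15.896", "mail", 54279), ("08:41:16.288", "nat24", 4925),
        ("08:56:21.000", "mail", 57035), ("08:56:21.272", "nat24", 1138),
        ("09:11:26.288", "mail", 59912), ("09:11:26.576", "nat24", 1351)]
SAMPLE = "\n\n".join(
    f"12/05/2001 {t} - TCP connection dropped -\n"
    f"Source:{h}.domain-i-edited.com, {p}, WAN -\n"
    "Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32"
    for t, h, p in ROWS)

ENTRY = re.compile(
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) - TCP connection dropped -\s+"
    r"Source:([^,\s]+), (\d+), \w+ -\s+Destination:([^,\s]+), (\d+),")

def parse(text):
    """Return sorted (time, source, src_port, dest, dest_port) tuples."""
    return sorted(
        (datetime.strptime(m[1], "%m/%d/%Y %H:%M:%S.%f"), m[2], int(m[3]), m[4], int(m[5]))
        for m in ENTRY.finditer(text))

def gaps_by_source(entries, dest_port=113):
    """Seconds between consecutive drops to dest_port, per source host."""
    seen = defaultdict(list)
    for ts, src, _, _, dport in entries:
        if dport == dest_port:
            seen[src].append(ts)
    return {s: [(b - a).total_seconds() for a, b in zip(t, t[1:])] for s, t in seen.items()}

def is_periodic(gaps, tolerance=0.05):
    """True if there are 2+ gaps and each is within tolerance of the median."""
    mid = median(gaps) if gaps else 0
    return len(gaps) >= 2 and all(abs(g - mid) <= tolerance * mid for g in gaps)

def followers(entries, window=1.0):
    """Count (first, second) source pairs whose drops land within window seconds."""
    pairs = Counter()
    for (t1, s1, *_), (t2, s2, *_) in zip(entries, entries[1:]):
        if s1 != s2 and (t2 - t1).total_seconds() <= window:
            pairs[(s1, s2)] += 1
    return pairs

if __name__ == "__main__":
    log = parse(SAMPLE)
    for src, gaps in gaps_by_source(log).items():
        print(src, [round(g) for g in gaps], "periodic" if is_periodic(gaps) else "irregular")
    print(dict(followers(log)))
```
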


