Port 113 requests?

From: Michael Ward (Mward@roseglen.com)
Date: 12/06/01


Date: Thu, 6 Dec 2001 13:51:57 -0500
From: "Michael Ward" <Mward@roseglen.com>
To: <incidents@securityfocus.com>

I have been receiving the following entries at my firewall for since
noon US Eastern Time (-5:00) on 12/4/01.

They have been coming every 15 minutes since then. I notified the owner
of the IP's and he hasn't responded yet.

Does anyone recognize this and could possibly fill me in on some
theories...

(Note: I have edited out source and dest. IP info) I just want to know
if anyone recognizes the pattern...

12/04/2001 11:59:30.336 - TCP connection dropped -
Source:mail.domain-i-edited.com, 40454, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/04/2001 12:00:52.832 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 3102, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/04/2001 12:01:54.032 - TCP connection dropped -
Source:mail.domain-i-edited.com, 41027, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/04/2001 12:12:16.256 - TCP connection dropped -
Source:mail.domain-i-edited.com, 43335, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/04/2001 12:22:54.128 - TCP connection dropped -
Source:mail.domain-i-edited.com, 45612, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/04/2001 12:22:54.736 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 3323, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

and then it seemed to break up into 15 minute increments.... we'll
continue a few hours later to save space..

12/04/2001 20:32:41.880 - TCP connection dropped -
Source:mail.domain-i-edited.com, 41648, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/04/2001 20:47:53.128 - TCP connection dropped -
Source:mail.domain-i-edited.com, 46169, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

so on and so forth... every fifteen minutes...

12/05/2001 07:24:42.752 - TCP connection dropped -
Source:mail.domain-i-edited.com, 39828, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 07:24:43.080 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 3865, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 07:40:09.544 - TCP connection dropped -
Source:mail.domain-i-edited.com, 42777, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 07:55:31.320 - TCP connection dropped -
Source:mail.domain-i-edited.com, 45697, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 08:10:52.560 - TCP connection dropped -
Source:mail.domain-i-edited.com, 48479, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 08:10:52.848 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 4570, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 08:25:53.160 - TCP connection dropped -
Source:mail.domain-i-edited.com, 51350, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 08:41:15.896 - TCP connection dropped -
Source:mail.domain-i-edited.com, 54279, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 08:41:16.288 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 4925, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 08:56:21.000 - TCP connection dropped -
Source:mail.domain-i-edited.com, 57035, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 08:56:21.272 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 1138, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 09:11:26.288 - TCP connection dropped -
Source:mail.domain-i-edited.com, 59912, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 09:11:26.576 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 1351, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 09:26:27.944 - TCP connection dropped -
Source:mail.domain-i-edited.com, 34476, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 09:26:28.256 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 1527, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 09:41:30.400 - TCP connection dropped -
Source:mail.domain-i-edited.com, 37415, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

12/05/2001 09:41:30.768 - TCP connection dropped -
Source:nat24.domain-i-edited.com, 1775, WAN -
Destination:my.mail.server, 113, LAN - 'Authentication' - Rule 32

continuing as I send this....

Thanks,

Michael Ward
             

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com