Re: Odd connection attempts from many addresses

From: James Hoagland (hoagland@SiliconDefense.com)
Date: 01/25/02


Date: Fri, 25 Jan 2002 09:27:20 -0800
To: John Bland <shrike@cmp.liv.ac.uk>, incidents@securityfocus.com
From: James Hoagland <hoagland@SiliconDefense.com>

Hello John,

Have you looked into whether your host X is advertising a service on
the ports in question? A game server or some such.

Also, what is the timing between packets from a given host? How about
between different hosts' attempts? Does that vary, or is it fairly
consistent?

Does a source address repeat itself? If so, is there a pattern in
the source ports used? Are there any patterns in the source ports
used by the different sources?

Regards,

   Jim

At 6:37 PM +0000 1/19/02, John Bland wrote:
>Hi,
>
>I've been seeing, over the past week, a constant
>stream of odd connection attempts to two of my
>machines. The firewall logs show things like
>(where A,B,C,D are addresses in quite separate
>address spaces and X is the local machine):
>
>A:1200 X:41000
>A:1200 X:41000
>A:1200 X:41000
>B:1340 X:41001
>B:1340 X:41001
>B:1340 X:41001
>C:2100 X:41002
>C:2100 X:41002
>C:2100 X:41002
>D:1130 X:41003
>D:1130 X:41003
>D:1130 X:41003
>(all TCP)
>
>i.e. we're receiving connection attempts from quite
>varied addresses (all types of uk dialup and adsl,
>the odd ac.uk and even some .edu) always to the
>same machine from random high ports to a
>monotonically increasing destination port.
>However, the destination port seems a bit of an
>odd one to be trying to connect to.
>
>I 'investigated' some of the connecting machines
>and what I can tell from those that were on static
>IPs is that they are Windows machines (surprise!)
>running a whole gamut of services including
>netbios-ns, ldap and irc-serv as well as dns and
>http etc etc. And stateless firewalls.
>
>Basically, has anyone seen this sort of thing
>before? And if so what form of exploit is it
>attempting? It's all bouncing off the firewall atm
>and is pretty low traffic so I'm not overly
>concerned, just puzzled.
>
>Cheers,
> JB
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com

-- 
|*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
|*            --- Silicon Defense: IDS Solutions ---             *|
|*  hoagland@SiliconDefense.com, http://www.silicondefense.com/  *|
|*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
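One way to work through Jim's three questions against firewall lines of the shape John quotes, as an added example that is not part of either message: it assumes a leading ISO timestamp on each line (the quoted excerpt shows none) and runs over a constructed sample in which one source, A, comes back later with a new source port.

```python
# Added example, not from the thread. parse() reads constructed "ts src:port dst:port"
# lines in the shape John quotes (the ISO timestamp prefix is an assumption); the
# other functions answer Jim's timing and source-port questions and John's dst-port claim.
import re
from datetime import datetime

LINE = re.compile(r"^(\S+) (\S+):(\d+) (\S+):(\d+)$")

LOG = """\
2002-01-19T10:00:00 A:1200 X:41000
2002-01-19T10:00:03 A:1200 X:41000
2002-01-19T10:05:00 B:1340 X:41001
2002-01-19T10:05:03 B:1340 X:41001
2002-01-19T10:10:00 C:2100 X:41002
2002-01-19T10:15:00 A:1201 X:41003
"""

def parse(log):
    events = []  # (ts, src, sport, dst, dport) in file order; non-matching lines skipped
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, src, sport, dst, dport = m.groups()
            events.append((datetime.fromisoformat(ts), src, int(sport), dst, int(dport)))
    return events

def gaps_within_source(events):
    """Seconds between consecutive packets from the same source address."""
    gaps, last = {}, {}
    for ts, src, *rest in events:
        if src in last:
            gaps.setdefault(src, []).append((ts - last[src]).total_seconds())
        last[src] = ts
    return gaps

def gaps_between_bursts(events):
    """Seconds from the start of one source's burst to the start of the next one's."""
    starts = [ts for i, (ts, src, *rest) in enumerate(events) if i == 0 or events[i - 1][1] != src]
    return [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]

def source_ports_by_source(events):
    seen = {}  # src -> distinct source ports in first-seen order; >1 entry means the source repeated
    for ts, src, sport, *rest in events:
        if sport not in seen.setdefault(src, []):
            seen[src].append(sport)
    return seen

def dst_ports_monotonic(events):
    d = [e[4] for e in events]  # True if destination ports never decrease, as John reports
    return all(a <= b for a, b in zip(d, d[1:]))
```

On the sample, A shows a 3-second gap inside its burst and a 897-second gap before it returns on a new source port, bursts start 300 seconds apart, and the destination ports only ever climb.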
