To further add fuel to the fire... here's some more interesting stuff:
Mar 12 03:28:47 mail portsentry[7764]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: samantha.craghead.com/216.15.159.194 to TCP port: 109
Mar 12 03:28:47 mail portsentry[7764]: attackalert: Host 216.15.159.194 has been blocked via wrappers with string: "ALL: 216.15.159.194"
Mar 12 03:28:47 mail portsentry[7764]: attackalert: Host 216.15.159.194 has been blocked via dropped route using command: "/sbin/ipfwadm -I -i deny -S 216.15.159.194 -o"
Mar 12 03:28:48 mail portsentry[7764]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: samantha.craghead.com/216.15.159.194 to TCP port: 109
Mar 12 03:28:48 mail portsentry[7764]: attackalert: Host: samantha.craghead.com/216.15.159.194 is already blocked Ignoring
Mar 12 03:28:48 mail portsentry[7764]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: samantha.craghead.com/216.15.159.194 to TCP port: 109
Mar 12 03:28:48 mail portsentry[7764]: attackalert: Host: samantha.craghead.com/216.15.159.194 is already blocked Ignoring
Mar 12 03:28:48 mail portsentry[7764]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: samantha.craghead.com/216.15.159.194 to TCP port: 109
Mar 12 03:28:48 mail portsentry[7764]: attackalert: Host: samantha.craghead.com/216.15.159.194 is already blocked Ignoring
Mar 12 03:28:48 mail portsentry[7764]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: samantha.craghead.com/216.15.159.194 to TCP port: 109
Mar 12 03:28:48 mail portsentry[7764]: attackalert: Host: samantha.craghead.com/216.15.159.194 is already blocked Ignoring
and a few minutes later, from an internal box running RH 6.1:
Mar 12 03:52:30 mail kernel: Warning: possible SYN flood from 192.168.1.7 on 192.168.1.1:823. Sending cookies.
which was the last message until syslog was restarted 30 minutes later
via crontab/logrotate. (suspicious?)
hmm.. from /etc/services, port 109 is
pop-2 109/tcp postoffice # POP version 2
Donncha.
Sascha Lucky Luck wrote:
> Thus spoke Dave Airlie:
> > you sure about that? a web-server initiating a connection would not use
> > port 80, IMHO .. it would have done an accept and listen or other way
> > around on port 80 waiting for new connects, why would it start one from
> > it?
> It's a 'back' connection - it should have been originated from Donncha's
> box.
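The portsentry lines above are worth reading mechanically rather than by eye: a segment with SYN and FIN set together has no legitimate use in a TCP handshake and is the signature of a SYN/FIN scan (a classic firewall-evasion probe), and the "is already blocked Ignoring" lines show portsentry de-duplicating after the wrappers and ipfwadm actions took effect. The script below is an added example, not code from the post or from portsentry: it parses the "Unknown Type" alerts, the block actions and the kernel SYN-flood warning using the message formats visible in the quoted log, names the scan type from the flag combination, and summarises per source address. The sample log is constructed from the post's lines (joined back onto single lines) plus one invented Xmas probe from 198.51.100.7 (a TEST-NET address) to show a second flag combination; the hostname in each alert comes from a reverse DNS lookup the remote side controls, so the summary keys on the IP.

```python
"""Summarise portsentry "attackalert" and kernel SYN-flood syslog lines.
Added example; regexes follow the message formats shown in the post."""
import re
import socket
from collections import defaultdict

TCP_FLAGS = ("SYN", "FIN", "ACK", "PSH", "URG", "RST")

# "Unknown Type" alerts carry the flag byte decoded by portsentry.
PROBE_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Unknown Type: Packet Flags: "
    + " ".join(rf"{f}: (?P<{f}>[01])" for f in TCP_FLAGS)
    + r" from host: (?P<host>[\w.-]+)/(?P<ip>\d+(?:\.\d+){3}) to TCP port: (?P<port>\d+)"
)
# Block actions ("Host x has been blocked via ...") and the de-dup notice.
BLOCK_RE = re.compile(
    r"attackalert: Host:? (?:[\w.-]+/)?(?P<ip>\d+(?:\.\d+){3}) "
    r"(?:has been blocked via (?P<how>wrappers|dropped route)|is already blocked)"
)
SYNFLOOD_RE = re.compile(
    r"kernel: Warning: possible SYN flood from (?P<src>\d+(?:\.\d+){3}) "
    r"on (?P<dst>\d+(?:\.\d+){3}):(?P<port>\d+)"
)

# Constructed sample: the post's lines, plus one invented Xmas probe (198.51.100.7).
SAMPLE_LOG = """\
Mar 12 03:28:47 mail portsentry[7764]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: samantha.craghead.com/216.15.159.194 to TCP port: 109
Mar 12 03:28:47 mail portsentry[7764]: attackalert: Host 216.15.159.194 has been blocked via wrappers with string: "ALL: 216.15.159.194"
Mar 12 03:28:47 mail portsentry[7764]: attackalert: Host 216.15.159.194 has been blocked via dropped route using command: "/sbin/ipfwadm -I -i deny -S 216.15.159.194 -o"
Mar 12 03:28:48 mail portsentry[7764]: attackalert: Unknown Type: Packet Flags: SYN: 1 FIN: 1 ACK: 0 PSH: 0 URG: 0 RST: 0 from host: samantha.craghead.com/216.15.159.194 to TCP port: 109
Mar 12 03:28:48 mail portsentry[7764]: attackalert: Host: samantha.craghead.com/216.15.159.194 is already blocked Ignoring
Mar 12 03:40:01 mail portsentry[7764]: attackalert: Unknown Type: Packet Flags: SYN: 0 FIN: 1 ACK: 0 PSH: 1 URG: 1 RST: 0 from host: scanner.invalid/198.51.100.7 to TCP port: 110
Mar 12 03:52:30 mail kernel: Warning: possible SYN flood from 192.168.1.7 on 192.168.1.1:823. Sending cookies.
"""


def classify(flags):
    """Name the scan a flag set implies; flags maps flag name -> bool."""
    on = {f for f, v in flags.items() if v}
    if {"SYN", "FIN"} <= on:
        return "SYN/FIN"  # open and close in one segment: never legitimate
    if not on:
        return "NULL"
    if on == {"FIN"}:
        return "FIN"
    if on == {"FIN", "PSH", "URG"}:
        return "Xmas"
    return "other"


def analyse(log_text):
    """Return (per-source summary keyed by IP, list of SYN-flood warnings)."""
    hosts = defaultdict(lambda: {"host": None, "probes": 0, "ports": set(),
                                 "kinds": set(), "blocked_by": [], "repeat_hits": 0})
    floods = []
    for line in log_text.splitlines():
        if m := PROBE_RE.search(line):
            h = hosts[m.group("ip")]  # key on the IP, not the reverse-DNS name
            h["host"] = m.group("host")
            h["probes"] += 1
            h["ports"].add(int(m.group("port")))
            h["kinds"].add(classify({f: m.group(f) == "1" for f in TCP_FLAGS}))
        elif m := BLOCK_RE.search(line):
            h = hosts[m.group("ip")]
            if m.group("how"):
                h["blocked_by"].append(m.group("how"))
            else:
                h["repeat_hits"] += 1  # probe arrived after the block: drop worked
        elif m := SYNFLOOD_RE.search(line):
            floods.append((m.group("src"), m.group("dst"), int(m.group("port"))))
    return dict(hosts), floods


def service_name(port):
    """Look the port up in the local /etc/services, as the post does by hand."""
    try:
        return socket.getservbyport(port, "tcp")
    except OSError:
        return "unknown"


def report(hosts, floods):
    """One summary line per source address, then one per SYN-flood warning."""
    lines = []
    for ip, h in sorted(hosts.items()):
        ports = ", ".join(f"{p}/{service_name(p)}" for p in sorted(h["ports"]))
        lines.append(f"{ip} ({h['host']}): {h['probes']} probe(s) "
                     f"[{'/'.join(sorted(h['kinds']))}] to {ports}; "
                     f"blocked by {h['blocked_by'] or 'nothing'}; "
                     f"{h['repeat_hits']} repeat(s) dropped")
    for src, dst, port in floods:
        lines.append(f"SYN flood warning: {src} -> {dst}:{port} (syncookies engaged)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(*analyse(SAMPLE_LOG))))
```

On the post's own lines this yields one summary entry for 216.15.159.194 showing a SYN/FIN probe to 109/pop2, blocked by wrappers and the dropped route, with the later probes counted as repeats, plus the separate SYN-flood notice from the internal 192.168.1.7 address.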
Maintained by the ILUG website team.