On Thu, 28 Jun 2001, Billy Jacobs wrote:

> I have been seeing the same thing as of late.  Just went through my
> email reports, and it seems like I am getting hit mostly from the
> following addresses on ports 111 and 515:
> 
> (sorted / uniq-ed)
> 24.93.164.129:2555 ---> my.ip.add.ress:111

a1-1e129.neo.rr.com, seems to be running a firewall

> 61.129.68.18:2913 ---> my.ip.add.ress:111

unnamed at .online.sh.cn (China)

> 61.159.62.12:51511 ---> my.ip.add.ress:111

unnamed at .he.cninfo.net (China)

> 64.123.230.249:35479 ---> my.ip.add.ress:515

adsl-64-123-230-249.dsl.kscymo.swbell.net, running RedHat

> 64.148.162.98:3717 ---> my.ip.add.ress:111

aol ip number

> 195.184.229.251:1857 ---> my.ip.add.ress:515

get2.freewire.net, RedHat

> 203.81.32.127:3145 ---> my.ip.add.ress:515

love127.idc.pacific.net.sg  (Singapore, no response)

> 206.136.197.156:2448 ---> my.ip.add.ress:515

somewhere in epresence.com ... no response

> 211.216.48.93:4513 ---> my.ip.add.ress:111

somewhere in nic.or.kr (Korea), redhat 6.2, telnet enabled
(possibly cracked)

> 211.54.94.250:4192 ---> my.ip.add.ress:111

somewhere in nic.or.kr (Korea), "Cyber Village Korea Test Mail Server"
probably cracked

> 216.98.128.83:1026 ---> my.ip.add.ress:111

streamer.aspadmin.com, running webserver redirected to itself 

> 
> During these reports my lease on my eth0 (WAN) card was renewed with a
> new IP, so it's more obvious now that it's some kind of scan, and not a
> targeted attack.
> 
> I also got a strange attack yesterday, couldn't find anything on it on
> securityfocus.  It was about 40 packets per second at peak, lasting
> about 5-10 minutes from a (I guess) spoofed address:
> 
> 192.168.0.251:5 ---> my.ip.add.ress:1
> 
> Source port and destination port remained 5 and 1 (respectively)
> throughout the entire scan.  Anyone know what kind of probe/attack this
> might be?  

I think you need to look more closely at the protocol... this is probably
not a tcp connection, and the "port" numbers are misinterpreted, and the
actual header layout would need to be compared with tcp to identify what
those port numbers mean.

[...]

---------------------------------------------------------------------------
Jeff Newmiller                        The     .....       .....  Go Live...
DCN:<[EMAIL PROTECTED]>        Basics: ##.#.       ##.#.  Live Go...
                                      Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
/Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
---------------------------------------------------------------------------
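To make the point in the reply concrete, here is an added example (not code from the original thread) that decodes an IPv4 header, reads the protocol field, and only reports "ports" when the protocol is TCP or UDP; otherwise it shows what the same four bytes mean under that protocol's header layout. The two packets are constructed for the demonstration; the ICMP-style one has first bytes that a TCP-only log line would print as "port 5 -> port 1".

```python
import socket
import struct

PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}

def naive_ports(packet: bytes) -> tuple:
    """What a port-only log line prints: the first four bytes after the IP
    header read as two 16-bit numbers, whatever the protocol really is."""
    ihl = (packet[0] & 0x0F) * 4
    return struct.unpack("!HH", packet[ihl:ihl + 4])

def decode(packet: bytes) -> dict:
    """Decode the IPv4 header first, then interpret the following bytes
    according to the protocol field instead of assuming TCP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    info = {
        "src": socket.inet_ntoa(packet[12:16]),
        "dst": socket.inet_ntoa(packet[16:20]),
        "proto": PROTO_NAMES.get(proto, str(proto)),
    }
    if proto in (6, 17) and len(body) >= 4:
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
    elif proto == 1 and len(body) >= 4:
        # ICMP: type, code and checksum occupy the bytes a TCP parser calls ports
        info["type"], info["code"] = body[0], body[1]
    else:
        info["first4"] = body[:4].hex()  # unknown layout: show raw bytes only
    return info

def build(proto: int, body: bytes, src="192.168.0.251", dst="10.0.0.1") -> bytes:
    """Constructed IPv4 packet (header checksum left zero) for the demo."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(body), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + body

# Constructed TCP header: sport 2555 -> dport 111 (portmapper), SYN flag set
TCP_SAMPLE = build(6, struct.pack("!HHIIBBHHH", 2555, 111, 0, 0, 5 << 4, 0x02, 8192, 0, 0))
# Constructed ICMP-style packet whose first bytes look like "5 -> 1" to a TCP-only parser
ICMP_SAMPLE = build(1, bytes([0, 5, 0, 1]) + b"\x00" * 4)

if __name__ == "__main__":
    for pkt in (TCP_SAMPLE, ICMP_SAMPLE):
        print("naive:", naive_ports(pkt), "decoded:", decode(pkt))
```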


_______________________________________________
Leaf-user mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/leaf-user
