I have been receiving some very weird traffic on my Firewall within the last two days that is coming from non-routable IPs reserved by IANA. They did not get through the Firewall, but I do not understand the intent behind it. Could it be a scan for reconnaissance purposes? Is it a type of OS-fingerprinting? Here are the logs below:

April 16,

Apr 16 11:33:16 gate1 kernel: securityalert: tcp if=eb0 from 10.1.2.1:25 to a.b.c.d on unserved port 4559
Apr 16 11:33:19 gate1 kernel: securityalert: tcp if=eb0 from 10.1.2.1:25 to a.b.c.d on unserved port 4559
Apr 16 11:33:26 gate1 kernel: securityalert: tcp if=eb0 from 10.1.2.1:25 to a.b.c.d on unserved port 4559
Apr 16 11:33:39 gate1 kernel: securityalert: tcp if=eb0 from 10.1.2.1:25 to a.b.c.d on unserved port 4559
Apr 16 11:34:04 gate1 kernel: securityalert: tcp if=eb0 from 10.1.2.1:25 to a.b.c.d on unserved port 4559
Apr 16 11:34:55 gate1 kernel: securityalert: tcp if=eb0 from 10.1.2.1:25 to a.b.c.d on unserved port 4559

April 17,

Apr 17 10:58:16 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2002
Apr 17 10:58:19 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2002
Apr 17 10:58:25 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2002
Apr 17 10:58:38 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2002
Apr 17 10:59:04 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2002
Apr 17 10:59:55 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2002
Apr 17 11:00:55 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2002
Apr 17 11:20:16 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2314
Apr 17 11:20:19 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2314
Apr 17 11:20:25 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2314
Apr 17 11:20:38 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2314
Apr 17 11:21:04 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2314
Apr 17 11:21:55 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2314
Apr 17 11:22:55 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2314
Apr 17 18:04:16 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 3868
Apr 17 18:04:19 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 3868
Apr 17 18:04:26 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 3868
Apr 17 18:04:39 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 3868
Apr 17 18:05:04 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 3868
Apr 17 18:05:55 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 3868
Apr 17 18:06:55 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 3868

I know it's from the same attacker using the same type of automated tool, but I don't understand the intent, and why SMTP? If anybody else has seen this activity and has some insight on it, I would appreciate the info.

Thanks all.

Eric
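An added analysis script for the log lines quoted above (this is editor-supplied example code, not part of the original post or of any firewall product). It parses the securityalert format, groups the hits by source address, source port and destination port, measures the gap between repeats, and flags sources that fall inside reserved address space. Two things are assumptions: the year (syslog lines carry none, so 2001 is taken from the archive date) and the reserved-prefix list (10/8 is RFC 1918; 223/8 was still IANA-reserved when the post was written and has since been allocated, so this is the post's list, not a current bogon list). The point a defender would want out of it: each series hits one port with gaps that grow roughly by doubling (3, 6-7, 13, 25-26, 51, 60 seconds), which is the shape of a TCP retransmission timer and not of a sweep across many ports, and every source is in space that ingress filtering (RFC 2827) should drop at the border.

```python
"""Group firewall 'securityalert' lines by source and destination port and
measure the gaps between repeats, to tell a retransmitting connection
attempt from a port sweep and to flag sources in reserved address space."""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed year: the archive footer is dated 2001; syslog lines carry none.
LOG_YEAR = 2001

# Prefixes treated as non-routable. 10/8 is RFC 1918; 223/8 was still
# IANA-reserved when this post was written (it has since been allocated),
# so this list is an assumption tied to the post, not a current bogon list.
RESERVED = [ip_network("10.0.0.0/8"), ip_network("223.0.0.0/8")]

# Constructed sample: two of the series quoted in the post, copied verbatim
# (the firewall's own address is anonymised as a.b.c.d, as in the post).
SAMPLE_LOG = """\
Apr 16 11:33:16 gate1 kernel: securityalert: tcp if=eb0 from 10.1.2.1:25 to a.b.c.d on unserved port 4559
Apr 16 11:33:19 gate1 kernel: securityalert: tcp if=eb0 from 10.1.2.1:25 to a.b.c.d on unserved port 4559
Apr 16 11:33:26 gate1 kernel: securityalert: tcp if=eb0 from 10.1.2.1:25 to a.b.c.d on unserved port 4559
Apr 16 11:33:39 gate1 kernel: securityalert: tcp if=eb0 from 10.1.2.1:25 to a.b.c.d on unserved port 4559
Apr 16 11:34:04 gate1 kernel: securityalert: tcp if=eb0 from 10.1.2.1:25 to a.b.c.d on unserved port 4559
Apr 16 11:34:55 gate1 kernel: securityalert: tcp if=eb0 from 10.1.2.1:25 to a.b.c.d on unserved port 4559
Apr 17 10:58:16 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2002
Apr 17 10:58:19 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2002
Apr 17 10:58:25 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2002
Apr 17 10:58:38 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2002
Apr 17 10:59:04 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2002
Apr 17 10:59:55 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2002
Apr 17 11:00:55 gate1 kernel: securityalert: tcp if=eb0 from 223.0.0.43:25 to a.b.c.d on unserved port 2002
"""

# One securityalert line: syslog timestamp, host, protocol, interface,
# source ip:port, destination, and the unserved destination port.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: securityalert: "
    r"(?P<proto>\w+) if=(?P<iface>\S+) from (?P<src>[\d.]+):(?P<sport>\d+) "
    r"to (?P<dst>\S+) on unserved port (?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for one securityalert line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{LOG_YEAR} {rec['ts']}", "%Y %b %d %H:%M:%S")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["reserved_src"] = any(ip_address(rec["src"]) in n for n in RESERVED)
    return rec


def is_backoff(gaps):
    """True if the inter-arrival gaps never shrink and grow at least fourfold
    overall: the shape of a retransmission timer, not of a multi-port sweep."""
    if len(gaps) < 3:
        return False
    growing = all(b >= a for a, b in zip(gaps, gaps[1:]))
    return growing and gaps[-1] >= 4 * gaps[0]


def summarize(text):
    """Group lines by (src, sport, dport) and describe each series."""
    series = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            series[(rec["src"], rec["sport"], rec["dport"])].append(rec)
    out = {}
    for key, recs in series.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        out[key] = {
            "hits": len(recs),
            "gaps": gaps,
            "reserved_src": recs[0]["reserved_src"],
            "retransmit_like": is_backoff(gaps),
        }
    return out


if __name__ == "__main__":
    for (src, sport, dport), s in summarize(SAMPLE_LOG).items():
        print(f"{src}:{sport} -> port {dport}: {s['hits']} hits, gaps {s['gaps']}s, "
              f"reserved source={s['reserved_src']}, retransmit-like={s['retransmit_like']}")
```

Run it against a full day of gate1 output instead of the embedded sample to see whether any source ever touches more than one port in a burst; the grouping key is deliberately (source, source port, destination port) so that a real sweep shows up as many short series from one source, while a stuck or spoofed connection shows up as one long series with growing gaps.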
This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 08:32:26 PDT