Re: scan for 109, new worm-variant or simple scan?

From: Scott Nursten (scottnat_private)
Date: Wed Apr 25 2001 - 11:16:47 PDT


    I have seen some similar scans recently but unfortunately it is on a net that we don't run IDS on (well, we do "technically" - but we don't let anything in there :))
    
    Apr 24 19:07:48 edge1-th 147637: 4w6d: %SEC-6-IPACCESSLOGP: list 103 denied tcp 203.232.4.4(21) ->  x.x.x.76(21), 1 packet
    Apr 24 19:07:58 edge1-th 147640: 4w6d: %SEC-6-IPACCESSLOGP: list 103 denied tcp 203.232.4.4(109) -> x.x.x.76(109), 1 packet
    Apr 24 19:08:13 edge1-th 147642: 4w6d: %SEC-6-IPACCESSLOGP: list 103 denied tcp 203.232.4.4(111) -> x.x.x.76(111), 1 packet
    
    As you can see, this is from the same host but doing 21,109,111 as opposed to your 53,109,111. Possibly they are looking for the (few if any) remaining POP2 boxes out there.
    
    Does anyone use POP2 anymore? It's listed as a historic protocol in the Internet Official Protocols Standard (http://www.faqs.org/rfcs/rfc2700.html).
    
    Rgds,
    
    Scott Nursten
    
    
    buschermannat_private wrote:
    >
    > Hi all,
    > yesterday we received a scan for ports 53, 109 and 111 with the synscan tool
    > from one IP for about one minute.
    > Ports 53 and 111 are the well-known vulnerabilities of the bind daemon and
    > rpc.statd, but what is 109 for?
    > I know it's pop2 but I can't remember any exploits lately besides
    >
    > http://www.securityfocus.com/vdb/?id=283
    >
    > and this is old news.
    >
    > Has anyone received similar scans lately?
    > Could this be a new variant of any of the latest worms?
    > Could this be a simple synscan-scan where old and newer vulnerabilities
    > have been mixed?
    >
    > regards
    > axel
    >
    > Times are MEST
    > --snip--
    >
    > [**] spp_portscan: PORTSCAN DETECTED from 203.232.4.4 (STEALTH) [**]
    > 04/24-17:21:10.724734
    > [**] IDS441 - SCAN - Synscan Portscan [**]
    > 04/24-17:21:10.724083 203.232.4.4:109 -> x.x.x.68:109
    > TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
    > ******SF Seq: 0x6D4C2D68  Ack: 0x50D8DCC2  Win: 0x404  TcpLen: 20
    >
    > [**] spp_portscan: portscan status from 203.232.4.4: 2 connections across 1
    > hosts: TCP(2), UDP(0) STEALTH [**]
    > 04/24-17:21:25.979399
    > [**] IDS441 - SCAN - Synscan Portscan [**]
    > 04/24-17:21:25.962330 203.232.4.4:111 -> x.x.x.68:111
    > TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
    > ******SF Seq: 0x5D276564  Ack: 0x29976377  Win: 0x404  TcpLen: 20
    >
    > [**] spp_portscan: portscan status from 203.232.4.4: 1 connections across 1
    > hosts: TCP(1), UDP(0) STEALTH [**]
    > 04/24-17:22:08.367210
    > [**] IDS441 - SCAN - Synscan Portscan [**]
    > 04/24-17:22:08.366514 203.232.4.4:53 -> x.x.x.68:53
    > TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
    > ******SF Seq: 0x23DC50AF  Ack: 0x167205BA  Win: 0x404  TcpLen: 20
    >
    > [**] spp_portscan: End of portscan from 203.232.4.4: TOTAL time(58s)
    > hosts(1) TCP(3) UDP(0) STEALTH [**]
    > 04/24-17:25:20.680558
    >
    > ---snip---
    >
    > --
    > GMX - The communication platform on the Internet.
    > http://www.gmx.net
    
    --
    Scott Nursten - Systems Administrator
    Streets Online Ltd.
    
    Business:       +44 (0) 1293 402 040
    Fax:            +44 (0) 1293 402 050
    Email:          scottnat_private
    
          -----------------------------------------------------------------------
    	"Unix is user friendly. It's just selective when choosing friends."
          -----------------------------------------------------------------------
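The synscan fingerprint visible in both sets of logs above (source port equal to destination port, SYN and FIN set together, constant IP ID 39426 and window 0x404 in the decoded Snort output) can be checked mechanically. The script below is an added example, not code from either poster: it parses Snort 1.x alert text and Cisco %SEC-6-IPACCESSLOGP lines in the form they appear in this thread, groups the probes by source address and reports which fingerprint elements each source matches. The sample input is the thread's own log lines plus one constructed benign Cisco line from 203.0.113.9 (a documentation address) for contrast; the constants SYNSCAN_IPID and SYNSCAN_WIN are taken from the capture above, not from any specification of the tool, and are labelled as such in the code.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional

# Snort 1.x alert text: a "SRC:SPORT -> DST:DPORT" header line, then an IP line, then a TCP line.
SNORT_HDR = re.compile(r'^\d\d/\d\d-\d\d:\d\d:\d\d\.\d+\s+([^\s:]+):(\d+)\s+->\s+([^\s:]+):(\d+)$')
SNORT_IP = re.compile(r'^TCP TTL:(\d+)\s+TOS:\S+\s+ID:(\d+)')
SNORT_TCP = re.compile(r'^([*12UAPRSF]{8})\s+Seq:.*\bWin:\s*(0x[0-9A-Fa-f]+)')
# Cisco IOS ACL log: "%SEC-6-IPACCESSLOGP: list N denied tcp SRC(SPORT) -> DST(DPORT), 1 packet"
CISCO = re.compile(r'%SEC-6-IPACCESSLOGP: list \d+ \w+ (\w+) ([^\s(]+)\((\d+)\) ->\s+([^\s(]+)\((\d+)\)')
# Values observed in this thread's Snort output; assumed here to be synscan's constants.
SYNSCAN_IPID = 39426
SYNSCAN_WIN = 0x404

@dataclass
class Probe:
    src: str
    sport: int
    dst: str
    dport: int
    origin: str                  # "snort" (TCP/IP header decoded) or "cisco" (ports only)
    flags: Optional[str] = None  # Snort flag string, e.g. "******SF"
    ipid: Optional[int] = None
    win: Optional[int] = None

@dataclass
class Summary:
    ports: List[int]
    packets: int
    same_port: bool             # every probe used source port == destination port
    syn_fin: bool               # every decoded probe had exactly SYN+FIN set
    fixed_ipid: Optional[int]   # IP ID if identical across all decoded probes
    win: Optional[int]          # TCP window if identical across all decoded probes
    origins: List[str]
    verdict: str

def parse(text: str) -> List[Probe]:
    """Extract probes from mixed Snort/Cisco log text; '> ' quote prefixes are stripped."""
    probes, pending = [], None
    for raw in text.splitlines():
        line = raw.lstrip('> \t').rstrip()
        if (m := CISCO.search(line)) and m.group(1) == 'tcp':
            probes.append(Probe(m.group(2), int(m.group(3)), m.group(4), int(m.group(5)), 'cisco'))
        elif (m := SNORT_HDR.match(line)):   # the next two lines carry the IP and TCP header fields
            pending = Probe(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), 'snort')
        elif pending and (m := SNORT_IP.match(line)):
            pending.ipid = int(m.group(2))
        elif pending and (m := SNORT_TCP.match(line)):
            pending.flags, pending.win = m.group(1), int(m.group(2), 16)
            probes.append(pending)
            pending = None
    return probes

def summarize(probes: List[Probe]) -> dict:
    """Group probes by source address and score each source against the synscan fingerprint."""
    by_src = defaultdict(list)
    for p in probes:
        by_src[p.src].append(p)
    out = {}
    for src, ps in by_src.items():
        same_port = all(p.sport == p.dport for p in ps)
        decoded = [p for p in ps if p.flags is not None]
        # Snort's flag string is "12UAPRSF"; only the last two set means SYN+FIN and nothing else.
        syn_fin = bool(decoded) and all(p.flags == '******SF' for p in decoded)
        ipids, wins = {p.ipid for p in decoded}, {p.win for p in decoded}
        fixed_ipid = ipids.pop() if len(ipids) == 1 else None
        win = wins.pop() if len(wins) == 1 else None
        if same_port and syn_fin and fixed_ipid == SYNSCAN_IPID and win == SYNSCAN_WIN:
            verdict = 'synscan (full fingerprint)'
        elif same_port and len(ps) > 1:
            verdict = 'synscan-like (sport == dport only; no header decode available)'
        else:
            verdict = 'no synscan fingerprint'
        out[src] = Summary(sorted({p.dport for p in ps}), len(ps), same_port, syn_fin,
                           fixed_ipid, win, sorted({p.origin for p in ps}), verdict)
    return out

# Sample input: the thread's own Snort and Cisco lines, plus one constructed benign
# Cisco line from 203.0.113.9 to show a non-match.
SAMPLE = """\
> 04/24-17:21:10.724083 203.232.4.4:109 -> x.x.x.68:109
> TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
> ******SF Seq: 0x6D4C2D68  Ack: 0x50D8DCC2  Win: 0x404  TcpLen: 20
> 04/24-17:21:25.962330 203.232.4.4:111 -> x.x.x.68:111
> TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
> ******SF Seq: 0x5D276564  Ack: 0x29976377  Win: 0x404  TcpLen: 20
> 04/24-17:22:08.366514 203.232.4.4:53 -> x.x.x.68:53
> TCP TTL:26 TOS:0x0 ID:39426 IpLen:20 DgmLen:40
> ******SF Seq: 0x23DC50AF  Ack: 0x167205BA  Win: 0x404  TcpLen: 20
Apr 24 19:07:48 edge1-th 147637: 4w6d: %SEC-6-IPACCESSLOGP: list 103 denied tcp 203.232.4.4(21) ->  x.x.x.76(21), 1 packet
Apr 24 19:07:58 edge1-th 147640: 4w6d: %SEC-6-IPACCESSLOGP: list 103 denied tcp 203.232.4.4(109) -> x.x.x.76(109), 1 packet
Apr 24 19:08:13 edge1-th 147642: 4w6d: %SEC-6-IPACCESSLOGP: list 103 denied tcp 203.232.4.4(111) -> x.x.x.76(111), 1 packet
Apr 24 19:09:00 edge1-th 147650: 4w6d: %SEC-6-IPACCESSLOGP: list 103 denied tcp 203.0.113.9(40321) -> x.x.x.76(80), 1 packet
"""

if __name__ == '__main__':
    for src, s in summarize(parse(SAMPLE)).items():
        print(f"{src}: {s.verdict}; ports {s.ports}; {s.packets} packets via {s.origins}")
```

Two caveats on reading the output. TTL is deliberately left out of the score because it depends on the path from the scanner, not on the tool. And the weaker "synscan-like" verdict exists because an ACL log such as the Cisco one only shows ports: a source port that always equals the destination port is suggestive, but the SYN+FIN combination is the part no legitimate TCP handshake ever produces, so where packet headers are available that is the element to alert on.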
    



    This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 12:21:47 PDT