Hi.

I've just been scanned from a server.fseweb.com, IP 211.123.77.226, a host which belongs to the so-called "FSE-SYSTEM", which is located in Japan. It seems that the intruder looked for some ftp vulnerability, and when blocked by ipchains he crafted some SYN FIN packets to do the job, and then caught by snort. The whole process was too fast not to be a script.

There's no abuse or any other email address one can turn to on that company but I sent a note to the Japan Network Information System, an ISP which owns that IP apparently.

Anyone else received this pattern of scanning, or anything else from that IP? (FSE-SYSTEM reside on IP 211.123.77.224 through .239).

Here are the logs:

Jun 7 23:45:54 gandalf kernel: Packet log: ppp-in - ppp0 PROTO=6 211.123.77.226:21 62.0.80.70:21 L=40 S=0x20 I=39426 F=0x0000 T=10 SYN (#13)
Jun 7 23:45:54 gandalf kernel: Packet log: ppp-in - ppp0 PROTO=6 211.123.77.226:21 62.0.80.70:21 L=40 S=0x20 I=39426 F=0x0000 T=10 SYN (#13)

Jun 7 23:45:54 211.123.77.226:21 -> 62.0.80.70:21 SYNFIN ******SF

[**] SCAN SYN FIN [**]
06/07-23:45:54.886906 211.123.77.226:21 -> 62.0.80.70:21
TCP TTL:10 TOS:0x20 ID:39426 IpLen:20 DgmLen:40
******SF Seq: 0x1312DBBE Ack: 0x43512BF7 Win: 0x404 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Any other comments would be highly appreciated.

centipede.
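An added example, not part of the original post: a Python sketch that parses the ipchains and Snort records quoted in the message, flags the SYN+FIN flag combination and the identical source and destination ports, and groups the records by IP ID to show which ones describe the same packet. The regular expressions and function names are assumptions written for these sample lines, and the Snort alert is assumed to be in its usual multi-line layout.

```python
import re

# Records copied from the post above; the ipchains line appears twice there.
IPCHAINS = ["Jun 7 23:45:54 gandalf kernel: Packet log: ppp-in - ppp0 PROTO=6 "
            "211.123.77.226:21 62.0.80.70:21 L=40 S=0x20 I=39426 F=0x0000 "
            "T=10 SYN (#13)"] * 2
SNORT = ("[**] SCAN SYN FIN [**]\n"
         "06/07-23:45:54.886906 211.123.77.226:21 -> 62.0.80.70:21\n"
         "TCP TTL:10 TOS:0x20 ID:39426 IpLen:20 DgmLen:40\n"
         "******SF Seq: 0x1312DBBE Ack: 0x43512BF7 Win: 0x404 TcpLen: 20\n")

# Assumed patterns, written to fit the two record formats shown above.
IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) \S+ \S+ PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=\d+ S=\S+ I=(?P<ipid>\d+) F=\S+ T=(?P<ttl>\d+)")
SNORT_RE = re.compile(
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"TCP TTL:(?P<ttl>\d+) TOS:\S+ ID:(?P<ipid>\d+) .*?\n(?P<flags>[*\w]{8}) ")
TEXT_FIELDS = ("src", "dst", "chain", "flags")

def parse(sensor, regex, text):
    """Return the record's fields as a dict, numeric fields converted to int."""
    m = regex.search(text)
    if m is None:
        raise ValueError("unrecognised %s record" % sensor)
    rec = {k: v if k in TEXT_FIELDS else int(v) for k, v in m.groupdict().items()}
    rec["sensor"] = sensor
    return rec

def findings(rec):
    """List the anomalies visible in one parsed record."""
    out = []
    flags = rec.get("flags", "")  # only the Snort record carries the flag string
    if "S" in flags and "F" in flags:
        out.append("SYN+FIN set together")
    if rec["sport"] == rec["dport"]:
        out.append("source port equals destination port")
    return out

def correlate(records):
    """Group by (src, dst, IP ID): one key means one packet seen by several sensors."""
    groups = {}
    for r in records:
        groups.setdefault((r["src"], r["dst"], r["ipid"]), []).append(r["sensor"])
    return groups

RECORDS = [parse("ipchains", IPCHAINS_RE, l) for l in IPCHAINS]
RECORDS.append(parse("snort", SNORT_RE, SNORT))

if __name__ == "__main__":
    print(correlate(RECORDS))
    for r in RECORDS:
        print(r["sensor"], r["ttl"], findings(r))
```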
This archive was generated by hypermail 2b30 : Thu Jun 07 2001 - 16:58:20 PDT