Denial of service attack on port 6667

From: vlimaat_private
Date: Thu Jul 12 2001 - 06:22:25 PDT

    Hi folks,
    
    I've been monitoring this list for a long time, but this is my first post.
    Bear with me if I don't provide enough information.
    
    Last night I noticed an unusually high number of connections to my IRCD
    server running on FreeBSD.  I first thought that it was normal, as our max
    number of connections was set at 20 and was fully used. I increased it to
    50, and immediately all 50 allowed connections were taken.  Upon further
    investigation, I found the following types of port 6667 connections, which
    are unusually high for the type of IRC service we run:
    
    tcp4       0      0  server1.6667           145.253.166.229.64981  FIN_WAIT_2
    tcp4       0      0  server1.6667           145.253.166.229.64980  FIN_WAIT_2
    tcp4       0      0  server1.6667           145.253.166.229.64978  FIN_WAIT_2
    tcp4       0      0  server1.6667           212.238.51.186.1090    FIN_WAIT_2
    tcp4       0      0  server1.6667           62.227.41.47.1692      FIN_WAIT_2
    tcp4       0      0  server1.6667           61.124.14.54.63861     FIN_WAIT_2
    tcp4       0      0  server1.6667           24.14.155.186.13182    FIN_WAIT_2
    tcp4       0      0  server1.6667           208.58.112.93.2511     FIN_WAIT_2
    tcp4       0      0  server1.6667           24.19.240.186.1024     FIN_WAIT_2
    tcp4       0      0  server1.6667           64.252.66.36.2139      FIN_WAIT_2
    tcp4       0      0  server1.6667           141.154.121.202.1660   FIN_WAIT_2
    tcp4       0      0  server1.6667           172.175.109.119.3227   FIN_WAIT_2
    tcp4       0    153  server1.6667           24.70.114.239.1321     FIN_WAIT_1
    tcp4       0      0  server1.6667           172.173.142.43.2283    FIN_WAIT_2
    tcp4       0      0  server1.6667           208.58.112.93.2509     FIN_WAIT_2
    tcp4       0      0  server1.6667           63.21.143.227.1164     FIN_WAIT_2
    tcp4       0   1406  server1.6667           172.169.173.240.1028   FIN_WAIT_1
    
    The above is just a short example.  My question is whether there are any known
    denial-of-service attacks on ircd at the moment. This box only runs
    apache, ftp, qmail, and ircd. But I was seeing *many* more connections on
    ports that should not be connecting (i.e. port scanning tip?). Is there any
    vulnerability that is well known to "show up" upon a port scan on a FreeBSD
    server? I run FreeBSD 4.1.1.
    
    Thanks for the help,
    Vinnie
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
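A small defender-side check, added here as an example and not part of Vinnie's post or of any ircd tooling: it parses the FreeBSD `netstat -n` lines quoted above (in the mail-wrapped form, with the state on the following line) and counts FIN_WAIT_1/FIN_WAIT_2 sockets on port 6667 per remote address, which is the quickest way to see which peers are holding the connection slots the server has already closed. The sample listing is constructed from lines in the post plus one unrelated entry; the threshold of 2 is an assumed cut-off.

```python
from collections import Counter
# Constructed sample: FreeBSD `netstat -n` lines copied from the post above, in the
# wrapped form they appear there, plus one unrelated one-line entry (assumed) to skip.
SAMPLE = """\
tcp4       0      0  server1.6667           145.253.166.229.64981
FIN_WAIT_2
tcp4       0      0  server1.6667           145.253.166.229.64980
FIN_WAIT_2
tcp4       0      0  server1.6667           208.58.112.93.2511
FIN_WAIT_2
tcp4       0    153  server1.6667           24.70.114.239.1321
FIN_WAIT_1
tcp4       0      0  server1.6667           208.58.112.93.2509
FIN_WAIT_2
tcp4       0      0  server1.80             10.0.0.5.40000         ESTABLISHED
"""

def _record(f):
    # FreeBSD joins address and port with a dot; the port is the last component.
    laddr, lport = f[3].rsplit(".", 1)
    raddr, rport = f[4].rsplit(".", 1)
    return (f[0], laddr, int(lport), raddr, int(rport), f[5])

def parse_netstat(text):
    """Yield (proto, laddr, lport, raddr, rport, state); accepts wrapped lines."""
    pending = None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0].startswith("tcp"):
            pending = fields if len(fields) < 6 else None
            if pending is None:
                yield _record(fields)
        elif pending is not None and len(fields) == 1:
            yield _record(pending + fields)
            pending = None

def half_closed_by_peer(text, local_port=6667):
    """Count FIN_WAIT_1/FIN_WAIT_2 sockets on local_port per remote address."""
    counts = Counter()
    for _proto, _laddr, lport, raddr, _rport, state in parse_netstat(text):
        if lport == local_port and state.startswith("FIN_WAIT"):
            counts[raddr] += 1
    return counts

def noisy_peers(text, local_port=6667, threshold=2):
    """Remote addresses holding at least `threshold` half-closed sockets."""
    by_peer = half_closed_by_peer(text, local_port)
    return sorted(ip for ip, n in by_peer.items() if n >= threshold)
```

On a live box the same functions can be fed `netstat -n` output directly; peers that keep many sockets in FIN_WAIT_2 are the ones to rate-limit or block at the packet filter while the ircd's own connection limit is what they are exhausting.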
    
    This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 11:32:26 PDT