Denial of service attack on port 6667

From: vlimaat_private
Date: Thu Jul 12 2001 - 06:22:25 PDT

Next message: Rajeev Kumar: "Re: Weird UDP trafic"

Previous message: Scott Nursten: "Re: TCP Src 5635: what is it?"
Next in thread: John Marquart: "Re: Denial of service attack on port 6667"
Reply: John Marquart: "Re: Denial of service attack on port 6667"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi folks,

I've been monitoring this list for a long time, but this is my first post.
Bear with me if I dont provide enough information.

Last night i've noticed an unusual high amount of connections to my IRCD
server running on freebsd.  I first thought that it was normal as our max
number of connections was set at 20 and was fully used. I increased it to
50, and immediately all 50 allowed connections were taken.  Upon further
investigation, found the following types of port 6667 connections that is
unusually high for the type of irc service we run:

tcp4       0      0  server1.6667           145.253.166.229.64981
FIN_WAIT_2
tcp4       0      0  server1.6667           145.253.166.229.64980
FIN_WAIT_2
tcp4       0      0  server1.6667           145.253.166.229.64978
FIN_WAIT_2
tcp4       0      0  server1.6667           212.238.51.186.1090
FIN_WAIT_2
tcp4       0      0  server1.6667           62.227.41.47.1692
FIN_WAIT_2
tcp4       0      0  server1.6667           61.124.14.54.63861
FIN_WAIT_2
tcp4       0      0  server1.6667           24.14.155.186.13182
FIN_WAIT_2
tcp4       0      0  server1.6667           208.58.112.93.2511
FIN_WAIT_2
tcp4       0      0  server1.6667           24.19.240.186.1024
FIN_WAIT_2
tcp4       0      0  server1.6667           64.252.66.36.2139
FIN_WAIT_2
tcp4       0      0  server1.6667           141.154.121.202.1660
FIN_WAIT_2
tcp4       0      0  server1.6667           172.175.109.119.3227
FIN_WAIT_2
tcp4       0    153  server1.6667           24.70.114.239.1321
FIN_WAIT_1
tcp4       0      0  server1.6667           172.173.142.43.2283
FIN_WAIT_2
tcp4       0      0  server1.6667           208.58.112.93.2509
FIN_WAIT_2
tcp4       0      0  server1.6667           63.21.143.227.1164
FIN_WAIT_2
tcp4       0   1406  server1.6667           172.169.173.240.1028
FIN_WAIT_1

The above is just a short example.  My question is if there are any known
denial of service attacks on ircd at this moment? This box only runs
apache, ftp, qmail, and ircd. But I was seeing *many* more connections on
ports that should not be connecting (i.e. port scanning tip?). Is there any
vulnerability that is well known to "show up" upon a port scan on a freebsd
server? I run FreeBSD 4.1.1.

Thanks for the help,
Vinnie





----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Next message: Rajeev Kumar: "Re: Weird UDP trafic"
Previous message: Scott Nursten: "Re: TCP Src 5635: what is it?"
Next in thread: John Marquart: "Re: Denial of service attack on port 6667"
Reply: John Marquart: "Re: Denial of service attack on port 6667"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 11:32:26 PDT