Hi folks,

I've been monitoring this list for a long time, but this is my first post. Bear with me if I don't provide enough information.

Last night I noticed an unusually high number of connections to my IRCD server running on FreeBSD. I first thought that it was normal, as our max number of connections was set at 20 and was fully used. I increased it to 50, and immediately all 50 allowed connections were taken. Upon further investigation, I found the following types of port 6667 connections, the number of which is unusually high for the type of IRC service we run:

tcp4 0 0 server1.6667 145.253.166.229.64981 FIN_WAIT_2
tcp4 0 0 server1.6667 145.253.166.229.64980 FIN_WAIT_2
tcp4 0 0 server1.6667 145.253.166.229.64978 FIN_WAIT_2
tcp4 0 0 server1.6667 212.238.51.186.1090 FIN_WAIT_2
tcp4 0 0 server1.6667 62.227.41.47.1692 FIN_WAIT_2
tcp4 0 0 server1.6667 61.124.14.54.63861 FIN_WAIT_2
tcp4 0 0 server1.6667 24.14.155.186.13182 FIN_WAIT_2
tcp4 0 0 server1.6667 208.58.112.93.2511 FIN_WAIT_2
tcp4 0 0 server1.6667 24.19.240.186.1024 FIN_WAIT_2
tcp4 0 0 server1.6667 64.252.66.36.2139 FIN_WAIT_2
tcp4 0 0 server1.6667 141.154.121.202.1660 FIN_WAIT_2
tcp4 0 0 server1.6667 172.175.109.119.3227 FIN_WAIT_2
tcp4 0 153 server1.6667 24.70.114.239.1321 FIN_WAIT_1
tcp4 0 0 server1.6667 172.173.142.43.2283 FIN_WAIT_2
tcp4 0 0 server1.6667 208.58.112.93.2509 FIN_WAIT_2
tcp4 0 0 server1.6667 63.21.143.227.1164 FIN_WAIT_2
tcp4 0 1406 server1.6667 172.169.173.240.1028 FIN_WAIT_1

The above is just a short example. My question is whether there are any known denial of service attacks on ircd at this moment. This box only runs apache, ftp, qmail, and ircd. But I was seeing *many* more connections on ports that should not be connecting (i.e. port scanning tip?). Is there any vulnerability that is well known to "show up" upon a port scan on a FreeBSD server? I run FreeBSD 4.1.1.
Thanks for the help,
Vinnie
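
Added example, not part of the original post: one way to triage netstat output like the listing above is to tally connections to the IRC port by TCP state and by remote host. The function names and the port-80 sample line are assumptions made for this example; the other sample lines are taken from the post.

```shell
#!/bin/sh
# Summarise BSD-style `netstat -an` TCP lines for one local port.
# Live use: netstat -an -p tcp | summarize_port 6667

summarize_port() {
    awk -v port="$1" '
    $1 ~ /^tcp/ && NF >= 6 && $6 != "LISTEN" {
        # BSD netstat joins address and port with a dot: host.port
        n = split($4, l, ".")
        if (l[n] != port) next            # not the service we care about
        remote = $5
        sub(/\.[0-9]+$/, "", remote)      # drop the remote port
        state[$6]++                       # e.g. FIN_WAIT_2: our FIN was ACKed,
        host[remote]++                    # still waiting for the peer to close
        if ($3 > 0) sendq[$6] += $3       # Send-Q bytes not yet acknowledged
    }
    END {
        for (s in state) printf "state %s %d sendq=%d\n", s, state[s], sendq[s]
        for (h in host)  printf "host %s %d\n", h, host[h]
    }' | sort -k1,1 -k3,3nr -k2,2         # busiest hosts and states first
}

# Sample input: six lines from the post plus one constructed port-80 line.
sample_netstat() {
    cat <<'EOF'
tcp4 0 0 server1.6667 145.253.166.229.64981 FIN_WAIT_2
tcp4 0 0 server1.6667 145.253.166.229.64980 FIN_WAIT_2
tcp4 0 0 server1.6667 145.253.166.229.64978 FIN_WAIT_2
tcp4 0 0 server1.6667 208.58.112.93.2511 FIN_WAIT_2
tcp4 0 0 server1.6667 208.58.112.93.2509 FIN_WAIT_2
tcp4 0 153 server1.6667 24.70.114.239.1321 FIN_WAIT_1
tcp4 0 0 server1.80 192.0.2.10.40000 ESTABLISHED
EOF
}

sample_netstat | summarize_port 6667
```

Hosts that hold several half-closed sockets at once sort to the top, which separates a few repeat connectors from a wide spread of single-connection sources.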
This archive was generated by hypermail 2b30 : Thu Jul 12 2001 - 11:32:26 PDT