On Fri, Jul 27, 2001 at 10:58:53PM +0200, Tom Laermans wrote:
> I'm seeing a lot of port 199 scans lately (very many the last week) .. Is
> there some sort of news server exploit out? Or am I the only one seeing this?

I saw a burst one specific day, then no more. Let me see... Yes, it was July 21st:
(btw, DST is dynamic)

(...)
Jul 21 17:42:53 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=18176 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 21 17:42:56 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=28160 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 21 17:43:02 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=55296 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
(...)

and so on. Another source IP was 200.245.53.55, also on July 21st, same pattern. This probe was quite insistent, going on up to 9:00pm, even though I never sent a packet back.

> I'm on ADSL with dynamic IP so I don't think they'd be targeting me
> personally.. I don't run a newsserver...

Same here. I then ran netcat on port 119 just to see what was going on, and caught "group comp.alt.virus" or something like that, can't remember right now, but certainly a "virus" newsgroup. I browsed that group for a few minutes looking for something suspicious (like some sort of automated posting), but found nothing peculiar (but I certainly didn't see all messages there).

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
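
An added example (not part of the original post): a parser for netfilter log lines like the three quoted above, grouping dropped SYNs by source address and port pair and reporting the gaps between them. The year 2001 and the retry heuristic (same source port with non-decreasing gaps, as in TCP SYN retransmission backoff) are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three log lines quoted in the post above (kernel log prefix "drop").
SAMPLE = """\
Jul 21 17:42:53 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=18176 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 21 17:42:56 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=28160 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 21 17:43:02 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=55296 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
"""

HEADER = re.compile(r"(\w{3} +\d+ [\d:]{8}) \S+ kernel: ")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")            # KEY=value, value may be empty
FLAG = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")  # bare TCP flag words

def parse(line, year=2001):
    """Return (timestamp, fields, flags) for one log line, or None if it does not match."""
    m = HEADER.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; 2001 is assumed from the message date.
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    body = line[m.end():]
    return ts, dict(FIELD.findall(body)), set(FLAG.findall(body))

def summarize(text):
    """Group dropped pure-SYN packets by (SRC, SPT, DPT) and measure their spacing."""
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line)
        if rec and rec[2] == {"SYN"} and rec[1].get("PROTO") == "TCP":
            ts, f, _ = rec
            flows[(f["SRC"], int(f["SPT"]), int(f["DPT"]))].append(ts)
    out = {}
    for key, stamps in flows.items():
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        # Heuristic: one source port with growing gaps is a single connection
        # attempt being retransmitted, not several independent probes.
        retry = bool(gaps) and all(b >= a for a, b in zip(gaps, gaps[1:]))
        out[key] = {"syns": len(stamps), "gaps": gaps, "single_attempt_retries": retry}
    return out

if __name__ == "__main__":
    for flow, info in summarize(SAMPLE).items():
        print(flow, info)
```

Counting distinct (SRC, SPT) pairs rather than raw log lines gives the number of connection attempts, which is the figure to compare across days or sources.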
This archive was generated by hypermail 2b30 : Sun Jul 29 2001 - 12:53:02 PDT