Re: Port 119 Scans

From: Andreas Hasenack (andreasat_private)
Date: Sun Jul 29 2001 - 11:18:52 PDT


    On Fri, Jul 27, 2001 at 10:58:53PM +0200, Tom Laermans wrote:
    > I'm seeing a lot of port 199 scans lately (very many the last week) .. Is 
    > there some sort of news server exploit out? Or am I the only one seeing this?
    
    I saw a burst one specific day, then no more. Let me see...
    Yes, it was July 21st:
    
    (btw, DST is dynamic)
    
    (...)
    Jul 21 17:42:53 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=18176 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
    Jul 21 17:42:56 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=28160 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
    Jul 21 17:43:02 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=55296 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
    (...)
    and so on.
    Another source IP was 200.245.53.55, also on July 21st, same pattern.
    
    This probe was quite insistent, going on up to 9:00pm, even though I never sent a packet
    back.
    
    > I'm on ADSL with dynamic IP so I don't think they'd be targeting me 
    > personally.. I don't run a newsserver...
    
    Same here. I then ran netcat on port 119 just to see what was going on, and
    caught "group comp.alt.virus" or something like that, can't remember
    right now, but certainly a "virus" newsgroup. I browsed that group for a 
    few minutes looking for something suspicious (like some sort of 
    automated posting), but found nothing peculiar (but I certainly didn't 
    see all messages there).
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
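
An added example (not part of the original message or the list's tooling): a Python pass over netfilter LOG lines in the format quoted above that separates distinct connection attempts from retransmitted SYNs, since drops sharing SRC and SPT belong to one attempt being retried. The sample lines, host name, addresses and the `year` default are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the netfilter LOG format quoted above
# (documentation-range addresses, not the addresses from the message).
SAMPLE = """\
Jul 21 17:42:53 fw kernel: drop IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=120 PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 21 17:42:56 fw kernel: drop IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=120 PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 21 17:43:02 fw kernel: drop IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=120 PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 21 17:44:10 fw kernel: drop IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TTL=120 PROTO=TCP SPT=1040 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 21 17:50:00 fw kernel: drop IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.5 LEN=48 TTL=120 PROTO=TCP SPT=2210 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 21 17:51:00 fw kernel: accept IN=ppp0 OUT= MAC= SRC=192.0.2.77 DST=198.51.100.5 LEN=60 TTL=60 PROTO=TCP SPT=2300 DPT=22 WINDOW=5840 RES=0x00 ACK URGP=0
"""

STAMP = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")      # syslog timestamp (no year)
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")                     # KEY=value pairs
FLAG = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")         # bare TCP flag tokens


def parse(line, year=2001):
    """Return (timestamp, fields, flags) for one LOG line, or None if not a log line."""
    m = STAMP.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, dict(FIELD.findall(line)), set(FLAG.findall(line))


def summarize(text, port=119):
    """Per source: distinct attempts, total SYN packets, and retransmit gaps (seconds)."""
    flows = defaultdict(list)  # (SRC, SPT) -> timestamps of pure SYNs to `port`
    for line in text.splitlines():
        rec = parse(line)
        if not rec:
            continue
        ts, f, flags = rec
        if f.get("PROTO") == "TCP" and f.get("DPT") == str(port) and flags == {"SYN"}:
            flows[(f["SRC"], f["SPT"])].append(ts)
    report = {}
    for (src, _spt), stamps in flows.items():
        r = report.setdefault(src, {"attempts": 0, "packets": 0, "gaps": []})
        r["attempts"] += 1          # one source port = one connection attempt
        r["packets"] += len(stamps)
        r["gaps"] += [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return report

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Counting attempts rather than packets keeps one retried connection from looking like several probes when comparing sources.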
    


