Odd connection attempts from many addresses

From: John Bland (shrikeat_private)
Date: Sat Jan 19 2002 - 10:37:51 PST


    
    Hi,
    
    I've been seeing, over the past week, a constant
    stream of odd connection attempts to two of my
    machines. The firewall logs show things like
    (where A,B,C,D are addresses in quite separate
    address spaces and X is the local machine):
    
    A:1200  X:41000
    A:1200  X:41000
    A:1200  X:41000
    B:1340  X:41001
    B:1340  X:41001
    B:1340  X:41001
    C:2100  X:41002
    C:2100  X:41002
    C:2100  X:41002
    D:1130  X:41003
    D:1130  X:41003
    D:1130  X:41003
    (all TCP)
    
    i.e. we're receiving connection attempts from quite
    varied addresses (all types of UK dialup and ADSL,
    the odd ac.uk and even some .edu) always to the
    same machine from random high ports to a
    monotonically increasing destination port.
    However, the destination port seems a bit of an
    odd one to be trying to connect to.
    
    I 'investigated' some of the connecting machines
    and what I can tell from those that were on static
    IPs is that they are Windows machines (surprise!)
    running a whole gamut of services including
    netbios-ns, ldap and irc-serv as well as dns and
    http etc etc. And stateless firewalls.
    
    Basically, has anyone seen this sort of thing
    before? And if so what form of exploit is it
    attempting? It's all bouncing off the firewall atm
    and is pretty low traffic so I'm not overly
    concerned, just puzzled.
    
    Cheers,
                   JB
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Sat Jan 19 2002 - 12:21:02 PST
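
The pattern described in the message (different sources, each retried a few times, stepping one host's destination port up by one) can be flagged directly from firewall logs. The following is an added example, not part of the original post: the log layout mirrors the post's abbreviated `SRC:SPORT  DST:DPORT` lines, and the sample addresses, the function names and the `min_sources` threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the post's "SRC:SPORT  DST:DPORT" layout; sources are
# RFC 5737 documentation addresses, not values from the original message.
SAMPLE_LOG = """\
192.0.2.10:1200  10.0.0.5:41000
192.0.2.10:1200  10.0.0.5:41000
192.0.2.10:1200  10.0.0.5:41000
198.51.100.7:1340  10.0.0.5:41001
198.51.100.7:1340  10.0.0.5:41001
203.0.113.44:2100  10.0.0.5:41002
203.0.113.44:2100  10.0.0.5:41002
192.0.2.99:1130  10.0.0.5:41003
198.51.100.20:3555  10.0.0.9:80
"""

LINE_RE = re.compile(r"^\s*(\S+):(\d+)\s+(\S+):(\d+)\s*$")

def parse(log_text):
    """Yield (src, sport, dst, dport) per well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4))

def find_port_walks(log_text, min_sources=3):
    """Return runs where changing sources hit one host on ports rising by 1."""
    per_dst = defaultdict(list)
    for src, sport, dst, dport in parse(log_text):
        attempts = per_dst[dst]
        # Collapse repeated identical attempts (the post shows three of each).
        if not attempts or attempts[-1] != (src, sport, dport):
            attempts.append((src, sport, dport))
    findings = []
    for dst, attempts in per_dst.items():
        run = attempts[:1]
        for prev, cur in zip(attempts, attempts[1:] + [None]):
            if cur and cur[2] == prev[2] + 1 and cur[0] != prev[0]:
                run.append(cur)
                continue
            if len({a[0] for a in run}) >= min_sources:
                findings.append({"dst": dst, "first_port": run[0][2],
                                 "last_port": run[-1][2],
                                 "sources": [a[0] for a in run]})
            run = [cur] if cur else []
    return findings
```

Calling `find_port_walks(SAMPLE_LOG)` reports the single walk against 10.0.0.5 and ignores the unrelated connection to 10.0.0.9.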