Hi,

I've been seeing, over the past week, a constant stream of odd connection attempts to two of my machines. The firewall logs show things like (where A,B,C,D are addresses in quite separate address spaces and X is the local machine):

    A:1200 X:41000
    A:1200 X:41000
    A:1200 X:41000
    B:1340 X:41001
    B:1340 X:41001
    B:1340 X:41001
    C:2100 X:41002
    C:2100 X:41002
    C:2100 X:41002
    D:1130 X:41003
    D:1130 X:41003
    D:1130 X:41003

(all TCP)

i.e. we're receiving connection attempts from quite varied addresses (all types of UK dialup and ADSL, the odd ac.uk and even some .edu) always to the same machine from random high ports to a monotonically increasing destination port. However, the destination port seems a bit of an odd one to be trying to connect to.

I 'investigated' some of the connecting machines and what I can tell from those that were on static IPs is that they are Windows machines (surprise!) running a whole gamut of services including netbios-ns, ldap and irc-serv as well as dns and http etc etc. And stateless firewalls.

Basically, has anyone seen this sort of thing before? And if so what form of exploit is it attempting? It's all bouncing off the firewall atm and is pretty low traffic so I'm not overly concerned, just puzzled.

Cheers,
JB

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
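An added example, not part of the original post: one way to pull the pattern described above (a different source each time, destination port rising by one) out of a firewall log. It assumes the log is time-ordered, already filtered to dropped TCP attempts, and uses the post's "source:port destination:port" layout; the function names and sample addresses are constructed for illustration.

```python
from itertools import groupby

# Constructed sample in the post's "source:port destination:port" layout,
# using documentation address ranges; not taken from any real log.
SAMPLE = """\
192.0.2.10:1200 203.0.113.5:41000
192.0.2.10:1200 203.0.113.5:41000
192.0.2.10:1200 203.0.113.5:41000
198.51.100.7:1340 203.0.113.5:41001
198.51.100.7:1340 203.0.113.5:41001
198.51.100.7:1340 203.0.113.5:41001
192.0.2.99:2100 203.0.113.5:41002
192.0.2.99:2100 203.0.113.5:41002
198.51.100.200:1130 203.0.113.5:41003
192.0.2.50:4000 203.0.113.5:22
"""

def parse(text):
    """Yield (src_ip, src_port, dst_ip, dst_port) per non-blank line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        yield sip, int(sport), dip, int(dport)

def collapse_retries(events):
    """Merge consecutive identical 4-tuples (assumed retries of one attempt)."""
    return [key for key, _ in groupby(events)]

def sequential_runs(attempts, min_len=3):
    """Find runs where successive attempts hit the same destination host on
    dst_port+1 from a different source address each time."""
    runs, run = [], []
    for a in attempts:
        if run and a[2] == run[-1][2] and a[3] == run[-1][3] + 1 and a[0] != run[-1][0]:
            run.append(a)
        else:
            if len(run) >= min_len:
                runs.append(run)
            run = [a]
    if len(run) >= min_len:
        runs.append(run)
    return runs

if __name__ == "__main__":
    for run in sequential_runs(collapse_retries(parse(SAMPLE))):
        print(f"{run[0][2]}: ports {run[0][3]}-{run[-1][3]} from {len({a[0] for a in run})} sources")
```

A single host walking ports in order (an ordinary port scan) is deliberately not reported, since the source-changes-every-step condition is what distinguishes the traffic in the post.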
This archive was generated by hypermail 2b30 : Sat Jan 19 2002 - 12:21:02 PST