Hello John,

Have you looked into whether your host X is advertising a service on the ports in question? A game server or some such.

Also what is the timing between packets from a given host? How about between different hosts' attempts? Does that vary or is it fairly consistent?

Does a source address repeat itself? If so, is there a pattern in the source ports used? Are there any patterns in the source ports used by the different sources?

Regards,
Jim

At 6:37 PM +0000 1/19/02, John Bland wrote:
>Hi,
>
>I've been seeing, over the past week, a constant stream of odd connection attempts to two of my machines. The firewall logs show things like (where A, B, C, D are addresses in quite separate address spaces and X is the local machine):
>
>A:1200 X:41000
>A:1200 X:41000
>A:1200 X:41000
>B:1340 X:41001
>B:1340 X:41001
>B:1340 X:41001
>C:2100 X:41002
>C:2100 X:41002
>C:2100 X:41002
>D:1130 X:41003
>D:1130 X:41003
>D:1130 X:41003
>(all TCP)
>
>i.e. we're receiving connection attempts from quite varied addresses (all types of UK dialup and ADSL, the odd ac.uk and even some .edu), always to the same machine, from random high ports to a monotonically increasing destination port. However, the destination port seems a bit of an odd one to be trying to connect to.
>
>I 'investigated' some of the connecting machines and what I can tell from those that were on static IPs is that they are Windows machines (surprise!) running a whole gamut of services including netbios-ns, ldap and irc-serv as well as dns and http etc etc. And stateless firewalls.
>
>Basically, has anyone seen this sort of thing before? And if so what form of exploit is it attempting? It's all bouncing off the firewall atm and is pretty low traffic so I'm not overly concerned, just puzzled.
>
>Cheers,
> JB
>
>----------------------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com

--
|* Jim Hoagland, Associate Researcher, Silicon Defense *|
|* --- Silicon Defense: IDS Solutions --- *|
|* hoaglandat_private, http://www.silicondefense.com/ *|
|* Voice: (530) 756-7317 Fax: (530) 756-7297 *|
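The questions Jim raises (tries per source, timing between them, source-port reuse, whether the destination port steps up by one) can be checked mechanically against the firewall log. The following is an added example, not code from either poster; it assumes an ISO timestamp prefix on each log line, which John's excerpt does not include, and the sample lines are constructed to mirror his pattern.

```python
"""Analyse repeated inbound TCP connection attempts from a firewall log.
Added example, not part of the original list post. The sample lines mirror
the pattern John described (three tries per source, destination port
climbing by one); the timestamps are assumed, the post gave none.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's "SRC:sport DST:dport" shape, with an
# assumed ISO timestamp prefix so inter-arrival timing can be checked.
SAMPLE_LOG = """\
2002-01-19T18:00:00 A:1200 X:41000
2002-01-19T18:00:03 A:1200 X:41000
2002-01-19T18:00:09 A:1200 X:41000
2002-01-19T18:05:00 B:1340 X:41001
2002-01-19T18:05:03 B:1340 X:41001
2002-01-19T18:05:09 B:1340 X:41001
2002-01-19T18:11:00 C:2100 X:41002
2002-01-19T18:11:03 C:2100 X:41002
2002-01-19T18:11:09 C:2100 X:41002
"""

def parse(log):
    """Yield (timestamp, src, sport, dst, dport) for each non-empty line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        shost, sport = src.rsplit(":", 1)
        dhost, dport = dst.rsplit(":", 1)
        yield datetime.fromisoformat(ts), shost, int(sport), dhost, int(dport)

def summarise(log):
    """Answer the questions asked above: tries per source, gaps between
    them (an unanswered SYN plus its retransmits shows up as a few packets
    seconds apart), whether each source sticks to one source port, and
    whether successive sources hit the next destination port in turn."""
    tries = defaultdict(list)  # src -> [(ts, sport, dport)] in log order
    for ts, src, sport, _, dport in parse(log):
        tries[src].append((ts, sport, dport))
    per_source = {}
    for src, rows in tries.items():
        gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(rows, rows[1:])]
        per_source[src] = {"attempts": len(rows), "gaps_s": gaps,
                           "single_sport": len({r[1] for r in rows}) == 1,
                           "dports": sorted({r[2] for r in rows})}
    first_dports = [rows[0][2] for rows in tries.values()]
    monotonic = all(b == a + 1 for a, b in zip(first_dports, first_dports[1:]))
    return per_source, monotonic
```

Consistent 3 s / 6 s gaps with a fixed source port per host point at a client retrying one failed connect rather than a deliberate sweep, which is the distinction the questions above are aiming at.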
This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 10:46:00 PST