Re: Odd connection attempts from many addresses

From: James Hoagland (hoaglandat_private)
Date: Fri Jan 25 2002 - 09:27:20 PST


    Hello John,
    
    Have you looked into whether your host X is advertising a service on 
    the ports in question?  A game server or some such.
    
    Also, what is the timing between packets from a given host?  How about 
    between different hosts' attempts?  Does that vary or is it fairly 
    consistent?
    
    Does a source address repeat itself?  If so, is there a pattern in 
    the source ports used?  Are there any patterns in the source ports 
    used by the different sources?
    
    Regards,
    
       Jim
    
    At 6:37 PM +0000 1/19/02, John Bland wrote:
    >Hi,
    >
    >I've been seeing, over the past week, a constant
    >stream of odd connection attempts to two of my
    >machines. The firewall logs show things like
    >(where A,B,C,D are addresses in quite separate
    >address spaces and X is the local machine):
    >
    >A:1200  X:41000
    >A:1200  X:41000
    >A:1200  X:41000
    >B:1340  X:41001
    >B:1340  X:41001
    >B:1340  X:41001
    >C:2100  X:41002
    >C:2100  X:41002
    >C:2100  X:41002
    >D:1130  X:41003
    >D:1130  X:41003
    >D:1130  X:41003
    >(all TCP)
    >
    >i.e. we're receiving connection attempts from quite
    >varied addresses (all types of uk dialup and adsl,
    >the odd ac.uk and even some .edu) always to the
    >same machine from random high ports to a
    >monotonically increasing destination port.
    >However, the destination port seems a bit of an
    >odd one to be trying to connect to.
    >
    >I 'investigated' some of the connecting machines
    >and what I can tell from those that were on static
    >ips is that they are Windows machines (surprise!)
    >running a whole gamut of services including
    >netbios-ns, ldap and irc-serv as well as dns and
    >http etc etc. And stateless firewalls.
    >
    >Basically, has anyone seen this sort of thing
    >before? And if so what form of exploit is it
    >attempting? It's all bouncing off the firewall atm
    >and is pretty low traffic so I'm not overly
    >concerned, just puzzled.
    >
    >Cheers,
    >                JB
    >
    >----------------------------------------------------------------------------
    >This list is provided by the SecurityFocus ARIS analyzer service.
    >For more information on this free incident handling, management
    >and tracking system please see: http://aris.securityfocus.com
    
    
    -- 
    |*      Jim Hoagland, Associate Researcher, Silicon Defense      *|
    |*            --- Silicon Defense: IDS Solutions ---             *|
    |*  hoaglandat_private, http://www.silicondefense.com/  *|
    |*   Voice: (530) 756-7317                 Fax: (530) 756-7297   *|
    
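The checks Jim suggests (gaps between a single source's attempts, gaps between successive sources, whether a source keeps its source port, and whether the destination port really climbs by one per source) are easy to run over the firewall log itself. The script below is an added example, not code from either poster; the log lines are constructed to mirror the pattern quoted in the thread, with a timestamp and `->` separator that the original log excerpt does not show, plus an extra source E that behaves differently so the checks have something to disagree on. The hosts A, B, C, D, E and X are placeholders, as in the post.

```python
"""Pattern checks over firewall connection-attempt log lines.

Added example (not from the mailing-list thread). Assumes log lines of the
hypothetical form "YYYY-MM-DD HH:MM:SS SRC:SPORT -> DST:DPORT"; adjust LINE_RE
for a real firewall's format.
"""
import re
from collections import OrderedDict, defaultdict
from datetime import datetime

# Constructed sample: four sources each retrying three times from a fixed
# source port with 3 s then 6 s between tries, and one source (E) that retries
# every second from a fresh source port each time.
SAMPLE_LOG = """\
2002-01-19 18:00:00 A:1200 -> X:41000
2002-01-19 18:00:03 A:1200 -> X:41000
2002-01-19 18:00:09 A:1200 -> X:41000
2002-01-19 18:02:10 B:1340 -> X:41001
2002-01-19 18:02:13 B:1340 -> X:41001
2002-01-19 18:02:19 B:1340 -> X:41001
2002-01-19 18:04:30 C:2100 -> X:41002
2002-01-19 18:04:33 C:2100 -> X:41002
2002-01-19 18:04:39 C:2100 -> X:41002
2002-01-19 18:06:40 D:1130 -> X:41003
2002-01-19 18:06:43 D:1130 -> X:41003
2002-01-19 18:06:49 D:1130 -> X:41003
2002-01-19 18:09:00 E:3001 -> X:41004
2002-01-19 18:09:01 E:3002 -> X:41004
2002-01-19 18:09:02 E:3003 -> X:41004
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+)$"
)


def parse(text):
    """Return a time-sorted list of (ts, src, sport, dst, dport) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in another format rather than fail
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return sorted(events)


def gaps_seconds(timestamps):
    """Seconds between consecutive timestamps."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def looks_like_retransmit(gaps, tolerance=0.25):
    """True when each gap is roughly double the previous one (exponential
    backoff, the shape a single socket's SYN retransmissions take)."""
    if len(gaps) < 2:
        return False
    return all(abs(b - 2 * a) <= tolerance * 2 * a for a, b in zip(gaps, gaps[1:]))


def per_source_report(events):
    """Per source: attempt count, inter-attempt gaps, source-port reuse."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    report = OrderedDict()
    for src, evs in by_src.items():
        gaps = gaps_seconds(e[0] for e in evs)
        report[src] = {
            "attempts": len(evs),
            "gaps": gaps,
            "retransmit_like": looks_like_retransmit(gaps),
            "same_sport": len({e[2] for e in evs}) == 1,
            "dports": sorted({e[4] for e in evs}),
        }
    return report


def first_seen(events):
    """(timestamp, dport) of each source's first attempt, in time order."""
    seen = OrderedDict()
    for ev in events:
        seen.setdefault(ev[1], (ev[0], ev[4]))
    return seen


def dport_increments_by_one(events):
    """Does the destination port rise by exactly one per new source?"""
    ports = [dport for _, dport in first_seen(events).values()]
    return all(b == a + 1 for a, b in zip(ports, ports[1:]))


def inter_source_gaps(events):
    """Seconds between successive sources' first attempts."""
    return gaps_seconds(ts for ts, _ in first_seen(events).values())


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, r in per_source_report(evs).items():
        print(src, r)
    print("dport +1 per source:", dport_increments_by_one(evs))
    print("gaps between sources:", inter_source_gaps(evs))
```

The point of `looks_like_retransmit` is the caveat a practitioner wants before counting "three attempts per host": a single failed connect() from one socket resends its SYN from the same source port with a doubling timer, so three lines from A at 0 s, 3 s and 9 s are most likely one connection attempt logged three times, and the interesting frequency is how often a new source appears (`inter_source_gaps`), not the retries. Source E, with a new source port on each line and fixed one-second spacing, is what deliberate repeated probing tends to look like instead.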
    This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 10:46:00 PST