Hi dudes, I don't know if this is the right mailing list. I am receiving a lot of smtp, pop3, and http connection attempts from our checkpoint firewall-1 external IP to my other public server. Below is the tcpdump. Is it an attack? I used port 25 only as BPF btw. But there are many connection attempts also originating from checkpoint to my other public servers.

01:24:49.777645 cpfw.20771 > antispam.remingtonltd.com.smtp: S 1715098950:1715098950(0) win 5840 <mss 1460,nop,nop,sackOK> (DF)
0000: 4500 0030 9fc1 4000 7f06 ee00 41c0 7541 E..0.Á@...î.AÀuA
0010: 41c0 7544 5123 0019 663a 5546 0000 0000 AÀuDQ#..f:UF....
0020: 7002 16d0 f18c 0000 0204 05b4 0101 0402 p..Ðñ......´....
01:24:49.777760 antispam.remingtonltd.com.smtp > cpfw.20771: S 2880971570:2880971570(0) ack 1715098951 win 17520 <mss 1460,nop,nop,sackOK> (DF)
0000: 4500 0030 59f4 4000 4006 72ce 41c0 7544 E..0Yô@.@.rÎAÀuD
0010: 41c0 7541 0019 5123 abb8 2332 663a 5547 AÀuA..Q#«¸#2f:UG
0020: 7012 4470 f4f0 0000 0204 05b4 0101 0402 p.Dpôð.....´....
01:24:49.778486 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 1 win 5840 (DF)
0000: 4500 0028 9fc2 4000 7f06 ee07 41c0 7541 E..(.Â@...î.AÀuA
0010: 41c0 7544 5123 0019 663a 5547 abb8 2333 AÀuDQ#..f:UG«¸#3
0020: 5010 16d0 4f55 0000 0000 0000 0000 P..ÐOU........
01:24:49.781016 antispam.remingtonltd.com.smtp > cpfw.20771: P 1:107(106) ack 1 win 17520 (DF)
0000: 4500 0092 21f2 4000 4006 aa6e 41c0 7544 E...!ò@.@.ªnAÀuD
0010: 41c0 7541 0019 5123 abb8 2333 663a 5547 AÀuA..Q#«¸#3f:UG
0020: 5018 4470 960f 0000 3232 3020 616e 7469 P.Dp....220 anti
0030: 7370 616d 2e72 656d 696e 6774 6f6e 6c74 spam.remingtonlt
0040: 642e 636f 6d20 4553 4d54 5020 5365 7276 d.com ESMTP Serv
0050: 6572 er
01:24:49.781930 cpfw.20771 > antispam.remingtonltd.com.smtp: P 1:7(6) ack 107 win 5734 (DF)
0000: 4500 002e 9fc3 4000 7f06 ee00 41c0 7541 E....Ã@...î.AÀuA
0010: 41c0 7544 5123 0019 663a 5547 abb8 239d AÀuDQ#..f:UG«¸#.
0020: 5018 1666 a793 0000 5155 4954 0d0a P..f§...QUIT..
01:24:49.781990 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 7 win 17514 (DF)
0000: 4500 0028 5ad7 4000 4006 71f3 41c0 7544 E..(Z×@.@.qóAÀuD
0010: 41c0 7541 0019 5123 abb8 239d 663a 554d AÀuA..Q#«¸#.f:UM
0020: 5010 446a 214b 0000 P.Dj!K..
01:24:49.782264 antispam.remingtonltd.com.smtp > cpfw.20771: P 107:116(9) ack 7 win 17520 (DF)
0000: 4500 0031 799a 4000 4006 5327 41c0 7544 E..1y.@.@.S'AÀuD
0010: 41c0 7541 0019 5123 abb8 239d 663a 554d AÀuA..Q#«¸#.f:UM
0020: 5018 4470 0c5b 0000 3232 3120 4279 650d P.Dp.[..221 Bye.
0030: 0a .
01:24:49.782313 antispam.remingtonltd.com.smtp > cpfw.20771: F 116:116(0) ack 7 win 17520 (DF)
0000: 4500 0028 2ffa 4000 4006 9cd0 41c0 7544 E..(/ú@.@..ÐAÀuD
0010: 41c0 7541 0019 5123 abb8 23a6 663a 554d AÀuA..Q#«¸#¦f:UM
0020: 5011 4470 213b 0000 P.Dp!;..
01:24:49.783043 cpfw.20771 > antispam.remingtonltd.com.smtp: . ack 117 win 5725 (DF)
0000: 4500 0028 9fc4 4000 7f06 ee05 41c0 7541 E..(.Ä@...î.AÀuA
0010: 41c0 7544 5123 0019 663a 554d abb8 23a7 AÀuDQ#..f:UM«¸#§
0020: 5010 165d 4f4e 0000 0000 0000 0000 P..]ON........
01:24:49.878137 cpfw.20771 > antispam.remingtonltd.com.smtp: F 7:7(0) ack 117 win 5725 (DF)
0000: 4500 0028 9ffb 4000 7f06 edce 41c0 7541 E..(.û@...íÎAÀuA
0010: 41c0 7544 5123 0019 663a 554d abb8 23a7 AÀuDQ#..f:UM«¸#§
0020: 5011 165d 4f4d 0000 0000 0000 0000 P..]OM........
01:24:49.878197 antispam.remingtonltd.com.smtp > cpfw.20771: . ack 8 win 17520 (DF)
0000: 4500 0028 66c1 4000 4006 6609 41c0 7544 E..(fÁ@.@.f.AÀuD
0010: 41c0 7541 0019 5123 abb8 23a7 663a 554e AÀuA..Q#«¸#§f:UN
0020: 5010 4470 213a 0000 P.Dp!:..
01:24:49.878794 cpfw.20771 > antispam.remingtonltd.com.smtp: R 1715098958:1715098958(0) win 0
0000: 4500 0028 9ffd 0000 7f06 2dcd 41c0 7541 E..(.ý....-ÍAÀuA
0010: 41c0 7544 5123 0019 663a 554e 663a 554e AÀuDQ#..f:UNf:UN
0020: 5004 0000 798d 0000 0000 0000 0000 P...y.........

Please explain. Thanks.
neil camara (ronneilcat_private) - cc{na|sa}, mcse - pgp 0x777777B2
network/security engineer - dl := +1(847)2.21.0.224 cn := +1(847)9.80.17.53
echo "I love windows" | sed -e 's/wi/u/g' | cut -f1 -dd | \
awk '/u/ {printf("%s %s %six\n",$1,$2,$3)}'

--------------------------------------------------------------------------
---o0 Statement of Confidentiality 0o---
The contents of this message and its attachments and subsequent additions are strictly confidential and proprietary and intended solely for the addressee(s) hereof. If you are not the named addressee, or this message has been addressed to you in error, you are directed not to read, disclose, reproduce, distribute, disseminate or otherwise use this transmission. Delivery of this message to any other person other than the intended recipient(s) is not intended in any way to waive privilege or confidentiality. If you have received this transmission in error, please alert the sender by reply e-mail; we also request that you immediately delete this message and its attachments, if any.
----------------------------------------------------------------------------

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
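As an added illustration (not part of the original post, and not code from tcpdump or Check Point): a small decoder that rebuilds packets from pasted `tcpdump -x` hex lines, decodes the IPv4 and TCP headers and payload, and summarises what the exchange amounted to (handshake completed or not, server banner, commands sent by the connecting side, who closed with FIN or RST). The embedded DUMP is constructed by copying eight of the packets from the trace above; the function names and summary keys are my own. Two details from this kind of dump are handled explicitly: 40-byte packets carry Ethernet padding past the IP total length, and the 146-byte banner packet was cut by the snaplen (only 82 bytes captured), so the decoder trusts the IP total length rather than the number of bytes printed.

```python
import re
import struct
from collections import namedtuple
from typing import List

# One line of `tcpdump -x` output: 4-hex-digit offset, colon, up to eight groups of
# 2 or 4 hex digits. The 8-group cap stops the match before the trailing ASCII column.
HEX_LINE = re.compile(r"^\s*([0-9a-fA-F]{4}):((?:\s+(?:[0-9a-fA-F]{2}){1,2}){1,8})")
TCP_FLAGS = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))
Packet = namedtuple("Packet", "src dst sport dport seq ack flags total_len captured_len payload")

# Constructed sample: hex lines of eight packets copied from the trace in the post
# (summary lines omitted; the parser skips them anyway, so raw tcpdump -x text works too).
DUMP = """
0000: 4500 0030 9fc1 4000 7f06 ee00 41c0 7541
0010: 41c0 7544 5123 0019 663a 5546 0000 0000
0020: 7002 16d0 f18c 0000 0204 05b4 0101 0402
0000: 4500 0030 59f4 4000 4006 72ce 41c0 7544
0010: 41c0 7541 0019 5123 abb8 2332 663a 5547
0020: 7012 4470 f4f0 0000 0204 05b4 0101 0402
0000: 4500 0028 9fc2 4000 7f06 ee07 41c0 7541
0010: 41c0 7544 5123 0019 663a 5547 abb8 2333
0020: 5010 16d0 4f55 0000 0000 0000 0000
0000: 4500 0092 21f2 4000 4006 aa6e 41c0 7544
0010: 41c0 7541 0019 5123 abb8 2333 663a 5547
0020: 5018 4470 960f 0000 3232 3020 616e 7469 P.Dp....220 anti
0030: 7370 616d 2e72 656d 696e 6774 6f6e 6c74 spam.remingtonlt
0040: 642e 636f 6d20 4553 4d54 5020 5365 7276 d.com ESMTP Serv
0050: 6572 er
0000: 4500 002e 9fc3 4000 7f06 ee00 41c0 7541
0010: 41c0 7544 5123 0019 663a 5547 abb8 239d
0020: 5018 1666 a793 0000 5155 4954 0d0a P..f....QUIT..
0000: 4500 0031 799a 4000 4006 5327 41c0 7544
0010: 41c0 7541 0019 5123 abb8 239d 663a 554d
0020: 5018 4470 0c5b 0000 3232 3120 4279 650d P.Dp.[..221 Bye.
0030: 0a .
0000: 4500 0028 2ffa 4000 4006 9cd0 41c0 7544
0010: 41c0 7541 0019 5123 abb8 23a6 663a 554d
0020: 5011 4470 213b 0000
0000: 4500 0028 9ffd 0000 7f06 2dcd 41c0 7541
0010: 41c0 7544 5123 0019 663a 554e 663a 554e
0020: 5004 0000 798d 0000 0000 0000 0000
"""

def split_hexdumps(text: str) -> List[bytes]:
    """Rebuild raw packets from tcpdump -x text; a new packet starts when the offset returns to 0."""
    packets, cur = [], bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # timestamp/summary lines and blank lines are skipped
        offset = int(m.group(1), 16)
        if offset == 0 and cur:
            packets.append(bytes(cur))
            cur = bytearray()
        if offset != len(cur):
            raise ValueError(f"offset {offset:#06x} does not continue the previous line")
        cur += bytes.fromhex("".join(m.group(2).split()))
    if cur:
        packets.append(bytes(cur))
    return packets

def decode_ipv4_tcp(raw: bytes) -> Packet:
    """Decode IPv4 and TCP headers (no link-layer header, as tcpdump -x prints them)."""
    if raw[0] >> 4 != 4 or raw[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    ihl = (raw[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", raw, 2)[0]
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    sport, dport, seq, ack, off_flags = struct.unpack_from("!HHIIH", raw, ihl)
    flags = [name for bit, name in TCP_FLAGS if off_flags & bit]
    # Short frames carry Ethernet padding past total_len; long ones may be cut by snaplen.
    captured = min(len(raw), total_len)
    payload = raw[ihl + (off_flags >> 12) * 4:captured]
    return Packet(src, dst, sport, dport, seq, ack, flags, total_len, captured, payload)

def summarize(packets: List[Packet]) -> dict:
    """What the exchange amounted to; the client is the source of the first packet."""
    client = packets[0].src
    syn = any(p.flags == ["SYN"] and p.src == client for p in packets)
    synack = any(p.flags == ["SYN", "ACK"] and p.dst == client for p in packets)
    ack = any(p.flags == ["ACK"] and p.src == client for p in packets)
    out = {"handshake": syn and synack and ack, "banner": "", "client_commands": [],
           "closed_by": [], "truncated": 0}
    for p in packets:
        text = p.payload.decode("ascii", "replace").strip()
        if text.startswith("220") and p.dst == client and not out["banner"]:
            out["banner"] = text
        if text and p.src == client:
            out["client_commands"].append(text)
        out["closed_by"] += [("client " if p.src == client else "server ") + f
                             for f in ("FIN", "RST") if f in p.flags]
        out["truncated"] += int(p.captured_len < p.total_len)
    return out

def analyse(text: str) -> dict:
    """Parse, decode and summarise pasted tcpdump -x output in one call."""
    return summarize([decode_ipv4_tcp(raw) for raw in split_hexdumps(text)])
```

Running `analyse(DUMP)` on the packets from the post reports a completed three-way handshake, the banner `220 antispam.remingtonltd.com ESMTP Server` from the mail host, a single `QUIT` from the firewall side, and a close by server FIN followed by a client RST, with one packet (the banner) truncated by the snaplen. That summary is the shape a reviewer wants before deciding whether a repeated connect-and-quit on port 25 is a probe or a legitimate availability check: the decoder does not make that call, it just makes the payload and flag sequence visible without reading hex by hand.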
This archive was generated by hypermail 2b30 : Mon Jan 28 2002 - 10:07:58 PST