Intrusion Detection Systems: RE: connection request to port 25

RE: connection request to port 25

From: Harris, Tim <tharris_at_ocair.com>
Date: Mon, 19 Jun 2000 10:19:49 -0700

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo_at_uow.edu.au

Can you get any useful information by attempting your own connection to that
port? For example a telnet to it?

-----Original Message-----
From: Joe Dauncey [mailto:toothbrushhead_at_yahoo.com]
Sent: Sunday, June 18, 2000 10:02 AM
To: SHAIFUL HASHIM
Cc: ids_at_uow.edu.au
Subject: Re: IDS: connection request to port 25

This sounds like an attempted SYN attack. Though I would have thought that
for it to be successful the impact should be much more noticeable.

Joe

SHAIFUL HASHIM wrote:

> Hi all,
>
> I believed one of the workstations in my university has been compromised. I've
> monitored any connection from outside to the machine using snort. What I've
> got are overwhelming connection requests to port 25 with SYN bit set from
> multiple hosts. Currently the mail has not been used much but the logs have
> shown that the mail port is very active. Can you tell me what sort of attack
> this might be and what is possibly going on?
>
> Thanks
> Shaiful
> UKM
Received on Jun 19 2000
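
As an added example (not part of any post in this thread): one way to test the SYN-attack guess against captured packets is to count, per source, how many connections to port 25 ever complete the TCP handshake. The record format, addresses and function names are constructed for illustration and are not Snort's output format.

```python
from collections import defaultdict

# Constructed sample records (not real Snort output), one packet per line:
# "<seconds> <src_ip>:<src_port> > <dst_ip>:<dst_port> <TCP flags>"
SAMPLE = """\
0.00 198.51.100.7:40001 > 192.0.2.10:25 S
0.01 192.0.2.10:25 > 198.51.100.7:40001 SA
0.02 198.51.100.7:40001 > 192.0.2.10:25 A
0.30 198.51.100.7:40001 > 192.0.2.10:25 PA
1.00 203.0.113.5:1025 > 192.0.2.10:25 S
1.00 192.0.2.10:25 > 203.0.113.5:1025 SA
1.01 203.0.113.5:1026 > 192.0.2.10:25 S
1.02 203.0.113.9:2000 > 192.0.2.10:25 S
1.03 203.0.113.9:2000 > 192.0.2.10:25 S
"""

def summarize(log, server="192.0.2.10", port=25):
    """Per source IP: count connection attempts and completed handshakes."""
    state = {}  # (src_ip, src_port) -> "syn" or "established"
    stats = defaultdict(lambda: {"attempts": 0, "completed": 0})
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        _, src, _, dst, flags = parts
        if dst != f"{server}:{port}":
            continue  # only client -> server packets matter here
        ip, sport = src.rsplit(":", 1)
        key = (ip, sport)
        if flags == "S":
            if key not in state:  # a retransmitted SYN is still one attempt
                state[key] = "syn"
                stats[ip]["attempts"] += 1
        elif ("A" in flags and not set(flags) & {"S", "R"}
              and state.get(key) == "syn"):
            state[key] = "established"  # client ACK completes the handshake
            stats[ip]["completed"] += 1
    return dict(stats)

def classify(stats):
    """Label each source by whether any of its handshakes completed."""
    return {ip: ("smtp-session" if s["completed"] else "half-open-only")
            for ip, s in stats.items()}

if __name__ == "__main__":
    for ip, label in sorted(classify(summarize(SAMPLE)).items()):
        print(ip, label)
```

Sources that only ever appear as half-open are consistent with a SYN flood or scan; sources that complete the handshake are actually talking to the mail service, which is the case where connecting to the port yourself and reading the mail logs is informative.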