Hi all
On three separate reports (on the same day) from the admins of host "magpie" we got
> Jun 3 14:06:41 magpie telnetd[22385]: refused connect from pc253-177.ourdomain.com
"magpie" again
> Jun 3 13:41:43 magpie telnetd[21960]: refused connect from pc253-19.ourdomain.com
> Jun 3 13:42:04 magpie telnetd[22001]: refused connect from pc253-19.ourdomain.com
> Jun 3 13:44:37 magpie telnetd[22136]: refused connect from pc253-19.ourdomain.com
> Jun 3 18:05:42 magpie telnetd[25566]: refused connect from pc253-19.ourdomain.com
"krefti" and "magpie"
> Jun 3 13:41:08 krefti telnetd[7672]: refused connect from tin.ourdomain.com
> Jun 3 13:33:44 magpie telnetd[21859]: refused connect from tin.ourdomain.com
> Jun 3 13:35:17 magpie telnetd[21874]: refused connect from tin.ourdomain.com
So we have remote telnet connections from three of our hosts. I have not overruled the possibility that the three ourdomain hosts have been compromised, but unlikely.
It looks like a probe (perhaps using nmap with the -sS option to spoof the source address) - port 23 gets noticed since it's obviously wrappered. Unless it is some sort of host "bouncing/reflecting" from the real attacker to hosts "ourdomain" back to hosts magpie and krefti.
Can anyone explain this apparent activity or know the signature for this
attack?
Thanks
Joe
Received on Jun 05 2000
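For anyone triaging reports like the ones above, here is an added example (not from Joe's post or from any tool he mentions) that parses tcp_wrappers "refused connect" syslog lines and tallies them per source and reporting host, flagging sources that retry inside a short window. Note that tcp_wrappers only logs after the TCP handshake has completed, so the source shown is the host that actually completed the connection. The sample log is constructed to mirror the quoted entries; the year is assumed because syslog omits it.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample, modelled on the tcp_wrappers "refused connect" lines quoted in the post.
SAMPLE_LOG = """\
Jun  3 13:33:44 magpie telnetd[21859]: refused connect from tin.ourdomain.com
Jun  3 13:35:17 magpie telnetd[21874]: refused connect from tin.ourdomain.com
Jun  3 13:41:08 krefti telnetd[7672]: refused connect from tin.ourdomain.com
Jun  3 13:41:43 magpie telnetd[21960]: refused connect from pc253-19.ourdomain.com
Jun  3 13:42:04 magpie telnetd[22001]: refused connect from pc253-19.ourdomain.com
Jun  3 13:44:37 magpie telnetd[22136]: refused connect from pc253-19.ourdomain.com
Jun  3 14:06:41 magpie telnetd[22385]: refused connect from pc253-177.ourdomain.com
Jun  3 18:05:42 magpie telnetd[25566]: refused connect from pc253-19.ourdomain.com
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"\w+\[\d+\]: refused connect from (?P<src>\S+)$")

def parse_refused(log_text, year=2000):
    """Return (timestamp, reporting host, source) per line: syslog stamp, host, daemon[pid], source."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            stamp = " ".join(m["ts"].split())  # collapse syslog's day-padding spaces
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["host"], m["src"]))
    return events

def refusals_by_pair(events):
    """Refusal count per (source, reporting host); a source hitting several hosts stands out."""
    return Counter((src, host) for _, host, src in events)

def bursts(events, window_seconds=600):
    """Max refusals from one source on one host inside a sliding window (pairs with more than one)."""
    stamps = defaultdict(list)
    for ts, host, src in events:
        stamps[(src, host)].append(ts)
    result = {}
    for pair, times in stamps.items():
        times.sort()
        j, best = 0, 1
        for i, t in enumerate(times):
            while (t - times[j]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        if best > 1:
            result[pair] = best
    return result
```

Run over the real syslog files of every wrapped host together and the per-pair counts show whether one source is walking several hosts, which is the first thing to check before suspecting the source machines themselves.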