Security Incidents mailing list archives

Recon from Pakistan
From: JNelson () CMCCONTROLS COM (CL: Nelson, Jeff)
Date: Tue, 29 Feb 2000 15:14:51 -0500


Good afternoon all,

I was going through yesterday's logs and found we had been scanned via
sunrpc from some individual in Pakistan. Here is a sample of the log:

Feb 28 15:58:51 [1.1.1.1] 4400915: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 63.70.25.75(2666) -> 1.1.1.9(111), 1 packet
Feb 28 16:02:40 [1.1.1.1] 4401657: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 63.70.25.75(2666) -> 1.1.1.19(111), 1 packet
Feb 28 16:04:34 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied
from 63.70.25.75/2666 to 5.5.5.151/111 flags SYN
Feb 28 16:04:35 [1.1.1.1] 4401766: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 63.70.25.75(2666) -> 1.1.1.24(111), 1 packet
Feb 28 16:04:35 [1.1.1.1] 4401768: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 1.1.1.24(111) -> 63.70.25.75(2666), 1 packet
Feb 28 16:06:06 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied
from 63.70.25.75/2666 to 5.5.5.75/111 flags SYN
Feb 28 16:06:07 [1.1.1.1] 4401850: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 63.70.25.75(2666) -> 1.1.1.28(111), 1 packet
Feb 28 16:06:07 [1.1.1.1] 4401852: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 1.1.1.28(111) -> 63.70.25.75(2666), 1 packet
Feb 28 16:11:25 [5.5.5.243] %PIX-7-106011: Deny self route tcp src
outside:63.70.25.75/2666 dst outside:1.1.1.42/111
Feb 28 16:11:26 [1.1.1.1] 4402156: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 63.70.25.75(2666) -> 1.1.1.42(111), 1 packet
Feb 28 16:11:48 [5.5.5.243] %PIX-7-106011: Deny self route tcp src
outside:63.70.25.75/2666 dst outside:1.1.1.43/111
Feb 28 16:11:49 [1.1.1.1] 4402188: %SEC-6-IPACCESSLOGP: list 110 permitted
tcp 63.70.25.75(2666) -> 1.1.1.43(111), 1 packet
Feb 28 16:38:00 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied
from 63.70.25.75/2666 to 5.5.5.219/111 flags SYN

The 1.1.1 addresses are our external, the 5.5.5 are our internal. My
question is this. What is he doing to discover my internal ip addresses? We
are doing NAT, so the external responses are from open/active tcp sessions,
or so I am assuming. What app is he using to do this?

Cheers,

Jeff

<<<<<<<<<<<<<<<<<<<<<<<<<<
Jeffrey L. Nelson        | Cleveland Motion Controls
Network Manager          | 7550 Hub Parkway
                         | Cleveland, Ohio 44125
jnelson () cmccontrols com  | 216-642-5147
<<<<<<<<<<<<<<<<<<<<<<<<<<
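
The log sample above mixes three message formats: the router's `%SEC-6-IPACCESSLOGP` ACL hits and the PIX `106001` and `106011` denies. The following Python is an added example, not part of the original post: it normalizes all three formats and reports, per source address, which hosts were probed on port 111, which source ports were used, and which hosts sent packets back. The function names `parse` and `summarize` and the `min_targets` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Excerpt of the log sample in the post, with the wrapped lines rejoined.
SAMPLE = """\
Feb 28 15:58:51 [1.1.1.1] 4400915: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.9(111), 1 packet
Feb 28 16:04:34 [5.5.5.243] %PIX-2-106001: Inbound TCP connection denied from 63.70.25.75/2666 to 5.5.5.151/111 flags SYN
Feb 28 16:04:35 [1.1.1.1] 4401766: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.24(111), 1 packet
Feb 28 16:04:35 [1.1.1.1] 4401768: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 1.1.1.24(111) -> 63.70.25.75(2666), 1 packet
Feb 28 16:11:25 [5.5.5.243] %PIX-7-106011: Deny self route tcp src outside:63.70.25.75/2666 dst outside:1.1.1.42/111
Feb 28 16:11:26 [1.1.1.1] 4402156: %SEC-6-IPACCESSLOGP: list 110 permitted tcp 63.70.25.75(2666) -> 1.1.1.42(111), 1 packet
"""

# One pattern per message type that appears in the post's sample.
PATTERNS = [
    ("acl-permit", re.compile(r"IPACCESSLOGP: list \d+ permitted tcp (\S+?)\((\d+)\) -> (\S+?)\((\d+)\)")),
    ("pix-deny", re.compile(r"PIX-2-106001: .*? from (\S+?)/(\d+) to (\S+?)/(\d+)")),
    ("pix-selfroute", re.compile(r"PIX-7-106011: .*? src \w+:(\S+?)/(\d+) dst \w+:(\S+?)/(\d+)")),
]

def parse(line):
    """Return (kind, src, sport, dst, dport) for a known message, else None."""
    for kind, rx in PATTERNS:
        m = rx.search(line)
        if m:
            src, sport, dst, dport = m.groups()
            return kind, src, int(sport), dst, int(dport)
    return None

def summarize(log, port=111, min_targets=3):
    """Per source: hosts probed on `port`, source ports used, hosts that replied."""
    probes, sports, replies = defaultdict(set), defaultdict(set), defaultdict(set)
    for rec in map(parse, log.splitlines()):
        if rec is None:
            continue
        _kind, src, sport, dst, dport = rec
        if dport == port:            # packet toward the service port
            probes[src].add(dst)
            sports[src].add(sport)
        elif sport == port:          # packet coming back from the service port
            replies[dst].add(src)
    # Only report sources that touched at least `min_targets` distinct hosts.
    return {src: {"targets": sorted(t), "source_ports": sorted(sports[src]),
                  "answered": sorted(replies[src])}
            for src, t in probes.items() if len(t) >= min_targets}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The `answered` list is the part worth reviewing first: it names the hosts from which list 110 let port 111 traffic back out to the scanning address.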

