Security Incidents
mailing list archives
Re: Port 119 Scans
From: Andreas Hasenack <andreas () netbank com br>
Date: Sun, 29 Jul 2001 15:18:52 -0300
On Fri, Jul 27, 2001 at 10:58:53PM +0200, Tom Laermans wrote:
> I'm seeing a lot of port 199 scans lately (very many the last week) .. Is
> there some sort of news server exploit out? Or am I the only one seeing this?
I saw a burst one specific day, then no more. Let me see...
Yes, it was July 21st:
(btw, DST is dynamic)
(...)
Jul 21 17:42:53 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=18176 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 21 17:42:56 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=28160 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
Jul 21 17:43:02 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=55296 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0
(...)
and so on.
Another source IP was 200.245.53.55, also on July 21st, same pattern.
This probe was quite insistent, going on up to 9:00pm, even though I never sent a packet
back.
> I'm on ADSL with dynamic IP so I don't think they'd be targeting me
> personally.. I don't run a newsserver...
Same here. I then ran netcat on port 119 just to see what was going on, and
caught "group comp.alt.virus" or something like that, can't remember
right now, but certainly a "virus" newsgroup. I browsed that group for a
few minutes looking for something suspicious (like some sort of
automated posting), but found nothing peculiar (but I certainly didn't
see all messages there).
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
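Added example, not part of the original message: the three dropped SYNs quoted above share one source port and arrive 3 s and then 6 s apart, which is consistent with one unanswered connection attempt being retransmitted by the sender's TCP stack rather than three separate probes. The sketch below groups netfilter log lines by 4-tuple and checks for that doubling pattern; the function names are hypothetical and the year is assumed from the message date.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three log entries quoted in the post, each joined onto one line.
SAMPLE = [
    "Jul 21 17:42:53 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=18176 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Jul 21 17:42:56 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=28160 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0",
    "Jul 21 17:43:02 matro kernel: drop IN=ppp0 OUT= MAC= SRC=200.245.53.235 DST=200.181.137.51 LEN=48 TOS=0x00 PREC=0x00 TTL=120 ID=55296 DF PROTO=TCP SPT=1039 DPT=119 WINDOW=8192 RES=0x00 SYN URGP=0",
]

LINE = re.compile(r"^(\w{3} +\d+ [\d:]{8}) \S+ kernel: (.*)$")
FLAGS = re.compile(r"\b(SYN|ACK|FIN|RST|PSH|URG)\b")

def parse(line, year=2001):
    """Turn one netfilter LOG line into a dict of its KEY=value fields."""
    m = LINE.match(line.strip())
    if not m:
        return None
    rec = dict(re.findall(r"(\w+)=(\S*)", m.group(2)))
    rec["flags"] = set(FLAGS.findall(m.group(2)))
    # syslog timestamps carry no year, so it has to be supplied.
    rec["ts"] = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return rec

def syn_gaps(lines):
    """Map (SRC, SPT, DST, DPT) -> seconds between successive bare SYNs."""
    seen = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec.get("PROTO") == "TCP" and rec["flags"] == {"SYN"}:
            key = (rec["SRC"], rec["SPT"], rec["DST"], rec["DPT"])
            seen[key].append(rec["ts"])
    gaps = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps[key] = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
    return gaps

def is_retransmit_backoff(gaps):
    """True when every gap is roughly double the one before it."""
    pairs = list(zip(gaps, gaps[1:]))
    return bool(pairs) and all(a > 0 and 1.5 <= b / a <= 2.5 for a, b in pairs)

if __name__ == "__main__":
    for flow, gaps in syn_gaps(SAMPLE).items():
        kind = "retransmitted SYN" if is_retransmit_backoff(gaps) else "separate attempts"
        print(flow, gaps, kind)
```

Counting distinct 4-tuples instead of raw log lines gives a truer picture of how many connection attempts a source actually made.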