|
Security Incidents
mailing list archives
Re: "Authentication" attempts??
From: Peter Moody <peter.moody () lutris com>
Date: Sun, 25 Mar 2001 22:21:55 -0800
While I don't have an exchange server running, I've seen a lot
of connection attempts to the auth or ident daemon (port 113) to various
machines inside my dmz (all of which get blocked by the pix fw).
I have come to the conclusion that a lot of mail servers employ
this very basic form of authentication.
-Peter
Los, Ralph wrote:
Perhaps someone could help me understand this...
I've been getting this from dozens of machines all accross the
Internet, aimed at one of my Exchange Server's private (NAT) address, coming
to port 113. As far as I know, port 113 is only used for IRC (Internet
Relay Chat) authentication...no?
<snip>
03/23/2001 16:49:08.480 - TCP connection dropped -
Source:<src-ip>, <src-prt>, Destination:192.168.34.2, 113
</snip>
The source IP's are completely random it seems, source ports are as well
(3105, 41259, 1931, 4675, 51134...and the list goes on). Does anyone know
what this would be? ...and perhaps WHY the target is my NAT address not the
public IP? Is this somehow tied to the mail server (Exchange 5.5) that is
the target?
Any insight is greatly appreciated,
Ralph M. Los
Sr. Internet Systems & Security Admin. (312) 827-3945 (direct)
EnvestNet Advisory Corp. (312) 296-9003 (wireless)
rlos () envestnet com
--
Peter Moody Systems Administrator
Lutris Technologies peter.moody () lutris com
:wq
 By Date 
By Thread
Current thread:
|
Intro
