Intrusion Detection Systems mailing list archives
RE: connection request to port 25
From: Dennis.Bergstrom () capgemini se (Bergstrom, Dennis)
Date: Tue, 20 Jun 2000 08:36:38 +0200
Archive: http://msgs.securepoint.com/ids FAQ: http://www.ticm.com/kb/faq/idsfaq.html IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au

For it to be an attempted SYN-flood attack, the originating host IP addresses would be spoofed. Have you tried to track the IP addresses down? If they are real, the attack - if it indeed is an attack - is probably not a SYN flood.

Of course the SYN *should* be set in the first one of the three packets that make up a TCP handshake. You say that the logs show that the mail port is used. By this do you mean that the hosts that connect to tcp port 25 do the *full* TCP handshake (not just a SYN scan à la Nmap)?

Mail spoofing or relaying is what first comes to my mind. Btw, what SMTP software are you using?

Respect,
Dennis Bergstrom

*****************
DISCLAIMER: This unencrypted message has been intercepted and read by several intelligence agencies before you had the chance to read it.
*****************

-----Original Message-----
From: Harris, Tim [mailto:tharris () ocair com]
Sent: Monday, June 19, 2000 7:20 PM
To: SHAIFUL HASHIM
Cc: ids () uow edu au
Subject: RE: IDS: connection request to port 25

Can you get any useful information by attempting your own connection to that port? For example a telnet to it?

-----Original Message-----
From: Joe Dauncey [mailto:toothbrushhead () yahoo com]
Sent: Sunday, June 18, 2000 10:02 AM
To: SHAIFUL HASHIM
Cc: ids () uow edu au
Subject: Re: IDS: connection request to port 25

This sounds like an attempted SYN attack. Though I would have thought that for it to be successful the impact should be much more noticeable.

Joe

SHAIFUL HASHIM wrote:
Hi all,

I believe one of the workstations in my university has been compromised. I've monitored any connection from outside to the machine using snort. What I've got are overwhelming connection requests to port 25 with the SYN bit set from multiple hosts. Currently the mail has not been used much but the logs have shown that the mail port is very active. Can you tell me what sort of attack this might be and what is possibly going on?

Thanks
Shaiful
UKM

____________________________________________________________________
Get free email and a permanent address at http://www.netaddress.com/?N=1
__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com
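The distinction Dennis draws in the thread above (sources that only send SYNs, which a spoofed sender could do, versus sources that complete the three-way handshake and are therefore really reachable and really talking SMTP) can be checked mechanically from a packet log. The script below is an added example written for this page; it is not code from the thread, from snort, or from any other tool named here. It assumes a constructed, simplified one-packet-per-line log of the form "timestamp src:sport -> dst:dport FLAGS" (the sample lines and addresses are made up), tracks each client flow to tcp/25 through SYN, SYN-ACK and ACK, and then labels each source address as a full-handshake client (worth inspecting for relaying) or a SYN-only source (scan or flood pattern, address possibly spoofed).

```python
"""Classify sources hitting tcp/25 by whether they complete the TCP handshake.

Added example for the IDS thread; not the thread's or snort's own code.
Log format is a constructed simplification: "ts src:sport -> dst:dport FLAGS".
"""
from collections import defaultdict

MAIL_PORT = 25

# Constructed sample log (addresses and times are made up for this example).
# 10.1.1.5 and 198.51.100.9 complete the handshake; 203.0.113.7 never ACKs.
SAMPLE_LOG = """\
06/18-10:00:01 10.1.1.5:40001 -> 192.168.1.10:25 S
06/18-10:00:01 192.168.1.10:25 -> 10.1.1.5:40001 SA
06/18-10:00:01 10.1.1.5:40001 -> 192.168.1.10:25 A
06/18-10:00:02 10.1.1.5:40001 -> 192.168.1.10:25 PA
06/18-10:00:05 203.0.113.7:1025 -> 192.168.1.10:25 S
06/18-10:00:05 203.0.113.7:1026 -> 192.168.1.10:25 S
06/18-10:00:05 203.0.113.7:1027 -> 192.168.1.10:25 S
06/18-10:00:05 192.168.1.10:25 -> 203.0.113.7:1025 SA
06/18-10:00:05 192.168.1.10:25 -> 203.0.113.7:1026 SA
06/18-10:00:05 192.168.1.10:25 -> 203.0.113.7:1027 SA
06/18-10:00:06 198.51.100.9:5555 -> 192.168.1.10:25 S
06/18-10:00:06 192.168.1.10:25 -> 198.51.100.9:5555 SA
06/18-10:00:06 198.51.100.9:5555 -> 192.168.1.10:25 A
06/18-10:00:06 198.51.100.9:5555 -> 192.168.1.10:25 R
this line is junk and is skipped
"""


def parse_line(line):
    """Parse one log line into (src_ip, sport, dst_ip, dport, flags); None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "->":
        return None
    try:
        src_ip, sport = parts[1].rsplit(":", 1)
        dst_ip, dport = parts[3].rsplit(":", 1)
        return src_ip, int(sport), dst_ip, int(dport), parts[4]
    except ValueError:
        return None


def track_flows(lines, port=MAIL_PORT):
    """Walk the handshake state machine per client flow towards `port`.

    Flow key is (client_ip, client_port, server_ip). States: SYN (client sent
    SYN), SYNACK (server answered), ESTABLISHED (client ACKed the SYN-ACK).
    """
    flows = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src_ip, sport, dst_ip, dport, flags = rec
        if dport == port and "S" in flags and "A" not in flags:
            # Client -> server SYN: a new (or retried) half-open attempt.
            flows[(src_ip, sport, dst_ip)] = "SYN"
        elif sport == port and "S" in flags and "A" in flags:
            # Server -> client SYN-ACK: only meaningful after the SYN.
            key = (dst_ip, dport, src_ip)
            if flows.get(key) == "SYN":
                flows[key] = "SYNACK"
        elif dport == port and "A" in flags and "S" not in flags:
            # Client -> server ACK completes the three-way handshake. A spoofed
            # source never sees the SYN-ACK, so it cannot reach this state.
            key = (src_ip, sport, dst_ip)
            if flows.get(key) == "SYNACK":
                flows[key] = "ESTABLISHED"
    return flows


def summarize(flows):
    """Per client IP: attempts, completed handshakes, and half-open leftovers."""
    stats = defaultdict(lambda: {"attempts": 0, "completed": 0, "half_open": 0})
    for (client_ip, _, _), state in flows.items():
        s = stats[client_ip]
        s["attempts"] += 1
        if state == "ESTABLISHED":
            s["completed"] += 1
        else:
            s["half_open"] += 1
    return dict(stats)


def classify(stats, half_open_threshold=3):
    """Label each source the way the thread suggests reading the evidence."""
    verdicts = {}
    for ip, s in stats.items():
        if s["completed"] > 0:
            verdicts[ip] = "full handshake: real SMTP client, inspect the session for relaying"
        elif s["half_open"] >= half_open_threshold:
            verdicts[ip] = "SYN only: scan/flood pattern, source address may be spoofed"
        else:
            verdicts[ip] = "SYN only: too few attempts to judge"
    return verdicts


if __name__ == "__main__":
    stats = summarize(track_flows(SAMPLE_LOG.splitlines()))
    for ip, verdict in classify(stats).items():
        print(f"{ip:15} {stats[ip]}  {verdict}")
```

The half-open threshold is a hypothetical tuning knob: a legitimate mailer that retries a dropped SYN also shows a few half-open flows, so the useful signal is many half-open flows with no completed handshake from the same source, not any single SYN. Sources in the "full handshake" bucket answer Dennis's second question (they really do talk to the mail port) and are the ones whose SMTP sessions should be checked for open-relay abuse.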
