Security Incidents mailing list archives
Re: Portscan detected from your machine
From: kokyung () SINGNET COM SG (Koh Kok Yung)
Date: Sun, 18 Jun 2000 10:40:28 +0800
Dear Jens,

Thank you for the notice. I have received a few of these telling me that I have been sending spam and that I am trying to hack into their system. I have already informed SingNet and intend to make an official report to the relevant authorities. I would appreciate any information you can give me. I also plan to buy and install a firewall.

Thanks
Kok Yung

-----Original Message-----
From: jens () dialup rwth-aachen de [mailto:jens () dialup rwth-aachen de]On Behalf Of Jens Hektor
Sent: Sunday, June 18, 2000 4:59 AM
To: kokyung () singnet com sg; abuse () singnet com sg; security () singnet com sg
Cc: incidents () securityfocus com; info- () apnic net; apnic-dbm () apnic net
Subject: was: Portscan detected from your machine

Hello,

the following message was erroneously sent to you, because of wrong information at the APNIC center:

A whois query at APNIC for 212.63.44.1 gives:

inetnum: 210.24.27.0 - 255.255.255.224
etc ...

This is obviously incorrect, so APNIC has to correct its databases. The correct ISP in Germany was found and has been contacted.

Regards, Jens Hektor

---------------------------

Hello,

our intrusion detection facilities have detected a portscan from one of your machines. Portscans like this one usually precede concrete attacks towards our machine, therefore we consider this portscan as an "unfriendly act" against our computers.

We think that someone is misusing your system (usually the machines we notice portscans from are cracked). Check your system and ensure that this does not happen again.

Here follow the logs:

----------------------------------------
/var/log/advanced/local7.info:Jun 17 19:36:09 cisco-rz 40179: Jun 17 19:36:08.444 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(911) -> 134.130.27.9(111), 1 packet
/var/log/advanced/local7.info:Jun 17 19:36:19 cisco-rz 40185: Jun 17 19:36:18.064 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(1013) -> 137.226.112.21(111), 1 packet
/var/log/advanced/local7.info:Jun 17 19:36:39 cisco-rz 40186: Jun 17 19:36:38.068 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(904) -> 153.96.180.2(111), 1 packet
/var/log/advanced/local7.info:Jun 17 19:36:44 cisco-rz 40187: Jun 17 19:36:43.156 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(905) -> 153.96.180.2(111), 1 packet
/var/log/advanced/local7.info:Jun 17 19:36:49 cisco-rz 40188: Jun 17 19:36:48.676 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(1016) -> 137.226.144.3(111), 1 packet
/var/log/advanced/local7.info:Jun 17 19:37:18 cisco-rz 40194: Jun 17 19:37:17.079 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(771) -> 193.174.14.3(111), 1 packet
/var/log/advanced/local7.info:Jun 17 19:39:51 cisco-rz 40195: Jun 17 19:39:50.909 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(663) -> 194.94.252.3(111), 1 packet
/var/log/advanced/local7.info:Jun 17 19:39:57 cisco-rz 40196: Jun 17 19:39:56.012 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(666) -> 194.94.252.3(111), 1 packet
/var/log/advanced/local7.info:Jun 17 19:40:02 cisco-rz 40197: Jun 17 19:40:01.072 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(667) -> 194.94.253.3(111), 1 packet
/var/log/advanced/local7.info:Jun 17 19:41:53 cisco-rz 40198: Jun 17 19:41:52.386 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(904) -> 153.96.180.2(111), 1 packet
/var/log/advanced/local7.info:Jun 17 19:42:17 cisco-rz 40209: Jun 17 19:42:16.358 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(941) -> 195.37.137.10(111), 1 packet
/var/log/advanced/local7.info:Jun 17 19:42:27 cisco-rz 40210: Jun 17 19:42:26.470 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(942) -> 195.37.137.10(111), 1 packet
/var/log/advanced/local7.info:Jun 17 19:42:53 cisco-rz 40211: Jun 17 19:42:52.401 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(790) -> 193.174.14.3(111), 2 packets
/var/log/advanced/local7.info:Jun 17 19:44:53 cisco-rz 40217: Jun 17 19:44:52.431 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(663) -> 194.94.252.3(111), 1 packet
/var/log/advanced/local7.info:Jun 17 19:45:53 cisco-rz 40218: Jun 17 19:45:52.445 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(667) -> 194.94.253.3(111), 3 packets
/var/log/advanced/local7.info:Jun 17 19:47:53 cisco-rz 40219: Jun 17 19:47:52.475 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 212.63.44.1(941) -> 195.37.137.10(111), 2 packets
----------------------------------------

Local time is MET (GMT+1) or MEST (GMT+2) during daylight savings period.

Regards, Jens Hektor

--
Jens Hektor, RWTH Aachen, Rechenzentrum, Seffenter Weg 23, 52074 Aachen
Computing Center Technical University Aachen, firewalls/network security
mailto:hektor () RZ RWTH-Aachen DE, Tel.: +49 241 80 4866
Private: Rochusstr. 26, D52062 Aachen, Fon: +49 241 29888, Fax: % 29889
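
The following is an added example, not part of the original messages and not the detection tooling used at RWTH Aachen: it parses `%SEC-6-IPACCESSLOGP` deny lines in the format quoted above and flags any source that hit the same destination port on several distinct hosts, which is the pattern the quoted logs show for udp/111. The sample lines, the router name `rtr`, and the `min_targets` threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches the Cisco IOS ACL deny format quoted in the message above.
ACL_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?"
)

# Constructed sample lines using documentation address ranges (not the logs from the post).
SAMPLE_LOG = """\
Jun 17 19:36:09 rtr 101: Jun 17 19:36:08.444 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 192.0.2.7(911) -> 198.51.100.9(111), 1 packet
Jun 17 19:36:19 rtr 102: Jun 17 19:36:18.064 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 192.0.2.7(1013) -> 198.51.100.21(111), 1 packet
Jun 17 19:36:39 rtr 103: Jun 17 19:36:38.068 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 192.0.2.7(904) -> 203.0.113.2(111), 1 packet
Jun 17 19:41:53 rtr 104: Jun 17 19:41:52.386 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied udp 192.0.2.7(904) -> 203.0.113.2(111), 2 packets
Jun 17 19:42:10 rtr 105: Jun 17 19:42:09.100 MEZS: %SEC-6-IPACCESSLOGP: list 110 denied tcp 192.0.2.99(53211) -> 198.51.100.9(25), 1 packet
"""


def summarize_denies(text):
    """Group denied packets by (source, protocol, destination port)."""
    stats = defaultdict(lambda: {"targets": set(), "packets": 0})
    for line in text.splitlines():
        m = ACL_RE.search(line)
        if m is None:
            continue  # not an ACL deny line
        key = (m["src"], m["proto"], int(m["dport"]))
        stats[key]["targets"].add(m["dst"])
        stats[key]["packets"] += int(m["pkts"])  # repeat entries carry packet counts
    return stats


def find_scanners(text, min_targets=3):
    """Return sources that probed one port on at least min_targets distinct hosts."""
    return sorted(
        (src, proto, dport, len(s["targets"]), s["packets"])
        for (src, proto, dport), s in summarize_denies(text).items()
        if len(s["targets"]) >= min_targets
    )


if __name__ == "__main__":
    for src, proto, dport, hosts, pkts in find_scanners(SAMPLE_LOG):
        print(f"{src} probed {proto}/{dport} on {hosts} hosts ({pkts} packets denied)")
```
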