Hi Gregory, Hi Ice,

I found the same in my logfiles after downloading some files from an official SuSE mirror and asked the admin about that. It seems that our lovely scanlogd does not recognize ordinary ftp-transmissions...

Gregory, did you download some files from that server, the Talkline Internet FTP Server?

Ingo Reimann

ice9 wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Well, to me it looks like this guy was scanning for your RPC services (hence the high port numbers). Most likely, he's looking for a specific RPC service that he has acquired an exploit for, so this is probably a mass scan.
He also sourced the scan to port 20 (FTP-DATA) to give him a better chance of being let through a firewall.
The question is, were you running the RPC service this guy was looking for?
You also might want to let tli.de know that someone is port scanning from their mail server. (Most likely hacked as well)
Scott G. Danahy
- ----- Original Message -----
From: Gregory Conron <gconron@hfx.andara.com>
To: <suse-security@suse.com>
Sent: Saturday, September 11, 1999 9:04 PM
Subject: [suse-security] nmap

Hi all,

Seems I am getting scanned from 195.252.142.6. What can anyone tell me about the type of scan (aside from the fact s/he is using nmap) and the flags set? Something to worry about, or just someone scanning a block of IPs looking for a possible exploit? The log from /var/log/warn is attached below, and the address is mail.tli.de
Thanks, Gregory Conron
--- /var/log/warn
Sep 11 22:14:59 Lucia scanlogd: From 195.252.142.6:20 to 24.222.24.206 ports 2558, 2559, 2560, 2561, 2562, 2563, 2564, 2565, 2566, ..., flags ??r??u, TOS 08, TTL 236, started at 22:14:51
Sep 11 22:18:01 Lucia scanlogd: From 195.252.142.6:20 to 24.222.24.206 ports 4102, 4115, 4128, 4153, 4166, 4179, 4204, 4218, 4231, ..., flags ??r??u, TOS 08, TTL 236, started at 22:17:54
Sep 11 22:18:36 Lucia scanlogd: From 195.252.142.6:20 to 24.222.24.206 ports 4936, 4961, 4974, 4999, 1038, 1052, 1073, 1100, 1120, ..., flags ??r??u, TOS 08, TTL 236, started at 22:18:29
-- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
-----BEGIN PGP SIGNATURE----- Version: PGPfreeware 6.5.1 for non-commercial use <http://www.pgp.com>
iQA/AwUBN9wCZiXYR5yQ1RJFEQIeKQCfSOgxj8tWtbcmMS7p3Sde6p+ElMEAn3jS TbuS+AykPjESsJ8tr892gkmR =ev0u -----END PGP SIGNATURE-----
--
I. Reimann                  reimann@uni-muenster.de
Inst. fuer Angew. Physik    +49 251 83-33541 (fon)
Correnstr. 2-4              +49 251 83-33513 (fax)
D-48149 Muenster
Germany
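
Added example, not part of the original messages: a small Python triage of the scanlogd entries quoted above, separating reports that look like active-mode FTP data connections (source port 20 to unprivileged ports, as Ingo describes) from other scan reports. The `ftp_peers` set (servers this host actually had FTP sessions with) is an assumption; because a scanner can also source from port 20, as Scott notes, an entry only counts as FTP data when its peer is in that set.

```python
import re

# The three scanlogd entries quoted in the thread, embedded as sample input.
SAMPLE = """\
Sep 11 22:14:59 Lucia scanlogd: From 195.252.142.6:20 to 24.222.24.206 ports 2558, 2559, 2560, 2561, 2562, 2563, 2564, 2565, 2566, ..., flags ??r??u, TOS 08, TTL 236, started at 22:14:51
Sep 11 22:18:01 Lucia scanlogd: From 195.252.142.6:20 to 24.222.24.206 ports 4102, 4115, 4128, 4153, 4166, 4179, 4204, 4218, 4231, ..., flags ??r??u, TOS 08, TTL 236, started at 22:17:54
Sep 11 22:18:36 Lucia scanlogd: From 195.252.142.6:20 to 24.222.24.206 ports 4936, 4961, 4974, 4999, 1038, 1052, 1073, 1100, 1120, ..., flags ??r??u, TOS 08, TTL 236, started at 22:18:29
"""

ENTRY = re.compile(
    r"scanlogd: From (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+) "
    r"ports (?P<ports>[\d, ]+?)(?:, \.\.\.)?, flags (?P<flags>[^,\s]+), "
    r"TOS (?P<tos>[0-9a-fA-F]{2}), TTL (?P<ttl>\d+)"
)

def parse(line):
    """Return the fields of one scanlogd entry, or None for other lines."""
    m = ENTRY.search(line)
    if not m:
        return None
    e = m.groupdict()
    e["sport"] = int(e["sport"])
    e["ports"] = [int(p) for p in e["ports"].split(",")]
    e["tos"] = int(e["tos"], 16)  # 0x08 is the "maximize throughput" TOS value
    e["ttl"] = int(e["ttl"])
    return e

def triage(entry, ftp_peers=frozenset()):
    """Classify one entry. ftp_peers (assumed input): FTP servers we used."""
    # Active-mode FTP: server connects from port 20 to a client port >= 1024.
    from_ftp_data = entry["sport"] == 20 and min(entry["ports"]) >= 1024
    if from_ftp_data and entry["src"] in ftp_peers:
        return "ftp-data"            # matches a transfer we started
    if from_ftp_data:
        return "verify-ftp-session"  # port 20 alone does not prove a transfer
    return "scan"

def report(log_text, ftp_peers=frozenset()):
    """(source, first logged port, verdict) for each scanlogd entry."""
    entries = [e for e in map(parse, log_text.splitlines()) if e]
    return [(e["src"], e["ports"][0], triage(e, ftp_peers)) for e in entries]

if __name__ == "__main__":
    for row in report(SAMPLE, ftp_peers={"195.252.142.6"}):
        print(row)
```
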