From owner-freebsd-security Sun Jul 12 20:50:36 1998
Message-Id: <3.0.3.32.19980712205026.0077b070@mail.plstn1.sfba.home.com>
Date: Sun, 12 Jul 1998 20:50:26 -0700
To: "Hallam Oaks P/L list account", "sthaug@nethelp.no"
From: Ludwig Pummer
Subject: Re: DNS zone xfers from random(?) sites
Cc: "freebsd-security@FreeBSD.ORG"
In-Reply-To: <199807130205.MAA22491@mail.aussie.org>
Sender: owner-freebsd-security@FreeBSD.ORG

At 12:05 PM 7/13/98 +1000, Hallam Oaks P/L list account wrote:
>ipfw: 4110 Deny TCP 137.166.79.129:1878 139.130.xx.xxx:143 in via tun0
>ipfw: 4110 Deny TCP 137.166.79.129:1878 139.130.xx.xxx:143 in via tun0
>ipfw: 4110 Deny TCP 137.166.79.129:1904 139.130.xx.xxx:110 in via tun0
>ipfw: 4110 Deny TCP 137.166.79.129:1904 139.130.xx.xxx:110 in via tun0
>
>Exactly two of each. The total time between the first and last was no more
>than 40 seconds. Possibly generated by a program of some sort. No person
>outside our site has the authority to access our POP3, IMAP, or TELNET
>services.
>
>Does this pattern of port accesses seem familiar to anyone?

Yup. I've got them in my log going back to early April.
I'm only logging and denying POP3 and IMAP, though. And my port checks are
separated by 3 seconds.

--Ludwig Pummer
ludwigp@bigfoot.com
ICQ UIN: 692441
http://chipweb.home.ml.org
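An added example, not part of the original message or of FreeBSD: a small log summarizer that groups ipfw deny lines of the form quoted above by source address and flags sources that touched both mail ports discussed in the thread. The function names, the `MAIL_PORTS` table and the 192.0.2.10 line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches ipfw deny lines in the form quoted in the message. The destination
# address may be partly redacted ("139.130.xx.xxx"), so it is matched loosely.
LINE_RE = re.compile(
    r"ipfw:\s+\d+\s+Deny\s+\S+\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+\s+"
    r"[0-9x.]+:(?P<dport>\d+)\s+in\s+via\s+\S+"
)

# The four lines quoted in the message, plus one constructed line (192.0.2.10)
# standing in for unrelated traffic that touches a single port.
SAMPLE = """\
ipfw: 4110 Deny TCP 137.166.79.129:1878 139.130.xx.xxx:143 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1878 139.130.xx.xxx:143 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1904 139.130.xx.xxx:110 in via tun0
ipfw: 4110 Deny TCP 137.166.79.129:1904 139.130.xx.xxx:110 in via tun0
ipfw: 4110 Deny TCP 192.0.2.10:2001 139.130.xx.xxx:110 in via tun0
"""

MAIL_PORTS = {110: "POP3", 143: "IMAP"}  # the services named in the thread


def summarize(log_text):
    """Group denied packets by source and count attempts per destination port."""
    per_src = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            per_src[m["src"]][int(m["dport"])] += 1
    return {src: dict(ports) for src, ports in per_src.items()}


def mail_probers(summary, min_ports=2):
    """Return sources denied on at least min_ports distinct mail ports."""
    flagged = {}
    for src, ports in summary.items():
        hit = sorted(p for p in ports if p in MAIL_PORTS)
        if len(hit) >= min_ports:
            flagged[src] = [(MAIL_PORTS[p], ports[p]) for p in hit]
    return flagged


if __name__ == "__main__":
    for src, hits in mail_probers(summarize(SAMPLE)).items():
        print(src, ", ".join(f"{name} x{count}" for name, count in hits))
```

Because the quoted lines carry no timestamps, the sketch groups by source only; with full syslog lines the same grouping could be bounded to a time window.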