From: Archie Cobbs
Message-Id: <199811040618.WAA20681@bubba.whistle.com>
Subject: Re: Is it an attack? Strange things logged by ipfw.
In-Reply-To: <363EBD86.74C9F6E2@sovlink.ru> from Alla Bezroutchko at "Nov 3, 98 11:23:34 am"
To: alla@sovlink.ru (Alla Bezroutchko)
Date: Tue, 3 Nov 1998 22:18:55 -0800 (PST)
Cc: security@FreeBSD.ORG

Alla Bezroutchko writes:
> I have an ipfw-based firewall and noticed peculiar connections in its
> logs. Maybe this is some new kind of attack? Any comments appreciated.
> Here are the logs:
>
> Nov 3 00:44:53 buddy /kernel: ipfw: 65534 Deny TCP a.b.c.d:50818
> aaa.aaa.aaa.aaa:1333 in via ex0
> Nov 3 01:12:51 buddy /kernel: ipfw: 65534 Deny TCP e.f.g.h:50818
> aaa.aaa.aaa.aaa:1565 in via ex0
> Nov 2 11:15:37 buddy /kernel: ipfw: 65534 Deny TCP i.j.k.l:50818
> aaa.aaa.aaa.aaa:1725 in via ex0
> Oct 20 04:20:03 buddy /kernel: ipfw: 65534 Deny TCP m.n.o.p:50818
> aaa.aaa.aaa.aaa:2349 in via ex0
> Oct 20 09:22:35 buddy /kernel: ipfw: 65534 Deny TCP q.r.s.t:50818
> aaa.aaa.aaa.aaa:1493 in via ex0
> Oct 19 04:35:01 buddy /kernel: ipfw: 65534 Deny TCP u.v.w.x:50818
> aaa.aaa.aaa.aaa:2465 in via ex0

One lesson I've learned over the years: never rule out broken
Windows machines :-)

-Archie

___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com