From owner-freebsd-security Wed Nov 4 02:07:25 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id CAA28148 for freebsd-security-outgoing; Wed, 4 Nov 1998 02:07:25 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from buddy.sovlink.ru (buddy.sovlink.ru [194.186.12.9]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id CAA28121 for ; Wed, 4 Nov 1998 02:07:12 -0800 (PST) (envelope-from alla@sovlink.ru)
Received: from sovlink.ru (punk.sovlink.ru [194.186.12.133]) by buddy.sovlink.ru (8.9.1/8.9.1) with ESMTP id NAA02092 for ; Wed, 4 Nov 1998 13:10:57 +0300 (MSK)
Message-ID: <3640275A.C3D01E5C@sovlink.ru>
Date: Wed, 04 Nov 1998 13:07:22 +0300
From: Alla Bezroutchko
X-Mailer: Mozilla 4.5 [en] (WinNT; I)
X-Accept-Language: ru,en
MIME-Version: 1.0
To: security@FreeBSD.ORG
Subject: Re: Is it an attack? Strange things logged by ipfw - more on that
References:
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

CyberPsychotic wrote:

> ~ Nov 3 00:44:53 buddy /kernel: ipfw: 65534 Deny TCP a.b.c.d:50818
> ~ aaa.aaa.aaa.aaa:1333 in via ex0
> ~ Nov 3 01:12:51 buddy /kernel: ipfw: 65534 Deny TCP e.f.g.h:50818
> ~ aaa.aaa.aaa.aaa:1565 in via ex0
> ~ Nov 2 11:15:37 buddy /kernel: ipfw: 65534 Deny TCP i.j.k.l:50818
> ~ aaa.aaa.aaa.aaa:1725 in via ex0
> ~ Oct 20 04:20:03 buddy /kernel: ipfw: 65534 Deny TCP m.n.o.p:50818

Some recent investigations showed even more interesting things. There were connection attempts to three different IPs. One, as mentioned, doesn't belong to anything; another is a '95 box, and the third one is an HP printer. Every destination address corresponds to a source port. Source IPs are different, but some are used twice or thrice. Source ports used: 50818, 20330, 26157.
This has been logged since October 5th (maybe it started earlier; I kept logs only for a month) till yesterday, sometimes one probe in two or three days, sometimes four probes a day.

> Nothing will help brain-damaged windoze machines. :)

Checked. Some of the source IPs belong to 'doze machines, some don't. Brain-damaged unix? ;)

Ideas?

Alla.
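As an added example (not part of Alla's message and not FreeBSD code), here is a Python script that parses ipfw "Deny" lines in the format quoted above and groups them by source port. That grouping is the check behind the observation that every destination address corresponds to one source port: a source port that stays fixed across several unrelated senders is what distinguishes these probes from an ordinary client, whose kernel picks a fresh ephemeral port for each connection. The log lines embedded in the script are constructed: the addresses are RFC 5737 documentation ranges, the hostname, rule number and interface follow the quoted lines, and only the three source ports are taken from the post.

```python
"""Group ipfw "Deny" log lines by source port to spot fixed-source-port probes.

Added example; not code from the original post or from FreeBSD. The log
lines below are constructed in the one-line form ipfw writes to syslog
(the post shows them wrapped by the mailer). Addresses are RFC 5737
documentation ranges; only the three source ports come from the post.
"""
import re
from collections import Counter, defaultdict

# Format seen in the post (as one syslog line):
#   Nov  3 00:44:53 buddy /kernel: ipfw: 65534 Deny TCP a.b.c.d:50818 aaa.aaa.aaa.aaa:1333 in via ex0
IPFW_DENY = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ /kernel: ipfw: "
    r"(?P<rule>\d+) Deny (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)$"
)

# Constructed sample: three fixed-source-port probes, each to its own target,
# plus two lines from one host walking ephemeral ports (ordinary scan noise).
SAMPLE_LOG = """\
Oct 20 04:20:03 buddy /kernel: ipfw: 65534 Deny TCP 203.0.113.7:50818 192.0.2.10:1333 in via ex0
Nov  2 11:15:37 buddy /kernel: ipfw: 65534 Deny TCP 198.51.100.21:50818 192.0.2.10:1725 in via ex0
Nov  3 00:44:53 buddy /kernel: ipfw: 65534 Deny TCP 203.0.113.7:50818 192.0.2.10:1333 in via ex0
Nov  3 01:12:51 buddy /kernel: ipfw: 65534 Deny TCP 198.51.100.77:50818 192.0.2.10:1565 in via ex0
Nov  3 09:02:14 buddy /kernel: ipfw: 65534 Deny TCP 203.0.113.40:20330 192.0.2.11:1402 in via ex0
Nov  3 17:31:05 buddy /kernel: ipfw: 65534 Deny TCP 198.51.100.5:20330 192.0.2.11:1120 in via ex0
Nov  4 02:00:41 buddy /kernel: ipfw: 65534 Deny TCP 203.0.113.90:26157 192.0.2.12:1901 in via ex0
Nov  4 02:03:11 buddy /kernel: ipfw: 65534 Deny TCP 198.51.100.5:26157 192.0.2.12:1777 in via ex0
Nov  4 03:15:00 buddy /kernel: ipfw: 65534 Deny TCP 198.51.100.200:2049 192.0.2.10:111 in via ex0
Nov  4 03:15:01 buddy /kernel: ipfw: 65534 Deny TCP 198.51.100.200:2050 192.0.2.10:21 in via ex0
"""


def parse(lines):
    """Yield one dict per line that matches the ipfw Deny format; skip the rest."""
    for line in lines:
        m = IPFW_DENY.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("rule", "sport", "dport"):
                rec[key] = int(rec[key])
            yield rec


def by_source_port(records):
    """Group records by source port -> {sport: {srcs, dsts, dports, count}}."""
    groups = defaultdict(lambda: {"srcs": set(), "dsts": set(), "dports": [], "count": 0})
    for r in records:
        g = groups[r["sport"]]
        g["srcs"].add(r["src"])
        g["dsts"].add(r["dst"])
        g["dports"].append(r["dport"])
        g["count"] += 1
    return groups


def suspicious_source_ports(groups, min_sources=2):
    """Source ports reused by at least min_sources distinct senders.

    A normal client does not share one ephemeral source port with unrelated
    hosts, so this is the fixed-source-port pattern the post describes.
    """
    return sorted(p for p, g in groups.items() if len(g["srcs"]) >= min_sources)


def destination_map(groups):
    """Destination address -> sorted source ports seen against it.

    Checks the post's observation that each destination maps to one source port.
    """
    dests = defaultdict(set)
    for port, g in groups.items():
        for dst in g["dsts"]:
            dests[dst].add(port)
    return {dst: sorted(ports) for dst, ports in dests.items()}


def repeated_sources(records):
    """Source addresses that appear more than once (the post saw some twice or thrice)."""
    return {src: n for src, n in Counter(r["src"] for r in records).items() if n >= 2}


if __name__ == "__main__":
    recs = list(parse(SAMPLE_LOG.splitlines()))
    groups = by_source_port(recs)
    for port in suspicious_source_ports(groups):
        g = groups[port]
        print(f"sport {port}: {g['count']} probes from {len(g['srcs'])} sources -> {sorted(g['dsts'])}")
    print("destinations:", destination_map(groups))
    print("repeated sources:", repeated_sources(recs))
```

Run it against a real /var/log/security (or wherever syslog puts the kernel facility) by replacing SAMPLE_LOG with the file contents; on the constructed sample it flags 50818, 20330 and 26157, each hitting exactly one destination, while the host that walks ephemeral ports 2049 and 2050 is not flagged, because a varying source port is what legitimate traffic and ordinary scanners look like.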