Date:      Mon, 17 May 1999 14:01:54 -0700
From:      Cy Schubert <cschuber@uumail.gov.bc.ca>
To:        freebsd-security@freebsd.org
Subject:   Interesting Attack
Message-ID:  <199905172101.OAA29759@passer.osg.gov.bc.ca>

I'm seeing a number of packets from sites around the Internet to 
port 1096.  What service lives on port 1096?  Has anyone seen this 
before?

I did change my firewall rules in response to the ACK+RST probes 
discussed on BUGTRAQ and here to catch this kind of activity.

May 12 22:40:58 friendly.system /kernel: ipfw: 65534 Deny TCP 24.93.100.204:0 1.2.3.4:1096 in via xl0
May 13 02:26:03 friendly.system /kernel: ipfw: 65534 Deny TCP 207.76.224.149:113 1.2.3.4:1096 in via xl0
May 13 19:56:51 friendly.system /kernel: ipfw: 65534 Deny TCP 207.154.210.5:6667 1.2.3.4:1096 in via xl0
May 13 19:56:51 friendly.system /kernel: ipfw: 65534 Deny TCP 207.154.210.5:6667 1.2.3.4:1096 in via xl0
May 14 20:15:13 friendly.system /kernel: ipfw: 65534 Deny TCP 129.11.116.121:2 1.2.3.4:1096 in via xl0
May 15 00:20:08 friendly.system /kernel: ipfw: 65534 Deny TCP 207.240.152.35:0 1.2.3.4:1096 in via xl0
May 15 00:20:33 friendly.system /kernel: ipfw: 65534 Deny TCP 207.240.152.35:0 1.2.3.4:1096 in via xl0
May 15 00:56:01 friendly.system /kernel: ipfw: 65534 Deny TCP 24.94.50.65:139 1.2.3.4:1096 in via xl0
May 15 00:56:03 friendly.system /kernel: ipfw: 65534 Deny TCP 24.94.50.65:139 1.2.3.4:1096 in via xl0
May 15 02:33:56 friendly.system /kernel: ipfw: 65534 Deny TCP 159.138.5.1:46643 1.2.3.4:1096 in via xl0
May 15 12:25:51 friendly.system /kernel: ipfw: 65534 Deny TCP 200.33.78.3:23 1.2.3.4:1096 in via xl0
May 15 12:54:38 friendly.system /kernel: ipfw: 65534 Deny TCP 200.33.78.3:23 1.2.3.4:1096 in via xl0
May 15 16:06:06 friendly.system /kernel: ipfw: 65534 Deny TCP 167.205.22.114:23 1.2.3.4:1096 in via xl0
May 15 16:06:06 friendly.system /kernel: ipfw: 65534 Deny TCP 167.205.22.114:23 1.2.3.4:1096 in via xl0
May 15 21:24:49 friendly.system /kernel: ipfw: 65534 Deny TCP 192.148.248.24:2 1.2.3.4:1096 in via xl0
May 15 21:33:22 friendly.system /kernel: ipfw: 65534 Deny TCP 192.148.248.24:23 1.2.3.4:1096 in via xl0
May 15 21:33:23 friendly.system /kernel: ipfw: 65534 Deny TCP 192.148.248.24:23 1.2.3.4:1096 in via xl0
May 15 22:47:50 friendly.system /kernel: ipfw: 65534 Deny TCP 207.229.143.42:22 1.2.3.4:1096 in via xl0
May 15 22:47:50 friendly.system /kernel: ipfw: 65534 Deny TCP 207.229.143.42:22 1.2.3.4:1096 in via xl0
May 16 00:18:08 friendly.system /kernel: ipfw: 65534 Deny TCP 209.54.43.135:23 1.2.3.4:1096 in via xl0
May 16 00:18:08 friendly.system /kernel: ipfw: 65534 Deny TCP 209.54.43.135:23 1.2.3.4:1096 in via xl0
May 16 00:34:48 friendly.system /kernel: ipfw: 65534 Deny TCP 208.201.224.36:113 1.2.3.4:1096 in via xl0
May 16 00:34:49 friendly.system /kernel: ipfw: 65534 Deny TCP 208.201.224.36:113 1.2.3.4:1096 in via xl0
May 16 11:39:32 friendly.system /kernel: ipfw: 65534 Deny TCP 203.37.45.2:6667 1.2.3.4:1096 in via xl0
May 16 13:04:42 friendly.system /kernel: ipfw: 65534 Deny TCP 203.37.45.2:6667 1.2.3.4:1096 in via xl0
May 16 14:46:57 friendly.system /kernel: ipfw: 65534 Deny TCP 209.224.60.180:23 1.2.3.4:1096 in via xl0
May 16 14:47:36 friendly.system /kernel: ipfw: 65534 Deny TCP 209.224.60.180:23 1.2.3.4:1096 in via xl0
May 16 17:51:34 friendly.system /kernel: ipfw: 65534 Deny TCP 207.96.57.242:113 1.2.3.4:1096 in via xl0
May 16 18:26:58 friendly.system /kernel: ipfw: 65534 Deny TCP 24.1.187.156:0 1.2.3.4:1096 in via xl0
May 16 18:27:49 friendly.system /kernel: ipfw: 65534 Deny TCP 24.1.187.156:0 1.2.3.4:1096 in via xl0
May 16 23:41:46 friendly.system /kernel: ipfw: 65534 Deny TCP 208.133.73.83:6667 1.2.3.4:1096 in via xl0
May 16 23:41:46 friendly.system /kernel: ipfw: 65534 Deny TCP 208.133.73.83:6667 1.2.3.4:1096 in via xl0
May 17 13:05:19 friendly.system /kernel: ipfw: 65534 Deny TCP 24.64.167.106:139 1.2.3.4:1096 in via xl0


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Open Systems Group          Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                   Cy.Schubert@gems8.gov.bc.ca
Province of BC            
                      "e**(i*pi)+1=0"

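Added example, not part of the original message: a Python script that parses ipfw deny entries in the format quoted above, rejoins entries that mail wrapping split across two lines, and summarises traffic to one destination port by source address and source port. The sample entries are constructed (documentation-range addresses), and the names unwrap, summarize and the below-1024 cutoff are assumptions of this example.

```python
import re
from collections import Counter

# Constructed sample in the ipfw log format from the message; addresses are
# documentation ranges, and the first four entries are mail-wrapped.
SAMPLE = """\
May 12 22:40:58 friendly.system /kernel: ipfw: 65534 Deny TCP
192.0.2.10:0 198.51.100.4:1096 in via xl0
May 13 02:26:03 friendly.system /kernel: ipfw: 65534 Deny TCP
192.0.2.20:113 198.51.100.4:1096 in via xl0
May 13 19:56:51 friendly.system /kernel: ipfw: 65534 Deny TCP
192.0.2.30:6667 198.51.100.4:1096 in via xl0
May 13 19:56:51 friendly.system /kernel: ipfw: 65534 Deny TCP
192.0.2.30:6667 198.51.100.4:1096 in via xl0
May 15 02:33:56 friendly.system /kernel: ipfw: 65534 Deny TCP 203.0.113.5:46643 198.51.100.4:1096 in via xl0
May 15 12:25:51 friendly.system /kernel: ipfw: 65534 Deny TCP 203.0.113.9:23 198.51.100.4:80 in via xl0
"""

START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")  # syslog timestamp
ENTRY = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)")

def unwrap(text):
    """Rejoin wrapped entries: a line without a timestamp continues the previous one."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if START.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def summarize(text, dport, low_cutoff=1024):
    """Summarise denied packets to dport; low_cutoff is this example's heuristic."""
    sources, sports = set(), Counter()
    for entry in unwrap(text):
        m = ENTRY.search(entry)
        if m and m["action"] == "Deny" and int(m["dport"]) == dport:
            sources.add(m["src"])
            sports[int(m["sport"])] += 1
    low = sum(n for port, n in sports.items() if port < low_cutoff)
    # Clients normally use ephemeral source ports; many low ones is the anomaly.
    return {"packets": sum(sports.values()), "sources": len(sources),
            "by_source_port": dict(sports), "low_source_port_packets": low}

print(summarize(SAMPLE, 1096))
```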





