From owner-freebsd-security Wed Jun 13 11:20:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from anchor-post-32.mail.demon.net (anchor-post-32.mail.demon.net [194.217.242.90]) by hub.freebsd.org (Postfix) with ESMTP id CB27237B403 for ; Wed, 13 Jun 2001 11:20:34 -0700 (PDT) (envelope-from dmg@procopia.com)
Received: from shootthemlater.demon.co.uk ([194.222.93.84] helo=cerebus.parse.net) by anchor-post-32.mail.demon.net with esmtp (Exim 2.12 #1) id 15AFGb-000AGm-0W for freebsd-security@freebsd.org; Wed, 13 Jun 2001 19:21:21 +0100
Received: from wbra0013.cognos.com ([10.0.0.3] helo=procopia.com) by cerebus.parse.net with esmtp (Exim 3.16 #1) id 15AEwi-0007sV-00 for freebsd-security@freebsd.org; Wed, 13 Jun 2001 19:00:48 +0100
Message-ID: <3B27AACB.D8BC13F@procopia.com>
Date: Wed, 13 Jun 2001 19:02:51 +0100
From: David Goddard
X-Mailer: Mozilla 4.75 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Odd source IP for a scan
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

This isn't as such a FreeBSD thing, but I picked up some odd entries in a security log recently:

root@cerebus% grep 66.22.30.76 /var/log/security
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3303 194.222.X.X:27374 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3304 194.222.X.X:12345 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3305 194.222.X.X:139 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3304 194.222.X.X:12345 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3305 194.222.X.X:139 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3303 194.222.X.X:27374 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3304 194.222.X.X:12345 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3305 194.222.X.X:139 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3303 194.222.X.X:27374 in via tun0

66.22.30.76 resolves to host.domain.com - my guess is that it's some hacking tool and the script kiddie has not bothered to change the spoofing from the default. However, if they're just probing then they are surely not going to get much info back that way...

Has anyone seen anything similar?

Cheers,

Dave

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
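As an added example (not part of the original post), here is a small parser for the ipfw "Deny" syslog format shown above that groups denied inbound connections by source address and flags any source that probes several distinct destination ports, which is what the quoted log shows. The sample log is constructed to match the post's lines, with one extra unrelated entry that should not be flagged.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ipfw lines quoted in the post (destination
# address masked as in the original). The 10.1.2.3 line is added noise.
SAMPLE_LOG = """\
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3303 194.222.X.X:27374 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3304 194.222.X.X:12345 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3305 194.222.X.X:139 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3304 194.222.X.X:12345 in via tun0
Jun 11 23:23:29 cerebus /kernel: ipfw: 19300 Deny TCP 10.1.2.3:40000 194.222.X.X:22 in via tun0
"""

# "<timestamp> <host> /kernel: ipfw: <rule> <action> <proto> <src>:<sport> <dst>:<dport> <in|out> via <iface>"
IPFW_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: ipfw: (?P<rule>\d+) "
    r"(?P<action>\w+) (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) (?P<dir>in|out) via (?P<iface>\S+)$"
)

def parse_ipfw(text):
    """Parse ipfw syslog lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = IPFW_RE.match(line)
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            events.append(d)
    return events

def probes_by_source(events):
    """Map each source address to the set of distinct inbound ports it was denied on."""
    ports = defaultdict(set)
    for e in events:
        if e["action"] == "Deny" and e["dir"] == "in":
            ports[e["src"]].add(e["dport"])
    return ports

def flag_scanners(events, min_ports=3):
    """Sources denied on at least min_ports distinct ports. One host hitting
    27374, 12345 and 139 within a second (as in the post) is a port probe;
    a single retried connection to one port is not."""
    return sorted(src for src, p in probes_by_source(events).items() if len(p) >= min_ports)

if __name__ == "__main__":
    evs = parse_ipfw(SAMPLE_LOG)
    for src in flag_scanners(evs):
        print(src, sorted(probes_by_source(evs)[src]))
```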