intrusion detection

Lowell Hamilton plug-discuss@lists.PLUG.phoenix.az.us
Mon, 24 Dec 2001 09:58:28 -0700


Looks like someone synscanning (flags:S) you for obvious
vulnerabilities.  There are no 3-way handshakes in the log so they were
only checking for open ports and not checking for vulnerable versions of
each piece of software (unless your firewall only detects the SYNs)

Dshield shows this host has a pretty bad reputation:
http://dshield.org/subnet.php?subnet=207.33.111.34&Submit=Submit

I would toss it out as just random scanning unless you start seeing
actual traffic (3-way handshakes) from that host.

Lowell

-- 
: Lowell Hamilton     syz@b r o k e n - b i t . c o m :
: Linux  OpenBSD  IDS/firewall  Security  QMail  Perl :

Eric wrote:
> 
> Hi,
> 
> My heart began to race when I saw this in one of my logs.  If anyone can
> read this log so as to divine whether this attempted hack was or may have
> been successful, I would love to listen.  I know that this is not the ideal
> place to post this.  Sorry if it offends.
> 
> FWIN,2001/12/22,19:57:38 -8:00 GMT,63.26.74.158:1665,63.137.xx.xx:80,TCP
> (flags:S)
> FWIN,2001/12/22,23:50:12 -8:00 GMT,209.213.211.133:137,63.137.xx.xx:137,UDP
> FWIN,2001/12/23,00:14:44 -8:00 GMT,131.220.233.203:22,63.137.xx.xx:22,TCP
> (flags:S)
> FWIN,2001/12/23,01:43:15 -8:00 GMT,207.33.111.34:4642,63.137.xx.xx:137,UDP
> FWIN,2001/12/23,01:43:25 -8:00 GMT,207.33.111.34:2604,63.137.xx.xx:80,TCP
> (flags:S)
<snip>
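The reasoning in Lowell's reply (SYN-only entries from one source against several ports look like a port scan, whereas anything beyond a bare SYN deserves a closer look) can be turned into a small log triage script. The following is an added example written for this page, not code from either poster. It parses the FWIN (ZoneAlarm-style) line format shown in Eric's log, groups entries by source address, and labels each source. The sample input is constructed: it reuses the quoted lines with the masked destination kept as-is, plus two invented lines (a second port from 207.33.111.34 and a packet from 192.0.2.50 carrying an ACK flag) so that every branch of the classifier is exercised.

```python
import re
from collections import defaultdict

# Constructed sample in the same FWIN format as the quoted log.
# The last two lines are invented additions to exercise the classifier.
SAMPLE_LOG = """\
FWIN,2001/12/22,19:57:38 -8:00 GMT,63.26.74.158:1665,63.137.xx.xx:80,TCP (flags:S)
FWIN,2001/12/22,23:50:12 -8:00 GMT,209.213.211.133:137,63.137.xx.xx:137,UDP
FWIN,2001/12/23,00:14:44 -8:00 GMT,131.220.233.203:22,63.137.xx.xx:22,TCP (flags:S)
FWIN,2001/12/23,01:43:15 -8:00 GMT,207.33.111.34:4642,63.137.xx.xx:137,UDP
FWIN,2001/12/23,01:43:25 -8:00 GMT,207.33.111.34:2604,63.137.xx.xx:80,TCP (flags:S)
FWIN,2001/12/23,01:43:26 -8:00 GMT,207.33.111.34:2605,63.137.xx.xx:21,TCP (flags:S)
FWIN,2001/12/23,02:10:00 -8:00 GMT,192.0.2.50:3300,63.137.xx.xx:80,TCP (flags:A)
"""

# One FWIN record: direction,date,time,src:port,dst:port,proto[ (flags:X)]
LINE_RE = re.compile(
    r"^FWIN,(?P<date>[^,]+),(?P<time>[^,]+),"
    r"(?P<src>[^:,]+):(?P<sport>\d+),"
    r"(?P<dst>[^:,]+):(?P<dport>\d+),"
    r"(?P<proto>TCP|UDP)(?: \(flags:(?P<flags>[A-Z]+)\))?$"
)


def parse_line(line):
    """Return a dict for one FWIN line, or None if the line is not FWIN."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "date": d["date"], "time": d["time"],
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "proto": d["proto"], "flags": d["flags"] or "",  # UDP has no flags
    }


def summarize(log_text):
    """Group records by source address: event count, targeted ports, TCP flag sets."""
    per_src = defaultdict(lambda: {"events": 0, "dports": set(), "tcp_flags": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["events"] += 1
        s["dports"].add((rec["proto"], rec["dport"]))
        if rec["proto"] == "TCP":
            s["tcp_flags"].add(rec["flags"])
    return dict(per_src)


def classify(entry):
    """Apply the SYN-only heuristic from the thread to one source's summary."""
    flags = entry["tcp_flags"]
    if any("A" in f for f in flags):
        # An ACK means more than a first-packet probe; look at this host closely.
        return "non-SYN TCP seen: review for established traffic"
    if flags == {"S"}:
        if len(entry["dports"]) > 1:
            return "SYN-only probe of multiple ports (likely scan)"
        return "SYN-only probe of one port"
    return "UDP only (no TCP flags to judge)"


def triage(log_text):
    """Return {source_ip: label} for every source in the log."""
    return {src: classify(entry) for src, entry in summarize(log_text).items()}


if __name__ == "__main__":
    for src, label in sorted(triage(SAMPLE_LOG).items()):
        print(f"{src:18} {label}")
```

The classifier inherits the caveat Lowell gives: it only sees what the firewall chose to log. A host firewall that records just the blocked inbound SYNs will never show an ACK, so the absence of "non-SYN" labels says nothing about whether a connection to an open port completed; for that you need the firewall's accept log or a packet capture on the host.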