Open Source and information security mailing list archives
Date: Tue Jun 13 17:09:18 2006
From: Wu at AUX.UWM.EDU (Jacob Wu)
Subject: repeated port 21 attempts

They are all non-routable 10.x.x.x IPs. This is for a residence hall at my University. Residents, when they first turn on their computers, are given a 10.x.x.x IP and made to register and agree with the network use policy. Once they do that they are given a "real" IP and thus access to the internet.

I'm seeing these messages in /var/log/messages when the firewall drops the connections. Example:

Jun 13 06:10:48 www kernel: REJECTED INCOMING PACKET IN=eth0 OUT= MAC=00:14:22:0e:a5:21:00:d0:01:4e:c7:fc:08:00 SRC=10.1.187.194 DST=X.X.X.X LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=43812 DF PROTO=TCP SPT=4388 DPT=21 WINDOW=16384 RES=0x00 SYN URGP=0

I'll get 6 of these and then nothing. Then 5 minutes later 6 more. This behavior is repeated by less than half a dozen other computers. Each computer sends 6, waits 5 min and repeats. I only allow ftp connections from a small number of IPs, if it's not in my list I send a "reset connection" packet and disconnect from the client.

Someone sent me this link:

> Try websnarf: http://www.unixwiz.net/tools/websnarf-1.04

But it gives me less information than iptables does.

-----Original Message-----
From: pwnd.security.pwnd [mailto:pwnd.security.pwnd@...il.com]
Sent: Tuesday, June 13, 2006 7:48 AM
To: Jacob Wu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: [Full-disclosure] repeated port 21 attempts

On 6/12/06, Jacob Wu <Wu@....uwm.edu> wrote:
> I'm getting port 21 connection attempts every 5 minutes from about half a
> dozen of my network users. These attempts are repeating regularly with one
> computer sending out 1500+ attempts a day. I have not seen this before and
> I'm wondering if anyone else here has seen a client behave this way before?
> <snip>

Send me your source IPs.

> Anyone got anything? Is this something new or just new to me?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

--
pwnd.security.pwnd
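
An added example, not part of the original messages: one way to confirm the "6 attempts, wait 5 minutes, repeat" pattern described above directly from the firewall log, by grouping dropped port 21 SYNs per source into bursts and checking that the bursts are evenly spaced. The function names, the 60 second burst gap, the 20% tolerance, the DST address and the 10.1.20.7 source are assumptions; the sample lines are constructed in the format of the log line quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Matches netfilter LOG lines like the one quoted in the post (TCP SYN only).
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?\bSRC=(?P<src>\S+)\s"
                     r".*?\bPROTO=TCP\b.*?\bDPT=(?P<dpt>\d+)\b.*?\bSYN\b")

def parse(lines, year=2006, dport=21):
    """Return {src: sorted timestamps}; syslog omits the year, so pass it in."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if m and int(m["dpt"]) == dport:
            hits[m["src"]].append(
                datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"))
    return {src: sorted(ts) for src, ts in hits.items()}

def bursts(times, max_gap=60):
    """Split sorted timestamps into bursts separated by more than max_gap s."""
    out = [[times[0]]]
    for t in times[1:]:
        if (t - out[-1][-1]).total_seconds() > max_gap:
            out.append([])
        out[-1].append(t)
    return out

def periodic_sources(lines, min_bursts=3, tolerance=0.2):
    """Report sources whose burst start times are evenly spaced."""
    report = {}
    for src, times in parse(lines).items():
        b = bursts(times)
        if len(b) < min_bursts:
            continue  # too few bursts to call it a timer
        gaps = [(y[0] - x[0]).total_seconds() for x, y in zip(b, b[1:])]
        mid = median(gaps)
        if all(abs(g - mid) <= tolerance * mid for g in gaps):
            report[src] = {"bursts": len(b), "per_burst": median(map(len, b)),
                           "period_s": mid}
    return report

def sample_lines():
    """Constructed input: one source bursting 6 SYNs every 5 min, one stray."""
    fmt = ("Jun 13 {t} www kernel: REJECTED INCOMING PACKET IN=eth0 OUT= SRC={s} "
           "DST=192.0.2.10 LEN=48 PROTO=TCP SPT=4388 DPT=21 WINDOW=16384 SYN URGP=0")
    t0 = datetime(2006, 6, 13, 6, 10, 48)
    out = [fmt.format(t=(t0 + timedelta(minutes=5 * b, seconds=i)).strftime("%H:%M:%S"),
                      s="10.1.187.194") for b in range(3) for i in range(6)]
    return out + [fmt.format(t="06:12:00", s="10.1.20.7")]
```

Calling periodic_sources(sample_lines()) reports only 10.1.187.194, with 3 bursts of 6 SYNs and a 300 second period; on a real log, pass the lines of /var/log/messages and the correct year.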