From owner-freebsd-security Mon May 17 14: 2:10 1999
Delivered-To: freebsd-security@freebsd.org
Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id C4C8F156CC for ; Mon, 17 May 1999 14:02:06 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca)
Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id OAA29710 for ; Mon, 17 May 1999 14:03:52 -0700
Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda29704; Mon May 17 14:03:44 1999
Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.9.3/8.9.1) id OAA29759 for ; Mon, 17 May 1999 14:01:57 -0700 (PDT)
Message-Id: <199905172101.OAA29759@passer.osg.gov.bc.ca>
Received: from localhost.osg.gov.bc.ca(127.0.0.1), claiming to be "passer.osg.gov.bc.ca" via SMTP by localhost.osg.gov.bc.ca, id smtpdu29752; Mon May 17 14:01:54 1999
X-Mailer: exmh version 2.0.2 2/24/98
Reply-To: Cy Schubert - ITSD Open Systems Group
X-OS: FreeBSD 3.1-RELEASE
X-Sender: cschuber
To: freebsd-security@freebsd.org
Subject: Interesting Attack
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Mon, 17 May 1999 14:01:54 -0700
From: Cy Schubert
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm seeing a number of packets from sites around the Internet to port 1096. What service lives on port 1096? Has anyone seen this before? I did change my firewall rules in response to the ACK+RST probes discussed on BUGTRAQ and here to catch this kind of activity.
May 12 22:40:58 friendly.system /kernel: ipfw: 65534 Deny TCP 24.93.100.204:0 1.2.3.4:1096 in via xl0
May 13 02:26:03 friendly.system /kernel: ipfw: 65534 Deny TCP 207.76.224.149:113 1.2.3.4:1096 in via xl0
May 13 19:56:51 friendly.system /kernel: ipfw: 65534 Deny TCP 207.154.210.5:6667 1.2.3.4:1096 in via xl0
May 13 19:56:51 friendly.system /kernel: ipfw: 65534 Deny TCP 207.154.210.5:6667 1.2.3.4:1096 in via xl0
May 14 20:15:13 friendly.system /kernel: ipfw: 65534 Deny TCP 129.11.116.121:2 1.2.3.4:1096 in via xl0
May 15 00:20:08 friendly.system /kernel: ipfw: 65534 Deny TCP 207.240.152.35:0 1.2.3.4:1096 in via xl0
May 15 00:20:33 friendly.system /kernel: ipfw: 65534 Deny TCP 207.240.152.35:0 1.2.3.4:1096 in via xl0
May 15 00:56:01 friendly.system /kernel: ipfw: 65534 Deny TCP 24.94.50.65:139 1.2.3.4:1096 in via xl0
May 15 00:56:03 friendly.system /kernel: ipfw: 65534 Deny TCP 24.94.50.65:139 1.2.3.4:1096 in via xl0
May 15 02:33:56 friendly.system /kernel: ipfw: 65534 Deny TCP 159.138.5.1:46643 1.2.3.4:1096 in via xl0
May 15 12:25:51 friendly.system /kernel: ipfw: 65534 Deny TCP 200.33.78.3:23 1.2.3.4:1096 in via xl0
May 15 12:54:38 friendly.system /kernel: ipfw: 65534 Deny TCP 200.33.78.3:23 1.2.3.4:1096 in via xl0
May 15 16:06:06 friendly.system /kernel: ipfw: 65534 Deny TCP 167.205.22.114:23 1.2.3.4:1096 in via xl0
May 15 16:06:06 friendly.system /kernel: ipfw: 65534 Deny TCP 167.205.22.114:23 1.2.3.4:1096 in via xl0
May 15 21:24:49 friendly.system /kernel: ipfw: 65534 Deny TCP 192.148.248.24:2 1.2.3.4:1096 in via xl0
May 15 21:33:22 friendly.system /kernel: ipfw: 65534 Deny TCP 192.148.248.24:23 1.2.3.4:1096 in via xl0
May 15 21:33:23 friendly.system /kernel: ipfw: 65534 Deny TCP 192.148.248.24:23 1.2.3.4:1096 in via xl0
May 15 22:47:50 friendly.system /kernel: ipfw: 65534 Deny TCP 207.229.143.42:22 1.2.3.4:1096 in via xl0
May 15 22:47:50 friendly.system /kernel: ipfw: 65534 Deny TCP 207.229.143.42:22 1.2.3.4:1096 in via xl0
May 16 00:18:08 friendly.system /kernel: ipfw: 65534 Deny TCP 209.54.43.135:23 1.2.3.4:1096 in via xl0
May 16 00:18:08 friendly.system /kernel: ipfw: 65534 Deny TCP 209.54.43.135:23 1.2.3.4:1096 in via xl0
May 16 00:34:48 friendly.system /kernel: ipfw: 65534 Deny TCP 208.201.224.36:113 1.2.3.4:1096 in via xl0
May 16 00:34:49 friendly.system /kernel: ipfw: 65534 Deny TCP 208.201.224.36:113 1.2.3.4:1096 in via xl0
May 16 11:39:32 friendly.system /kernel: ipfw: 65534 Deny TCP 203.37.45.2:6667 1.2.3.4:1096 in via xl0
May 16 13:04:42 friendly.system /kernel: ipfw: 65534 Deny TCP 203.37.45.2:6667 1.2.3.4:1096 in via xl0
May 16 14:46:57 friendly.system /kernel: ipfw: 65534 Deny TCP 209.224.60.180:23 1.2.3.4:1096 in via xl0
May 16 14:47:36 friendly.system /kernel: ipfw: 65534 Deny TCP 209.224.60.180:23 1.2.3.4:1096 in via xl0
May 16 17:51:34 friendly.system /kernel: ipfw: 65534 Deny TCP 207.96.57.242:113 1.2.3.4:1096 in via xl0
May 16 18:26:58 friendly.system /kernel: ipfw: 65534 Deny TCP 24.1.187.156:0 1.2.3.4:1096 in via xl0
May 16 18:27:49 friendly.system /kernel: ipfw: 65534 Deny TCP 24.1.187.156:0 1.2.3.4:1096 in via xl0
May 16 23:41:46 friendly.system /kernel: ipfw: 65534 Deny TCP 208.133.73.83:6667 1.2.3.4:1096 in via xl0
May 16 23:41:46 friendly.system /kernel: ipfw: 65534 Deny TCP 208.133.73.83:6667 1.2.3.4:1096 in via xl0
May 17 13:05:19 friendly.system /kernel: ipfw: 65534 Deny TCP 24.64.167.106:139 1.2.3.4:1096 in via xl0

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Open Systems Group             Internet:  Cy.Schubert@uumail.gov.bc.ca
ITSD                                      Cy.Schubert@gems8.gov.bc.ca
Province of BC
             "e**(i*pi)+1=0"

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
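As an added example (not part of Cy's message or of any FreeBSD code), a small Python triage script for the situation described above: it parses ipfw kernel log lines in the format quoted in the message, groups the denied packets by destination port, and reports how many arrived from distinct sources and how many carried a low "service" source port, which is what sets these probes apart from ordinary client connections. The SERVICE_PORTS set and the sample log (four lines from the message plus one constructed port-80 deny) are assumptions of the example.

```python
import re
from collections import Counter, defaultdict

# ipfw(8) deny line as syslog records it; the field layout is taken from the post's own log.
IPFW_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ /kernel: ipfw: (?P<rule>\d+) (?P<action>\w+) "
                     r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
                     r"(?P<dir>in|out) via (?P<iface>\S+)$")

# Assumed set of source ports that belong to listening services rather than clients; a packet
# *from* one of these toward an unprivileged port is how the post's ACK+RST-style probes look.
SERVICE_PORTS = {0, 22, 23, 113, 139, 6667}

def parse_line(line):
    """Fields of one ipfw log line as a dict (ints for rule and ports), or None if no match."""
    m = IPFW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("rule", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines, min_sources=3):
    """Per destination port hit from >= min_sources addresses: packets, sources, service-port hits."""
    by_dport = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "Deny":
            by_dport[rec["dport"]].append(rec)
    report = {}
    for dport, recs in by_dport.items():
        sources = {r["src"] for r in recs}
        if len(sources) < min_sources:
            continue  # a single peer retrying is noise, not a scan
        report[dport] = {
            "packets": len(recs),
            "sources": len(sources),
            "from_service_port": sum(r["sport"] in SERVICE_PORTS for r in recs),
            "top_sports": Counter(r["sport"] for r in recs).most_common(3),
        }
    return report

# Four lines quoted from the post plus one constructed, unrelated deny (port 80).
SAMPLE_LOG = """\
May 13 02:26:03 friendly.system /kernel: ipfw: 65534 Deny TCP 207.76.224.149:113 1.2.3.4:1096 in via xl0
May 13 19:56:51 friendly.system /kernel: ipfw: 65534 Deny TCP 207.154.210.5:6667 1.2.3.4:1096 in via xl0
May 15 02:33:56 friendly.system /kernel: ipfw: 65534 Deny TCP 159.138.5.1:46643 1.2.3.4:1096 in via xl0
May 15 12:25:51 friendly.system /kernel: ipfw: 65534 Deny TCP 200.33.78.3:23 1.2.3.4:1096 in via xl0
May 16 18:30:00 friendly.system /kernel: ipfw: 65534 Deny TCP 10.0.0.9:40000 1.2.3.4:80 in via xl0
""".splitlines()
```

Run against the full log above, `summarize` reports port 1096 with dozens of distinct sources and nearly every packet from a service port, while a real client connection attempt to 1096 would show high, random source ports.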