Date: Wed, 13 Jun 2001 19:02:51 +0100
From: David Goddard <dmg@procopia.com>
To: freebsd-security@freebsd.org
Subject: Odd source IP for a scan
Message-ID: <3B27AACB.D8BC13F@procopia.com>

Hi,

This isn't as such a FreeBSD thing, but I picked up some odd entries in
a security log recently:

root@cerebus% grep 66.22.30.76 /var/log/security
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3303 194.222.X.X:27374 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3304 194.222.X.X:12345 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3305 194.222.X.X:139 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3304 194.222.X.X:12345 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3305 194.222.X.X:139 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3303 194.222.X.X:27374 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3304 194.222.X.X:12345 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3305 194.222.X.X:139 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3303 194.222.X.X:27374 in via tun0

66.22.30.76 resolves to host.domain.com - my guess is that it's some
hacking tool and the script kiddie has not bothered to change the
spoofing from the default. However, if they're just probing then they
are surely not going to get much info back that way..

Has anyone seen anything similar?

Cheers,

Dave

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
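Added example (not part of the original message): a small Python summarizer for ipfw deny lines in the format quoted above, grouping by source address and counting how often each source-port/destination-port pair repeats. The sample lines are constructed from the post's log format, and the port labels are widely documented defaults added here as an assumption, not statements from the post.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the log lines quoted in the message
# (destination masked as 194.222.X.X, as in the post).
SAMPLE = """\
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3303 194.222.X.X:27374 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3304 194.222.X.X:12345 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3305 194.222.X.X:139 in via tun0
Jun 11 23:23:28 cerebus /kernel: ipfw: 19300 Deny TCP 66.22.30.76:3303 194.222.X.X:27374 in via tun0
"""

# Widely documented default listener ports; labels are informational only.
PORT_NOTES = {27374: "SubSeven default", 12345: "NetBus default", 139: "NetBIOS session"}

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\S+)"
)

def summarize(log_text):
    """Group denied packets by source address.

    Returns {src: {"packets": n, "flows": {(sport, dport): count}, "ports": {dport: note}}}.
    """
    summary = defaultdict(lambda: {"packets": 0, "flows": defaultdict(int), "ports": {}})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["action"] != "Deny":
            continue  # skip non-ipfw lines and non-deny actions
        entry = summary[m["src"]]
        sport, dport = int(m["sport"]), int(m["dport"])
        entry["packets"] += 1
        entry["flows"][(sport, dport)] += 1  # count > 1 means the same pair was logged again
        entry["ports"][dport] = PORT_NOTES.get(dport, "unlabelled")
    return summary

def report(summary):
    """Render one header line per source plus one line per destination port."""
    lines = []
    for src, e in sorted(summary.items()):
        lines.append(f"{src}: {e['packets']} denied packets, {len(e['flows'])} distinct flows")
        for dport, note in sorted(e["ports"].items()):
            hits = sum(c for (_, d), c in e["flows"].items() if d == dport)
            lines.append(f"  dst port {dport} ({note}): {hits} packets")
    return lines

if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```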