[Intrusions] odd probes originating from port 80 to 3669/3666

Gary Hendricks intrusions at project415.org
Tue Jun 22 19:38:51 GMT 2004


Chaps and chapettes ;-)

I am at my wits' end with these; has anyone encountered them as well?

The following extract shows some probes that I am not sure what to make of.
They all originate from the same domain but 2 different hosts.
Over a 10 day period I got over 11000 of these (see attached text file).

The firewall is Smoothwall 2 express. I rebuilt the machine in case it was
rootkit'd.
I also disconnected all machines behind the firewall to ensure it was not a
machine soliciting the attention.

I have edited the excerpt so that it looks neat for the purpose of the
question.

Jun 22 20:00:55 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172
ID987 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:00:55 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172
ID051 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:01:24 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172
ID1170 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:01:24 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172
ID1188 DF PROTO=TCP SPT=80 DPT=3666
Jun 22 20:05:40 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172
ID300 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:05:40 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172
ID360 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:06:09 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172
ID4033 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:06:09 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172
ID4051 DF PROTO=TCP SPT=80 DPT=3666
Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172
ID392 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172
ID459 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:10:54 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172
ID6864 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:10:54 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172
ID6882 DF PROTO=TCP SPT=80 DPT=3666

%nslookup 217.20.39.46
Name:    osiris-virtualhosts.ehsbrann.com
Address:  217.20.39.46
Aliases:  46.39.20.217.in-addr.arpa

%nslookup 217.20.39.48
Name:    iris-virtualhosts2.ehsbrann.com
Address:  217.20.39.48
Aliases:  48.39.20.217.in-addr.arpa

-Gary
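
An added example, not part of the original post: a triage script for firewall log entries in the layout quoted above, grouping packets by source, source port and destination port and measuring the gap between bursts. The sample lines are constructed from the excerpt (one entry per line, ID field left out), and the function names and the year default are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the post's layout (one entry per line, ID field left out).
SAMPLE = """\
Jun 22 20:00:55 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:00:55 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:01:24 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:01:24 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 DF PROTO=TCP SPT=80 DPT=3666
Jun 22 20:05:40 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:05:40 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 DF PROTO=TCP SPT=80 DPT=3669
Jun 22 20:06:09 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 PROTO=TCP SPT=80 DPT=3666
Jun 22 20:06:09 echelon kernel: IN=eth1 SRC=217.20.39.46 DST=MY.NET.91.172 DF PROTO=TCP SPT=80 DPT=3666
Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 PROTO=TCP SPT=80 DPT=3669
Jun 22 20:10:25 echelon kernel: IN=eth1 SRC=217.20.39.48 DST=MY.NET.91.172 DF PROTO=TCP SPT=80 DPT=3669
"""
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (.*)$")

def parse(line, year=2004):
    """Return (timestamp, fields) for one log line, or None if it does not match."""
    m = LINE.match(line.strip())
    if not m:
        return None
    # Syslog timestamps carry no year; the caller supplies one (assumption: 2004).
    when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    fields = {}
    for tok in m.group(2).split():  # key=value pairs; bare flags such as DF map to True
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True
    return when, fields

def summarize(text):
    """Per (SRC, SPT, DPT): packet count, DF count, burst count, median burst gap."""
    groups = defaultdict(list)
    for when, f in filter(None, map(parse, text.splitlines())):
        if {"SRC", "SPT", "DPT"} <= f.keys():
            groups[(f["SRC"], int(f["SPT"]), int(f["DPT"]))].append((when, "DF" in f))
    report = {}
    for key, hits in groups.items():
        bursts = sorted({t for t, _ in hits})  # same-second packets count as one burst
        gaps = [(b - a).total_seconds() for a, b in zip(bursts, bursts[1:])]
        report[key] = {"packets": len(hits), "df": sum(df for _, df in hits),
                       "bursts": len(bursts), "median_gap_s": median(gaps) if gaps else None}
    return report

if __name__ == "__main__":
    for key, stats in summarize(SAMPLE).items():
        print(key, stats)
```

Run over the full log, the same grouping shows whether the 285-second spacing visible in the excerpt holds across the whole 10-day period.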

