[Dshield] Here's something you don't see every day

Josh Beckett josh at theoubliette.net
Thu Oct 3 03:29:58 GMT 2002


Here's something you don't see every day, or maybe you do, but I have
been doing security for a while and it caught my eye amid all the 443
scans of late.

If anyone's interested, I'm sure I could dig a bit more detail from the
real log, rather than this snippet that is mailed to me from portsentry.

This server in question has various common services on it, all
reasonably secured.

As I don't tend to keep every port memorized, I looked this one up on:

http://www.iss.net/security_center/advice/Exploits/Ports/

MTP. But my mail services only use smtp (for outside) and pop3 (for
internal clients).

Normally, I wouldn't think much of it, but I saw another in a relatively
short period of time (at least for my little server that only sees a few
scans an hour) from a different host.

Yes, I know how to track them down, that's not the point.  I rarely see
port 57 is the thing.

Any thoughts?  Anyone else seeing this apparently little used port?

Josh


***alert snippet***

Active System Attack Alerts

=-=-=-=-=-=-=-=-=-=-=-=-=-=

Sep 29 12:06:27 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: 63-200-149-16.ded.pacbell.net/63.200.149.16 to TCP port: 57

Sep 29 12:06:27 bacchus portsentry[659]: attackalert: Host 63.200.149.16 has been blocked via wrappers with string: "ALL: 63.200.149.16"

Sep 29 12:06:27 bacchus portsentry[659]: attackalert: Host 63.200.149.16 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 63.200.149.16 -j DENY -l"

Active System Attack Alerts

=-=-=-=-=-=-=-=-=-=-=-=-=-=

Sep 28 06:22:52 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: 80.135.246.20/80.135.246.20 to TCP port: 57

Sep 28 06:22:52 bacchus portsentry[659]: attackalert: Host 80.135.246.20 has been blocked via wrappers with string: "ALL: 80.135.246.20"

Sep 28 06:22:52 bacchus portsentry[659]: attackalert: Host 80.135.246.20 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 80.135.246.20 -j DENY -l"

Sep 28 06:22:52 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: p5087F614.dip.t-dialin.net/80.135.246.20 to TCP port: 57

Sep 28 06:22:52 bacchus portsentry[659]: attackalert: Host: p5087F614.dip.t-dialin.net/80.135.246.20 is already blocked Ignoring

Sep 28 06:22:52 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: p5087F614.dip.t-dialin.net/80.135.246.20 to TCP port: 57

Sep 28 06:22:52 bacchus portsentry[659]: attackalert: Host: p5087F614.dip.t-dialin.net/80.135.246.20 is already blocked Ignoring

***end alert snippet***
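As an added example (not from Josh's post and not part of portsentry itself), a small Python parser for the attackalert format quoted above: it groups probes by destination port, flags ports the host does not actually serve (the check Josh did by hand for port 57), and lists scanners for which portsentry never logged a block. The log lines, hostnames and addresses it uses are constructed, and the set of listening ports is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the portsentry attackalert format (hosts are made up).
SAMPLE_LOG = """\
Sep 29 12:06:27 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: host-a.example.net/192.0.2.10 to TCP port: 57
Sep 29 12:06:27 bacchus portsentry[659]: attackalert: Host 192.0.2.10 has been blocked via wrappers with string: "ALL: 192.0.2.10"
Sep 29 12:06:27 bacchus portsentry[659]: attackalert: Host 192.0.2.10 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.0.2.10 -j DENY -l"
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: 198.51.100.7/198.51.100.7 to TCP port: 57
Sep 28 06:22:52 bacchus portsentry[659]: attackalert: Host 198.51.100.7 has been blocked via wrappers with string: "ALL: 198.51.100.7"
Sep 28 06:22:53 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: 198.51.100.7/198.51.100.7 to TCP port: 57
Sep 28 06:22:53 bacchus portsentry[659]: attackalert: Host: 198.51.100.7/198.51.100.7 is already blocked Ignoring
Sep 30 01:00:00 bacchus portsentry[659]: attackalert: TCP SYN/Normal scan from host: 203.0.113.5/203.0.113.5 to TCP port: 443
"""

# One pattern per message type: the probe itself, and the block actions taken.
SCAN_RE = re.compile(
    r"attackalert: (?P<proto>TCP|UDP) \S+ scan from host: "
    r"(?P<src_name>[^/ ]+)/(?P<src_ip>\d+\.\d+\.\d+\.\d+) to (?:TCP|UDP) port: (?P<port>\d+)"
)
BLOCK_RE = re.compile(
    r"attackalert: Host (?P<src_ip>\d+\.\d+\.\d+\.\d+) has been blocked via "
    r"(?P<how>wrappers|dropped route)"
)

def parse_portsentry(log_text):
    """Return (scan events, {src_ip: set of block methods}) from attackalert lines."""
    scans, blocks = [], defaultdict(set)
    for line in log_text.splitlines():
        m = SCAN_RE.search(line)
        if m:
            scans.append({"proto": m["proto"], "src_ip": m["src_ip"],
                          "src_name": m["src_name"], "port": int(m["port"])})
            continue
        m = BLOCK_RE.search(line)
        if m:  # "already blocked Ignoring" lines match neither pattern, by design
            blocks[m["src_ip"]].add(m["how"])
    return scans, blocks

def unexpected_ports(scans, listening):
    """Ports probed that this host does not serve -> number of distinct sources."""
    by_port = defaultdict(set)
    for s in scans:
        by_port[s["port"]].add(s["src_ip"])
    return {p: len(ips) for p, ips in by_port.items() if p not in listening}

def unblocked_sources(scans, blocks):
    """Scanners with no block record at all: worth checking the portsentry config."""
    return {s["src_ip"] for s in scans} - set(blocks)
```

With the assumed listening set {25, 110, 443}, the sample yields port 57 probed by two distinct sources, and one scanner (the 443 probe) that portsentry logged but never blocked.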
