[Dshield] Recent Submission - Possible Firewall Misconfiguration

Johannes Ullrich jullrich at euclidian.com
Wed Oct 8 17:04:20 GMT 2003

Port 113 is used by some servers to verify the user id of the client.
Currently, this is actively used by IRC servers, but many (most?) mail
servers do the same thing, even though there are hardly any clients
these days that respond to these requests.

In your case, it looks odd that 200.239.53.35 is running a mail server (Microsoft Exchange).
However, as a 'rogers.com' user, you are unlikely to send any mail
directly to this server. In addition, the mail server should not
initiate port 25 connections to you. You should initiate the port 25
connection, and the mail server may respond with a port 113 connection
(if it feels like it).

The server is running a web server. I don't know any Portuguese, so I am
not sure what the site is about. But it looks security-related.
http://200.239.53.35/


> >I have a question about one of my recent DShield submissions.
> >
> >Source IP: 200.239.53.35
> >Source Port 4733 & 4734 (Twice on each port)
> >Dest Port 113
> >
> >Color coded on DShield as Possible Firewall Misconfiguration
> >
> >However, when I check the IP Info there were 11 other submitters
> >seeing similar activity.  Stats were:
> >
> >Total Records Against IP: 244
> >Number of Targets: 11
> >Date Range: 2003-09-13 to 2003-10-07
> >
> >Port      Attacks
> >113           118
> >25             73
> >34409           8
> >35307           6
> >2002            6
> >35393           6
> >1967            6
> >35412           6
> >34410           6
> >2058            6
> >
> >With a number of DShield submitters seeing similar activity
> >from the same IP over this period of time, is this really a
> >"Firewall Misconfiguration"?
> >
> >The hostname associated with this IP was spliff.pangeia.com.br,
> >registered to PANGEIA INFORMATICA LTDA in Brazil
-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------
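The ident (RFC 1413) callback described in the reply above is easy to confirm from your own firewall logs: an inbound TCP/113 connection that arrives seconds after you opened an outbound TCP/25 connection to the same host is the mail server asking who you are, not a scan. The script below is an added example, not code from the original message or from DShield; the log line format, the client address 192.0.2.10, the second source 198.51.100.7, and the timestamps are all constructed for illustration. It also shows what actually travels over the 113 connection: the mail server sends "<your SMTP source port> , 25" and your host, if it runs identd, answers with a USERID or ERROR line.

```python
# Added example (not from the original message): tell a legitimate RFC 1413
# ident callback apart from an unsolicited probe by correlating inbound TCP/113
# connections with the outbound TCP/25 connection that triggered them, and
# build/parse the ident request and reply themselves. The log format and the
# addresses 192.0.2.10 / 198.51.100.7 are constructed for illustration.
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed firewall log: "<date> <time> <IN|OUT> <src>:<sport> -> <dst>:<dport>".
# The first two 113 hits follow our own SMTP connection; the last one does not.
SAMPLE_LOG = """\
2003-10-07 14:02:11 OUT 192.0.2.10:1034 -> 200.239.53.35:25
2003-10-07 14:02:12 IN 200.239.53.35:4733 -> 192.0.2.10:113
2003-10-07 14:02:12 IN 200.239.53.35:4733 -> 192.0.2.10:113
2003-10-07 18:40:03 IN 198.51.100.7:3456 -> 192.0.2.10:113
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<dir>IN|OUT) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass(frozen=True)
class Conn:
    ts: datetime
    direction: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_log(text: str) -> list[Conn]:
    """Parse the constructed log format above; malformed lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        conns.append(Conn(
            ts=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            direction=m["dir"], src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
        ))
    return conns


def classify_ident(conns: list[Conn],
                   window: timedelta = timedelta(seconds=60)) -> list[tuple[Conn, str]]:
    """For every inbound TCP/113 connection, look for an outbound TCP/25
    connection to the same host within `window` before it. If there is one,
    the 113 connection is that mail server's ident callback; otherwise it is
    an unsolicited probe and deserves a closer look."""
    smtp_out = [c for c in conns if c.direction == "OUT" and c.dport == 25]
    verdicts = []
    for c in conns:
        if c.direction != "IN" or c.dport != 113:
            continue
        triggered = any(
            s.dst == c.src and timedelta(0) <= c.ts - s.ts <= window for s in smtp_out
        )
        verdicts.append((c, "ident callback" if triggered else "unsolicited ident probe"))
    return verdicts


# RFC 1413 wire format. The host that *answers* the ident query (the SMTP
# client here) is the "server" in RFC terms, so its port is named first.
def ident_request(port_on_server: int, port_on_client: int) -> bytes:
    return f"{port_on_server} , {port_on_client}\r\n".encode("ascii")


IDENT_REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*?)\s*$")


def parse_ident_reply(line: bytes) -> dict:
    """Parse 'sport , cport : USERID : <opsys> : <user>' or
    'sport , cport : ERROR : <code>'. Raises ValueError on a malformed reply."""
    m = IDENT_REPLY_RE.match(line.decode("ascii", "replace").rstrip("\r\n"))
    if not m:
        raise ValueError(f"malformed ident reply: {line!r}")
    sport, cport, kind, rest = int(m[1]), int(m[2]), m[3], m[4]
    if kind == "ERROR":
        return {"ports": (sport, cport), "error": rest}
    opsys, _, user = rest.partition(":")
    return {"ports": (sport, cport), "opsys": opsys.strip(), "user": user.strip()}


if __name__ == "__main__":
    for conn, verdict in classify_ident(parse_log(SAMPLE_LOG)):
        print(conn.ts, conn.src, "-> 113:", verdict)
    print(ident_request(1034, 25))
    print(parse_ident_reply(b"1034 , 25 : USERID : UNIX : alice\r\n"))
```

Run against real logs, the correlation needs both directions of the firewall log and timestamps on the same clock; a 60-second window is generous, since a mail server normally fires the ident query the moment it accepts the SMTP connection. Any 113 connection the correlation cannot pair with your own outbound 25 (or IRC) connection is the case worth reporting.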