Today, I saw in the snort logs the following: (removed ip & date to get it in 78-col format)

193.189.224.13:21 -> ip:58153 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42940 -> ip:113 SYN 12****S* RESERVEDBITS
193.189.224.13:42941 -> ip:58154 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42942 -> ip:58155 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42943 -> ip:58156 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42944 -> ip:58157 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42945 -> ip:58158 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42946 -> ip:58159 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42947 -> ip:58160 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42948 -> ip:58161 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42949 -> ip:58162 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42950 -> ip:58163 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42951 -> ip:58164 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42952 -> ip:58165 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42953 -> ip:58166 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42954 -> ip:58167 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42955 -> ip:58168 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42956 -> ip:58169 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42958 -> ip:58170 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42959 -> ip:58171 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42960 -> ip:58172 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42962 -> ip:58173 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42963 -> ip:58174 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42965 -> ip:58175 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42966 -> ip:58176 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42967 -> ip:58177 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:21 -> ip:58180 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:43074 -> ip:113 SYN 12****S* RESERVEDBITS
143.169.4.111:22 -> ip:22 SYNFIN ******SF
143.169.4.111:4614 -> ip:22 SYN ******S*

Is this a so-called ftp-bounce scan? Because it starts every time with a connection from port 21, and next a bunch of connections on higher ports.
These came in bursts, each time for about one minute or so. The source is 'source.rfc822.org' (193.189.224.13). Does this mean their ftp server is misconfigured? Should I warn them about this? Nothing did get through my firewall (and ippl didn't show anything either), so I shouldn't worry about this?

Am I right in saying that using ipt_conntrack_ftp doesn't make me more vulnerable to this, as it only opens up for connections going *out* from my machine?

Thanks for the info,
Dries
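
An added example, not part of the original post: a small Python triage script for log lines in the format quoted above. It decodes the eight-character flag field and separates SYN+ACK segments (the second step of a TCP handshake, normally sent in answer to a SYN from the destination host) from bare SYNs and from SYN+FIN. The column order "12UAPRSF" is an assumption that matches the quoted lines, and the category names are made up for this example.

```python
import re
from collections import Counter

FLAG_ORDER = "12UAPRSF"  # assumed column order; consistent with the quoted lines
LINE_RE = re.compile(
    r"^(?P<src>\S+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+) "
    r"(?P<name>\w+) (?P<flags>[12UAPRSF*]{8})(?: (?P<note>\w+))?$"
)

# A few lines copied from the post (destination already masked as "ip").
SAMPLE = """\
193.189.224.13:21 -> ip:58153 UNKNOWN *2*A**S* RESERVEDBITS
193.189.224.13:42940 -> ip:113 SYN 12****S* RESERVEDBITS
193.189.224.13:42941 -> ip:58154 UNKNOWN *2*A**S* RESERVEDBITS
143.169.4.111:22 -> ip:22 SYNFIN ******SF
143.169.4.111:4614 -> ip:22 SYN ******S*
"""

def decode_flags(field):
    """Return the set of flag letters that are set in an 8-character field."""
    if len(field) != len(FLAG_ORDER):
        raise ValueError("flag field must be 8 characters: %r" % field)
    flags = set()
    for letter, ch in zip(FLAG_ORDER, field):
        if ch == letter:
            flags.add(letter)
        elif ch != "*":
            raise ValueError("unexpected %r in column %r" % (ch, letter))
    return flags

def classify(flags):
    """Hypothetical triage categories based on the handshake flags only."""
    core = flags - {"1", "2"}  # the two formerly reserved bits (ECN, RFC 3168)
    if {"S", "F"} <= core:
        return "invalid-synfin"   # SYN and FIN together never occur in normal TCP
    if core == {"S", "A"}:
        return "synack-reply"     # answer to a SYN sent by the destination
    if core == {"S"}:
        return "syn-inbound"      # new connection attempt towards the destination
    return "other"

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["kind"] = classify(decode_flags(rec["flags"]))
    return rec

def summarize(text):
    """Count packets per (source address, category)."""
    recs = (parse_line(l) for l in text.splitlines())
    return Counter((r["src"], r["kind"]) for r in recs if r)
```
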

