At 10:16 PM 6/6/99 -0700, Roger Marquis wrote:
>We recently began seeing an interesting pattern of tcp packets, from 6
>unique IPs, none with reverse dns, 5 or 6 packets per src IP to a single
>destination IP, port 7 (echo). These packets are all logged within a few
>seconds of each other which leads me to suspect that most of them could be
>spoofed. The "source" IPs are:
>
>Anyone else seen this traffic pattern?
Yes, as a matter of fact, I detected the same thing. But since it was on
the "echo" port, I didn't think much of it.
Security Violations
=-=-=-=-=-=-=-=-=-=
Jun 7 07:12:07 cardinal klaxon[29514]: ALERT: user [email protected]
accessing port echo
Jun 7 08:19:09 cardinal klaxon[32181]: ALERT: user [email protected]
accessing port echo
Jun 7 08:19:09 cardinal klaxon[32188]: ALERT: user [email protected]
accessing port echo
Jun 7 08:19:09 cardinal klaxon[32170]: ALERT: user [email protected]
accessing port echo
Jun 7 08:19:09 cardinal klaxon[32187]: ALERT: user [email protected]
accessing port echo
Jun 7 08:19:11 cardinal klaxon[32179]: ALERT: user [email protected]
accessing port echo
(I had many more "hits" than that, but all coming from those adresses)
I'd be interested to know what they hope to accomlish on that port?
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
