Ack sorry, that's what I get for opening my big mouth too soon.
It IS telnet.
What is happening however is NOT a legitimate telnet as far
as I can determine from your logs.
It rather appears to be a portscan on port 23 of selected
hosts in your network.
This is consistent with seeing all entries originate
from the same port (some port scanners work this way).
Mikael Olsson wrote:
>
> The destination port is 23. That's telnet.
> Someone's trying to telnet to you.
> The reason you're seeing several drops is that TCP
> retries its SYN packets a bunch of times if it fails
> to connect.
>
> I'd recommend brushing up on your TCP/IP basics a wee bit.
>
> Jim Smart wrote:
> >
> > Hi,
> >
> > I am wondering if anyone knows what is causing these in our logs?
> >
> > Sep 23 03:56:18 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.2(23), 1 packet
> > Sep 23 03:56:19 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.50(23), 1 packet
> > Sep 23 03:56:20 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.102(23), 1 packet
> > Sep 23 03:56:21 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.152(23), 1 packet
> > Sep 23 03:56:22 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.201(23), 1 packet
> > Sep 23 03:56:23 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.253(23), 1 packet
> > Sep 23 03:56:23 <> list 100 denied tcp 216.xx.xx.66(47850) -> 203.xx.xx.254(23), 1 packet
> >
> > Observations:
> > - The source port is always the same, and is generally port 47850.
> > - The destination port is always port 23.
> > - It is too quick to be manually done.
> > - The size of the gaps in the address space is variable.
> > - The only continent they have not come from is Africa.
> >
> > I would like to know what is being used to do the job? why they
> > are happening? and what may follow?
> >
> > Thank you in advance,
> >
> > Jim Smart
> > Brisbane, Australia
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
>
> --
> Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
> Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
> WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
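
Added example, not part of the original messages: a small Python classifier for the ACL deny log format quoted above that separates the two readings discussed in this thread, one source address and port hitting many hosts on the same destination port (a sweep) versus repeated denies to a single host (consistent with SYN retries). The sample lines, the documentation-range addresses, the 60-second window, the 5-host threshold and the placeholder year used for timestamp parsing are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the router ACL deny lines in the format quoted in the thread.
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ list \S+ denied tcp "
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\) -> (?P<dst>[\w.]+)\((?P<dport>\d+)\)")

# Constructed sample input (not the poster's logs): one sweep, one retry pattern.
FMT = "Sep 23 {t} <> list 100 denied tcp {s} -> 198.51.100.{h}(23), 1 packet"
SAMPLE = [FMT.format(t=f"03:56:{18 + i:02d}", s="192.0.2.66(47850)", h=h)
          for i, h in enumerate([2, 50, 102, 152, 201, 253, 254])]
SAMPLE += [FMT.format(t=t, s="192.0.2.9(1055)", h=10)
           for t in ("04:10:00", "04:10:03", "04:10:09")]

def classify(lines, window=timedelta(seconds=60), min_hosts=5):
    """Map (src, sport, dport) -> 'sweep', 'retry' or 'other'."""
    flows = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an ACL deny line in this format
        # The log carries no year; 2000 is a placeholder so deltas can be computed.
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        flows[(m["src"], int(m["sport"]), int(m["dport"]))].append((ts, m["dst"]))
    verdicts = {}
    for key, hits in flows.items():
        hits.sort()
        best = start = 0
        for end in range(len(hits)):
            # Slide the window so it never spans more than `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in hits[start:end + 1]}))
        if best >= min_hosts:
            verdicts[key] = "sweep"   # same source port, many hosts, one dest port
        elif best == 1 and len(hits) > 1:
            verdicts[key] = "retry"   # one host hit repeatedly: SYN retransmits
        else:
            verdicts[key] = "other"
    return verdicts

if __name__ == "__main__":
    for key, verdict in classify(SAMPLE).items():
        print(key, verdict)
```
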