[ale] port sentry gone mad

Jonathan Rickman infosec at alltel.net
Thu Mar 29 18:24:32 EST 2001


On Thu, 29 Mar 2001, Marc Vogt wrote:


> Mar 29 18:10:00 tamarind portsentry[574]: attackalert: Possible
>stealth scan from unknown host to TCP port: 22 (accept failed)
> Mar 29 18:10:30 tamarind last message repeated 57848 times
> Mar 29 18:11:31 tamarind last message repeated 107778 times
> Mar 29 18:12:33 tamarind last message repeated 103242 times
> Mar 29 18:13:33 tamarind last message repeated 109587 times
> Mar 29 18:14:34 tamarind last message repeated 101158 times
> Mar 29 18:15:00 tamarind last message repeated 45402 times

Wow. Try getting a capture of the traffic headed to port 22, and maybe you
can figure out what it is. I seriously doubt it's a real scan. You might
also try turning off portsentry for a bit and using ipchains/tables
(whatever) to log the attempts. You might get more info that way.

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net
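
The repeat counts in the quoted log can be converted into alert rates, which gives a figure to compare against whatever a capture or firewall log of port 22 shows. This is an added example, not part of the original message; the function names are hypothetical, and the year 2001 is an assumption taken from the message date because syslog lines omit it.

```python
import re
from datetime import datetime

# Log lines from the quoted message (quote markers removed, wrapped line rejoined).
SAMPLE = """\
Mar 29 18:10:00 tamarind portsentry[574]: attackalert: Possible stealth scan from unknown host to TCP port: 22 (accept failed)
Mar 29 18:10:30 tamarind last message repeated 57848 times
Mar 29 18:11:31 tamarind last message repeated 107778 times
Mar 29 18:12:33 tamarind last message repeated 103242 times
Mar 29 18:13:33 tamarind last message repeated 109587 times
Mar 29 18:14:34 tamarind last message repeated 101158 times
Mar 29 18:15:00 tamarind last message repeated 45402 times
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT = re.compile(r"^last message repeated (\d+) times$")

def repeat_rates(text, year=2001):
    """Return (timestamp, message, count, per_second) for each repeat summary.

    syslog timestamps carry no year; 2001 is assumed from the mail's date.
    """
    rows, prev_time, prev_msg = [], None, None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blanks and anything that is not a syslog line
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        body = m.group(3)
        rep = REPEAT.match(body)
        if rep and prev_msg is not None:
            count = int(rep.group(1))
            secs = (when - prev_time).total_seconds()
            # A zero-length interval cannot give a rate; report None instead.
            rate = round(count / secs, 1) if secs > 0 else None
            rows.append((when, prev_msg, count, rate))
        elif not rep:
            prev_msg = body  # the message that later summaries refer to
        prev_time = when
    return rows

def total_events(rows):
    """Alerts covered by the summaries, plus the one line logged in full."""
    return sum(r[2] for r in rows) + 1

if __name__ == "__main__":
    for when, msg, count, rate in repeat_rates(SAMPLE):
        print(f"{when:%H:%M:%S}  {count:>7} repeats  {rate} per second")
    print("total alerts:", total_events(repeat_rates(SAMPLE)))
```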


