[ale] port sentry gone mad
- Subject: [ale] port sentry gone mad
- From: infosec at alltel.net (Jonathan Rickman)
- Date: Thu, 29 Mar 2001 18:24:32 -0500 (EST)
On Thu, 29 Mar 2001, Marc Vogt wrote:
> Mar 29 18:10:00 tamarind portsentry[574]: attackalert: Possible stealth scan from unknown host to TCP port: 22 (accept failed)
> Mar 29 18:10:30 tamarind last message repeated 57848 times
> Mar 29 18:11:31 tamarind last message repeated 107778 times
> Mar 29 18:12:33 tamarind last message repeated 103242 times
> Mar 29 18:13:33 tamarind last message repeated 109587 times
> Mar 29 18:14:34 tamarind last message repeated 101158 times
> Mar 29 18:15:00 tamarind last message repeated 45402 times
Wow. Try getting a capture of the traffic headed to port 22, and maybe you
can figure out what it is. I seriously doubt it's a real scan. You might
also try turning off portsentry for a bit and using ipchains/tables
(whatever) to log the attempts. You might get more info that way.
--
Jonathan Rickman
X Corps Security
http://www.xcorps.net
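
The alert volume in the quoted excerpt can be quantified as a baseline to compare against a packet capture or firewall log of port 22. This is an added example, not part of the original message: it expands syslog's "last message repeated N times" markers and computes alerts per second for each interval. The sample text is the excerpt above with the wrapped line rejoined, and the year is an assumption because syslog timestamps omit it.

```python
import re
from datetime import datetime

# Constructed sample: the syslog excerpt quoted above, wrapped line rejoined.
SAMPLE_LOG = """\
Mar 29 18:10:00 tamarind portsentry[574]: attackalert: Possible stealth scan from unknown host to TCP port: 22 (accept failed)
Mar 29 18:10:30 tamarind last message repeated 57848 times
Mar 29 18:11:31 tamarind last message repeated 107778 times
Mar 29 18:12:33 tamarind last message repeated 103242 times
Mar 29 18:13:33 tamarind last message repeated 109587 times
Mar 29 18:14:34 tamarind last message repeated 101158 times
Mar 29 18:15:00 tamarind last message repeated 45402 times
"""
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (.*)$")
REPEAT_RE = re.compile(r"^last message repeated (\d+) times$")

def parse_syslog(log, year=2001):
    """Yield (timestamp, count, message), expanding syslog repeat markers."""
    last_msg = None
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        rep = REPEAT_RE.match(m.group(3))
        if rep:
            if last_msg is not None:  # skip a marker with nothing before it
                yield ts, int(rep.group(1)), last_msg
        else:
            last_msg = m.group(3)
            yield ts, 1, last_msg

def alert_rates(log):
    """Return (interval_end, count, alerts_per_second) for successive lines."""
    events = list(parse_syslog(log))
    rates = []
    for (prev_ts, _, _), (ts, count, _) in zip(events, events[1:]):
        secs = (ts - prev_ts).total_seconds()
        if secs > 0:
            rates.append((ts, count, count / secs))
    return rates

def total_alerts(log):
    """Total number of alert messages the excerpt represents."""
    return sum(count for _, count, _ in parse_syslog(log))

if __name__ == "__main__":
    for end, count, rate in alert_rates(SAMPLE_LOG):
        print(f"{end:%H:%M:%S}  {count:>7} alerts  {rate:8.1f}/s")
    print("total:", total_alerts(SAMPLE_LOG))
```

On this excerpt the rate stays above 1,600 alerts per second for the full five minutes, which is the figure to check against the number of packets actually arriving on port 22.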