Security Incidents mailing list archives
Odd snmp scans from 10.0.0.0/8 address ???
From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Wed, 26 Apr 2000 17:06:50 +1200
A few days ago we saw a series of scans that varied the 3rd octet of the IP address (see argus logs below). These scans appeared to be part of a much wider scan, perhaps all of 130/8, as the scans repeated every couple of hours with a new final octet.

Sample argus logs:

23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.198.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.202.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.204.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.206.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.207.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.209.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.212.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.213.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.211.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.214.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.216.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.215.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.217.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.218.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.219.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.223.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.220.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.227.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.221.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.231.28.161 TIM

As you can see, they are scanning address 28 in each class C net. We saw similar scans at

2000.04.24:07.11
2000.04.24:05.28
2000.04.24:03.46
2000.04.24:02.04
2000.04.24:00.21
2000.04.23:22.39
2000.04.23:20.57

each time scanning a new address in each subnet.
I have seen such scans before, and I think nmap has an option for doing just this, so no mystery there; but what puzzles me is the source address, which is in the range reserved for multicast. Is there any way anyone could get useful information from this scan?

BTW times are UTC+1200; our class B is 130.216/16.

Cheers, Russell.
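As an added example that is not part of Russell's post, the following script shows how a defender could pick this pattern out of argus-style summary lines automatically: it groups UDP flows to port 161 by source address, /16 prefix and final octet, and alerts when one source has touched many distinct third octets with the same final octet (the "address 28 in each class C" sweep above). It also flags whether the source lies in non-routable space (RFC 1918 private, multicast, loopback, reserved), since a 10.0.0.0/8 source arriving from the outside cannot be replied to and is most likely spoofed or a leak from a misconfigured internal host. The parsing regex, the function names and the alert thresholds are my own assumptions, not argus features; the sample log reuses ten lines from the post plus two constructed benign lines.

```python
import ipaddress
import re
from collections import defaultdict

# Regex for the argus summary line shape quoted in the post, e.g.
# "23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.198.28.161 TIM"
# (assumed format; real argus output varies with the ra(1) options used)
ARGUS_RE = re.compile(
    r"^(?P<ts>\d{2} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+(?P<proto>\w+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+)\s+(?P<state>\w+)\s*$"
)

# Constructed sample log: ten lines from the post, one legitimate-looking
# SNMP poll from a routable internal manager, and one unrelated TCP flow.
SAMPLE_LOG = """\
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.198.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.202.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.204.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.206.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.207.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.209.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.212.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.213.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.211.28.161 TIM
23 Apr 00 19:14:45 udp 10.2.16.76.2846 -> 130.216.214.28.161 TIM
23 Apr 00 19:15:02 udp 130.216.1.1.40001 -> 130.216.5.2.161 CON
23 Apr 00 19:15:10 tcp 130.216.3.4.33120 -> 130.216.9.9.80 EST
""".splitlines()


def parse_argus_line(line):
    """Return a dict of fields for one summary line, or None if it does not match."""
    m = ARGUS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_non_routable_source(addr):
    """True for addresses that should never appear as a source on the public Internet."""
    ip = ipaddress.ip_address(addr)
    return (ip.is_private or ip.is_multicast or ip.is_loopback
            or ip.is_reserved or ip.is_unspecified)


def find_third_octet_sweeps(lines, dport=161, min_targets=8):
    """Report sources that hit the same final octet across many /24s inside one /16.

    Key = (source, first two octets of dst, last octet of dst); the value is the
    set of distinct third octets seen. A large set means a 'one host per class C'
    sweep like the one in the post rather than normal management traffic.
    """
    groups = defaultdict(set)
    for line in lines:
        rec = parse_argus_line(line)
        if rec is None or rec["proto"] != "udp" or rec["dport"] != dport:
            continue
        o = rec["dst"].split(".")
        groups[(rec["src"], f"{o[0]}.{o[1]}", o[3])].add(int(o[2]))

    alerts = []
    for (src, net16, last), thirds in groups.items():
        if len(thirds) >= min_targets:
            alerts.append({
                "src": src,
                "target_pattern": f"{net16}.X.{last}",
                "distinct_third_octets": len(thirds),
                "spoofed_source_likely": is_non_routable_source(src),
            })
    return sorted(alerts, key=lambda a: a["src"])


if __name__ == "__main__":
    for alert in find_third_octet_sweeps(SAMPLE_LOG):
        print(alert)
```

The single legitimate poll from 130.216.1.1 never reaches the threshold, so only the 10.2.16.76 sweep is reported, with the spoofing flag set because 10.0.0.0/8 is private space. In practice you would feed the script a whole day's argus output and tune min_targets to your network's size; the first /16 key also stops a large NMS polling many of its own subnets from being merged with an outside sweep.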