Security Incidents mailing list archives
A few strange scans...
From: Mike.Murray () UTORONTO CA (Murray, Mike)
Date: Sun, 20 Feb 2000 20:53:10 -0500
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all...

Have a couple incidents that I'm curious about, and I can't find any explanation for at all...

The first is many days of scanning of our Class C on a few weird ports from 193.0.14.129. This belongs to k.root-servers.net. Here's a log snippet...

Feb 5 06:40:51 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.20:264 L=281 S=0x00 I=37686 F=0x0000 T=49 (#7)
Feb 5 06:41:35 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.50:264 L=281 S=0x00 I=7912 F=0x0000 T=49 (#7)
Feb 5 06:56:43 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.20:452 L=471 S=0x00 I=15034 F=0x0000 T=49 (#7)
Feb 5 06:57:16 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.50:452 L=470 S=0x00 I=40854 F=0x0000 T=49 (#7)
Feb 5 06:57:39 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.50:132 L=475 S=0x00 I=58041 F=0x0000 T=49 (#7)
Feb 5 06:58:29 firepower kernel: Packet log: server1 ACCEPT eth0 PROTO=17 193.0.14.129:30721 xxx.xxx.xxx.20:20 L=472 S=0x00 I=30688 F=0x0000 T=49 (#79)
Feb 5 06:59:31 firepower kernel: Packet log: server1 ACCEPT eth0 PROTO=17 193.0.14.129:1120 xxx.xxx.xxx.20:80 L=284 S=0x00 I=15071 F=0x0000 T=49 (#79)
Feb 5 07:00:28 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.20:456 L=475 S=0x00 I=61751 F=0x0000 T=49 (#7)
Feb 5 07:00:43 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.20:456 L=475 S=0x00 I=8447 F=0x0000 T=49 (#7)
Feb 5 07:02:20 firepower kernel: Packet log: server1 ACCEPT eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.50:20 L=479 S=0x00 I=31258 F=0x0000 T=49 (#79)
Feb 5 07:04:42 firepower kernel: Packet log: server1 ACCEPT eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.50:20 L=480 S=0x00 I=17387 F=0x0000 T=49 (#79)
Feb 5 07:08:13 firepower kernel: Packet log: server1 ACCEPT eth0 PROTO=17 193.0.14.129:1160 xxx.xxx.xxx.50:80 L=281 S=0x00 I=63386 F=0x0000 T=49 (#79)
Feb 5 07:24:31 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.50:196 L=216 S=0x00 I=7567 F=0x0000 T=49 (#7)
Feb 5 07:44:47 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30721 xxx.xxx.xxx.50:24 L=284 S=0x00 I=15566 F=0x0000 T=49 (#7)
Feb 5 07:58:14 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.50:264 L=281 S=0x00 I=35814 F=0x0000 T=49 (#7)

And so on, and so on...

Also, we've been seeing probes on some strange ports (31, 36, 104, 261, 413, 461, 576, 770 and 838) and an especially long scan on port 5.

Anybody have any ideas and/or know what could be on any of these ports???

Thanks,
Mike

- ----------------------------------
Message sent on 20-Feb-00 at 20:54:37
Mike Murray
Apt 1402 666 Spadina Ave
Toronto, ON M5S 2H8
Phone: (416) 323-3160

I can't think of anything pithy to say at all, today.
So, I ramble.
- ----------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOLCa44DBZTHOsqLmEQIa1ACgxKLrXstpq2GClJSR5j7fzLB75CoAoJQQ
QLpW+9QyTZCWUOowT0sCE84l
=iRy1
-----END PGP SIGNATURE-----
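
An added example, not part of the original post: a small parser for the kernel packet-log lines quoted in the message, grouping destination ports by firewall verdict for each source so the ACCEPT entries stand out from the denied probes. The sample input is five lines copied from the message; the function names and field names are this example's own choices.

```python
import re
from collections import defaultdict

# Field layout taken from the log lines quoted in the message:
# chain, verdict, interface, IP protocol, src:port, dst:port, L= S= I= F= T= (#rule)
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=\S+ I=(?P<ipid>\d+) F=\S+ T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)
INT_FIELDS = ("proto", "sport", "dport", "length", "ipid", "ttl", "rule")

# Sample input: five lines copied from the message above (addresses masked as posted).
SAMPLE = """\
Feb 5 06:40:51 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.20:264 L=281 S=0x00 I=37686 F=0x0000 T=49 (#7)
Feb 5 06:56:43 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.20:452 L=471 S=0x00 I=15034 F=0x0000 T=49 (#7)
Feb 5 06:58:29 firepower kernel: Packet log: server1 ACCEPT eth0 PROTO=17 193.0.14.129:30721 xxx.xxx.xxx.20:20 L=472 S=0x00 I=30688 F=0x0000 T=49 (#79)
Feb 5 06:59:31 firepower kernel: Packet log: server1 ACCEPT eth0 PROTO=17 193.0.14.129:1120 xxx.xxx.xxx.20:80 L=284 S=0x00 I=15071 F=0x0000 T=49 (#79)
Feb 5 07:44:47 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30721 xxx.xxx.xxx.50:24 L=284 S=0x00 I=15566 F=0x0000 T=49 (#7)
"""

def parse_line(line):
    """Return the fields of one packet-log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Per source address: (protocol, dest port) pairs by verdict, plus source ports seen."""
    out = defaultdict(lambda: defaultdict(set))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # not a packet-log line (other kernel messages, blank lines)
        entry = out[rec["src"]]
        entry[rec["verdict"]].add((rec["proto"], rec["dport"]))  # proto 17 = UDP
        entry["sports"].add(rec["sport"])
    return dict(out)

if __name__ == "__main__":
    for src, entry in summarize(SAMPLE.splitlines()).items():
        print(src, "source ports:", sorted(entry["sports"]))
        for verdict in sorted(k for k in entry if k != "sports"):
            print(f"  {verdict}: {sorted(entry[verdict])}")
```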