Security Incidents mailing list archives
Scan of the Week continued
From: lance () SPITZNER NET (Lance Spitzner)
Date: Sat, 3 Jun 2000 11:42:17 -0500
As several of you may know, I have started the "Scan of the Week" program. Last week was the second week of posting scan signatures. However, we have not yet figured out the tool that created the signatures, so I have kept them posted until we (the security community) can figure it out. Over the past two months various systems have scanned my network for specific ports with the following scan signature. The signatures are similar enough for me to believe that the same tool was used. For more info on both the "Scan of the Week" program and the actual sigs. http://www.enteract.com/~lspitz/papers.html An example of the signatures (this case, scan for 111) 04/17-06:02:32.401307 195.116.152.104:0 -> 172.16.1.107:111 TCP TTL:228 TOS:0x0 ID:30976 **SF**** Seq: 0xCC410000 Ack: 0x0 Win: 0x200 04/17-06:02:32.402027 172.16.1.107:111 -> 195.116.152.104:0 TCP TTL:64 TOS:0x0 ID:6919 DF **S***A* Seq: 0x77BA6506 Ack: 0xCC410001 Win: 0x7FB8 TCP Options => MSS: 536 00 00 .. 04/17-06:02:33.139528 195.116.152.104:0 -> 172.16.1.101:111 TCP TTL:238 TOS:0x0 ID:44926 ****R*** Seq: 0xCC410001 Ack: 0x0 Win: 0x0 Lance Spitzner http://www.enteract.com/~lspitz/papers.html
Current thread:
- Re: Microsoft version.binding us now? Fernando Cardoso (May 30)
- <Possible follow-ups>
- Re: Microsoft version.binding us now? Klaus Steding-Jessen (May 30)
- Re: Microsoft version.binding us now? Bill Marquette (Jun 01)
- Re: Microsoft version.binding us now? Thijs Eilander (May 30)
- Re: Microsoft version.binding us now? Bill Marquette (Jun 01)
- Re: Microsoft version.binding us now? Richard Bejtlich (Jun 02)
- Scan of the Week continued Lance Spitzner (Jun 03)
- very strange scan patterns Joe H (Jun 05)
- Re: very strange scan patterns John Kristoff (Jun 05)
- Sub-7 Khan, Mansoor (Jun 05)
- Re: Sub-7 James Stevenson (Jun 08)
- Re: Sub-7 Matthew F. Caldwell (Jun 08)
- Re: Sub-7 nine (Jun 08)
- Strange scans - inquisitive question Paul Rogers (Jun 09)
- Re: Strange scans - inquisitive question Valdis Kletnieks (Jun 11)
- What is this guy doing? Josh Burroughs (Jun 05)
- Re: What is this guy doing? Sebastien Reister (Jun 08)