Security Incidents mailing list archives
Port-scans from visited web-sites?
From: peter.bates () LSHTM AC UK (Peter Bates)
Date: Wed, 7 Jun 2000 14:19:28 +0100
Hello all...

I noticed the following today:

Jun 7 13:27:01 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun 7 13:27:14 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:27:19 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
Jun 7 13:30:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun 7 13:30:58 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:31:04 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
Jun 7 13:32:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun 7 13:32:59 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:33:06 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173

using snort, obviously, and generated from our machine that acts as our site 'web-cache/proxy'... this was followed by about 3/4 other similar 'scans' acknowledged by snort...

What interested me was the source of the addresses:

LucasArts Entertainment Company (LUCASARTS-DOM) (NETBLK-LOCO-NET-LUCASARTS)
PO Box 10307
San Rafael, CA 94912
US

Netname: LOCO-NET-LUCASARTS
Netblock: 206.251.0.128 - 206.251.0.191

... has anyone else seen this kind of activity, and can the snort portscan detection be trusted?

Thanks....

--
---------------------------------------------------------------->
Peter Bates, Systems Support Officer, Network Support Team.
London School of Hygiene & Tropical Medicine.
Telephone:0207-927 2124 / Fax:0207-436 5389 / Pager: 07625 255362
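
A small triage script for alerts like those in the message above, added here as an example and not part of the original post or of snort: it tallies spp_portscan events per source together with the connection and host counts from the status lines. The 192.0.2.10 lines are constructed for contrast, and the `min_conns` threshold and the two labels are assumptions.

```python
import re
from collections import defaultdict

# Lines from 206.251.0.173 are the post's own; 192.0.2.10 lines are constructed.
SAMPLE_LOG = """\
Jun 7 13:27:01 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun 7 13:27:14 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:27:19 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
Jun 7 13:30:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun 7 13:30:58 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:31:04 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
Jun 7 13:32:52 www-cache.lshtm.ac.uk snort[632]: spp_portscan: PORTSCAN DETECTED from 206.251.0.173
Jun 7 13:32:59 www-cache.lshtm.ac.uk snort[632]: spp_portscan: portscan status from 206.251.0.173: 1 connections across 1 hosts: TCP(1), UDP(0) STEALTH
Jun 7 13:33:06 www-cache.lshtm.ac.uk snort[632]: spp_portscan: End of portscan from 206.251.0.173
Jun 7 14:02:10 ids.example.org snort[632]: spp_portscan: PORTSCAN DETECTED from 192.0.2.10
Jun 7 14:02:16 ids.example.org snort[632]: spp_portscan: portscan status from 192.0.2.10: 45 connections across 12 hosts: TCP(45), UDP(0)
Jun 7 14:02:30 ids.example.org snort[632]: spp_portscan: End of portscan from 192.0.2.10
"""

DETECT = re.compile(r"spp_portscan: PORTSCAN DETECTED from (\S+)")
STATUS = re.compile(
    r"spp_portscan: portscan status from (\S+): (\d+) connections across "
    r"(\d+) hosts: TCP\((\d+)\), UDP\((\d+)\)( STEALTH)?")

def summarize(log_text):
    """Per source: alert count, plus totals and maxima from the status lines."""
    stats = defaultdict(lambda: {"events": 0, "connections": 0,
                                 "max_conns": 0, "max_hosts": 0, "stealth": 0})
    for line in log_text.splitlines():
        if m := DETECT.search(line):
            stats[m.group(1)]["events"] += 1
        elif m := STATUS.search(line):
            s, conns, hosts = stats[m.group(1)], int(m.group(2)), int(m.group(3))
            s["connections"] += conns
            s["max_conns"] = max(s["max_conns"], conns)
            s["max_hosts"] = max(s["max_hosts"], hosts)
            s["stealth"] += 1 if m.group(6) else 0
    return dict(stats)

def triage(stats, min_conns=5):
    """Label sources; min_conns is an assumed threshold, tune it per site."""
    return {src: "sweep" if s["max_hosts"] > 1 or s["max_conns"] >= min_conns
            else "low-volume" for src, s in stats.items()}

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, label in triage(stats).items():
        print(src, label, stats[src])
```

For the alerts in the post this reports three events that each cover one connection to one host, which is the detail to compare against a packet capture before treating the source as a scanner.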