Security Incidents mailing list archives
weird scan pattern
From: joe () ITS UNIMELB EDU AU (Joe H)
Date: Mon, 29 May 2000 08:51:13 +1000
Hi all,

Does someone know the signature for this "attack"?

Note:
A. The host mentioned on the right is one of our hosts.
B. It is not possible for someone to be running a probe to the remote host ("proxy...") since no one has perms to run services/programs binding to < port 1023 on ourhost (and ourhost has not been r00ted).
C. The remote host appears to be a proxy server.

Is it a user from "proxy..." who thinks that our host is running a web server (which it isn't)?

What appears strange is the almost exact +1 incrementing port numbers from the source ("proxy....") host.

May 28 14:47|proxy.library.uq.edu.au|4114|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4115|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4116|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4117|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4120|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4121|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4122|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4124|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4125|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4126|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4127|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4129|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4130|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4133|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4134|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4135|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4137|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4139|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4140|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4141|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4142|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4143|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4144|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4145|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4147|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4149|ourhost.ourdomain.au|80

<<<list goes on and on at a rate of about 200/sec>>>

Kind Regards,
Joe
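An added example, not part of the original post: a Python triage helper that parses the pipe-delimited log format shown in the message and measures how source ports advance within each (source, destination, destination port) flow. The function names, the max_step threshold and the report fields are assumptions chosen for illustration; the sample input is the first eight entries of the log in the post.

```python
from collections import defaultdict

# Sample input: the first eight entries of the log quoted in the post.
SAMPLE = """\
May 28 14:47|proxy.library.uq.edu.au|4114|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4115|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4116|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4117|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4120|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4121|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4122|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4124|ourhost.ourdomain.au|80
"""

def parse(line):
    """Split one 'timestamp|src|sport|dst|dport' record; None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, src, sport, dst, dport = parts
    if not (sport.isdigit() and dport.isdigit()):
        return None
    return ts, src, int(sport), dst, int(dport)

def summarize(text, max_step=4):
    """Group records by (src, dst, dport) and describe source-port steps."""
    flows = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            _, src, sport, dst, dport = rec
            flows[(src, dst, dport)].append(sport)
    report = {}
    for key, ports in flows.items():
        # Difference between each logged source port and the previous one.
        steps = [b - a for a, b in zip(ports, ports[1:])]
        small = sum(1 for s in steps if 1 <= s <= max_step)
        report[key] = {
            "connections": len(ports),
            "steps": steps,
            # Ports inside the observed range that never appear in this flow.
            "skipped_ports": sum(s - 1 for s in steps if s > 1),
            "sequential_ratio": small / len(steps) if steps else 0.0,
        }
    return report

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```
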