Security Incidents mailing list archives

weird scan pattern

From: joe () ITS UNIMELB EDU AU (Joe H)
Date: Mon, 29 May 2000 08:51:13 +1000


Hi all,
Does someone know the signature for this "attack"?
Note:
A. The host mentioned on the right is one of our hosts
B. It is not a possible for someone to be running a probe
   to the remote host ("proxy...") since no one has perms to
   run services/programs binding to < port 1023 on ourhost
   (and ourhost has not been r00ted).
C. The remote host appears to be a proxy server

Is it a user from "proxy..." who thinks that our host is running a
web server (which is is'nt)? What appears strange is the almost
exact +1 incrementing port numbers from the source ("proxy....") host.

May 28 14:47|proxy.library.uq.edu.au|4114|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4115|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4116|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4117|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4120|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4121|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4122|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4124|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4125|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4126|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4127|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4129|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4130|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4133|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4134|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4135|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4137|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4139|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4140|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4141|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4142|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4143|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4144|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4145|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4147|ourhost.ourdomain.au|80
May 28 14:47|proxy.library.uq.edu.au|4149|ourhost.ourdomain.au|80

<<<list goes on and on at a rate of about 200/sec>>>

Kind Regards,
Joe

Current thread:

Re: ICMP attack in progress?, (continued)
- - - Re: ICMP attack in progress? Jason Storm (May 26)
  - afs3 exploit?? elijah wright (May 25)
    - Strange Happenings @Home Fred Hirsch (May 30)
  - AMDROCKS Jim Williams (May 25)
    - Attacks on port 25 Vincent Lim (May 25)
    - Re: Attacks on port 25 Ryan Russell (May 26)
    - Re: Attacks on port 25 Bill Lavalette (May 28)
    - Re: Attacks on port 25 RayW (May 29)
    - invalid icmp in linux? Eric LeBlanc (May 27)
    - Re: invalid icmp in linux? Jose Nazario (May 28)
    - weird scan pattern Joe H (May 28)
    - Re: weird scan pattern Russell Fulton (May 29)
    - IDS: Scan of the week Lance Spitzner (May 30)
    - 5 scans of 12345 in a couple of hours. AUSCERT#36349 Russell Fulton (May 31)
    - Taiwan server compromise Claudiu Costin (May 26)
    - Re: Taiwan server compromise Vortex (May 26)
    - port 44767 activity Nathan Fain (May 28)
    - Re: AMDROCKS Alejandro (May 26)
    - Re: AMDROCKS J. S. Townsley (May 26)
    - Re: AMDROCKS Lance Spitzner (May 26)
    - Re: AMDROCKS Matthew F. Caldwell (May 26)

(Thread continues...)