Security Incidents mailing list archives
Re: Scan of ports 100 and 510
From: Sean Brown <srbrown () APPGEO COM>
Date: Mon, 27 Nov 2000 19:00:48 -0500
Len, I 've got a correlation on this traffic though the src address is different. My logs are GMT-5. Nov 26 19:31:27 <host> kernel: Packet log: bad-if REJECT eth0 PROTO=6 208.196.45.139:510 x.y.z.101:400 L=40 S=0x00 I=2162 F=0x0000 T=245 SYN (#39) Nov 26 19:31:30 <host> kernel: Packet log: bad-if REJECT eth0 PROTO=6 208.196.45.139:510 x.y.z.102:400 L=40 S=0x00 I=6261 F=0x0000 T=245 SYN (#39) ...throughout my subnet. -Sean Len Burns wrote:
Hi, Earlier this evening, I observed the following scan of most of our class C subnets: Nov 26 17:45:12 208.185.167.115:510 -> xxx.xxx.xxx.240:100 SYN ******S* And then 2 hours later: Nov 26 19:45:11 208.185.167.115:510 -> xxx.xxx.xxx.240:510 SYN ******S* (Logs in GMT-800) Researching this a bit all I could find is newacct 100/tcp unauthorized use fcp 510/tcp FirstClass Protocol I am not grasping the significance. Thoughts? -Len
-- ~~~~~~~~~~~~~~~ Sean R. Brown - srbrown () appgeo com System Administrator Applied Geographics, Inc. Boston, MA
Current thread:
- Scan of ports 100 and 510 Len Burns (Nov 28)
- Re: Scan of ports 100 and 510 Sean Brown (Nov 29)