Security Incidents mailing list archives
Interesting scan
From: Bruce Parkinson <bruce.parkinson () PAVTECH CO NZ>
Date: Tue, 27 Feb 2001 10:20:47 +1300
Hi folks,

I received this scan on my home PC. I've never seen one like this before - anyone seen a tool to do this?

Logs are from an OpenBSD/ipfilter combo - xx.xx.xx.xx is his IP address, yy.yy.yy.yy is my IP address, time is local. Scan came from a dialup port at another ISP. Our servers here at work didn't receive the same scan, suggesting either a targeted scan or a random class C.

Feb 23 20:29:20 gw ipmon[7532]: 20:29:19.913156 tun0 @0:32 p xx.xx.xx.xx -> yy.yy.yy.yy PR icmp len 20 16384 icmp 8/0
Feb 23 20:29:22 gw ipmon[7532]: 20:29:21.973737 tun0 @0:34 b xx.xx.xx.xx,2234 -> yy.yy.yy.yy,8080 PR tcp len 20 48 -S
Feb 23 20:29:23 gw ipmon[7532]: 20:29:22.861788 tun0 @0:34 b xx.xx.xx.xx,2235 -> yy.yy.yy.yy,80 PR tcp len 20 48 -S
Feb 23 20:29:23 gw ipmon[7532]: 20:29:22.971033 tun0 @0:34 b xx.xx.xx.xx,2236 -> yy.yy.yy.yy,8000 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.413716 tun0 @0:34 b xx.xx.xx.xx,2238 -> yy.yy.yy.yy,8888 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.459050 tun0 @0:34 b xx.xx.xx.xx,2239 -> yy.yy.yy.yy,10080 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.482886 tun0 @0:34 b xx.xx.xx.xx,2240 -> yy.yy.yy.yy,81 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.487500 tun0 @0:34 b xx.xx.xx.xx,2241 -> yy.yy.yy.yy,3128 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.610026 tun0 @0:34 b xx.xx.xx.xx,2243 -> yy.yy.yy.yy,23 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.620811 tun0 @0:34 b xx.xx.xx.xx,2242 -> yy.yy.yy.yy,1080 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.634191 tun0 @0:34 b xx.xx.xx.xx,2244 -> yy.yy.yy.yy,21 PR tcp len 20 48 -S
Feb 23 20:29:25 gw ipmon[7532]: 20:29:24.997069 tun0 @0:34 b xx.xx.xx.xx,2234 -> yy.yy.yy.yy,8080 PR tcp len 20 48 -S
Feb 23 20:29:26 gw ipmon[7532]: 20:29:25.831763 tun0 @0:34 b xx.xx.xx.xx,2235 -> yy.yy.yy.yy,80 PR tcp len 20 48 -S
Feb 23 20:29:26 gw ipmon[7532]: 20:29:25.890461 tun0 @0:34 b xx.xx.xx.xx,2236 -> yy.yy.yy.yy,8000 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.339200 tun0 @0:34 b xx.xx.xx.xx,2238 -> yy.yy.yy.yy,8888 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.427043 tun0 @0:34 b xx.xx.xx.xx,2241 -> yy.yy.yy.yy,3128 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.461000 tun0 @0:34 b xx.xx.xx.xx,2240 -> yy.yy.yy.yy,81 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.474311 tun0 @0:34 b xx.xx.xx.xx,2239 -> yy.yy.yy.yy,10080 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.540992 tun0 @0:34 b xx.xx.xx.xx,2243 -> yy.yy.yy.yy,23 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.557039 tun0 @0:34 b xx.xx.xx.xx,2242 -> yy.yy.yy.yy,1080 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.565064 tun0 @0:34 b xx.xx.xx.xx,2244 -> yy.yy.yy.yy,21 PR tcp len 20 48 -S
Feb 23 20:29:33 gw ipmon[7532]: 20:29:32.600511 tun0 @0:34 b xx.xx.xx.xx,2243 -> yy.yy.yy.yy,23 PR tcp len 20 48 -S
Feb 23 20:29:42 gw ipmon[7532]: 20:29:41.440641 tun0 @0:34 b xx.xx.xx.xx,2246 -> yy.yy.yy.yy,1080 PR tcp len 20 48 -S
Feb 23 20:29:45 gw ipmon[7532]: 20:29:44.480546 tun0 @0:34 b xx.xx.xx.xx,2246 -> yy.yy.yy.yy,1080 PR tcp len 20 48 -S

Comments welcome.

Thanks,
Bruce

-------------------------------------------------------
Bruce Parkinson
Systems Administrator
PavTech NZ Ltd & Wave Internet
PO Box 935, WMC Hamilton, NEW ZEALAND
Phone +64 7 838-2010
Fax +64 7 838-0977
Mobile +64 25 545-142
bruce.parkinson () pavtech co nz
http://www.pavtech.co.nz/
http://www.wave.co.nz/
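An added Python example, not part of the original post: it tallies ipmon entries like those above per source, treating a repeated source-port/destination-port pair as a retransmitted SYN rather than a new probe. The names ENTRY, to_seconds and summarize are this example's own, and SAMPLE is a subset of the log lines in the post.

```python
import re
from collections import defaultdict

# ipmon entry: time, interface, @group:rule, action (p=pass, b=block), endpoints, protocol, flags
ENTRY = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) \S+ @\d+:\d+ (?P<action>\w) "
    r"(?P<src>[^,\s]+)(?:,(?P<sport>\d+))? -> [^,\s]+(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len \d+ \d+ ?(?P<flags>\S*)")

def to_seconds(stamp):
    h, m, s = stamp.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)

def summarize(lines):
    """Per source: distinct ports probed, distinct connections, and retry gaps."""
    seen = defaultdict(lambda: defaultdict(list))  # src -> (sport, dport) -> [times]
    for line in lines:
        m = ENTRY.search(line)
        if m and m["action"] == "b" and m["proto"] == "tcp" and m["flags"] == "-S":
            key = (int(m["sport"]), int(m["dport"]))
            seen[m["src"]][key].append(to_seconds(m["time"]))
    report = {}
    for src, conns in seen.items():
        packets = sum(len(t) for t in conns.values())
        report[src] = {
            "ports": sorted({dport for _, dport in conns}),
            "connections": len(conns),
            "retransmits": packets - len(conns),
            # gap in seconds between successive SYNs of one connection; gaps near
            # 3 s then 6 s are consistent with an OS TCP stack retrying connect()
            "gaps": {k: [round(b - a, 2) for a, b in zip(t, t[1:])]
                     for k, t in conns.items() if len(t) > 1},
        }
    return report

# Subset of the log lines in the post (addresses already masked by the poster)
SAMPLE = """\
Feb 23 20:29:20 gw ipmon[7532]: 20:29:19.913156 tun0 @0:32 p xx.xx.xx.xx -> yy.yy.yy.yy PR icmp len 20 16384 icmp 8/0
Feb 23 20:29:22 gw ipmon[7532]: 20:29:21.973737 tun0 @0:34 b xx.xx.xx.xx,2234 -> yy.yy.yy.yy,8080 PR tcp len 20 48 -S
Feb 23 20:29:23 gw ipmon[7532]: 20:29:22.861788 tun0 @0:34 b xx.xx.xx.xx,2235 -> yy.yy.yy.yy,80 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.610026 tun0 @0:34 b xx.xx.xx.xx,2243 -> yy.yy.yy.yy,23 PR tcp len 20 48 -S
Feb 23 20:29:25 gw ipmon[7532]: 20:29:24.997069 tun0 @0:34 b xx.xx.xx.xx,2234 -> yy.yy.yy.yy,8080 PR tcp len 20 48 -S
Feb 23 20:29:26 gw ipmon[7532]: 20:29:25.831763 tun0 @0:34 b xx.xx.xx.xx,2235 -> yy.yy.yy.yy,80 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.540992 tun0 @0:34 b xx.xx.xx.xx,2243 -> yy.yy.yy.yy,23 PR tcp len 20 48 -S
Feb 23 20:29:33 gw ipmon[7532]: 20:29:32.600511 tun0 @0:34 b xx.xx.xx.xx,2243 -> yy.yy.yy.yy,23 PR tcp len 20 48 -S
Feb 23 20:29:42 gw ipmon[7532]: 20:29:41.440641 tun0 @0:34 b xx.xx.xx.xx,2246 -> yy.yy.yy.yy,1080 PR tcp len 20 48 -S
Feb 23 20:29:45 gw ipmon[7532]: 20:29:44.480546 tun0 @0:34 b xx.xx.xx.xx,2246 -> yy.yy.yy.yy,1080 PR tcp len 20 48 -S
""".splitlines()
```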