Security Incidents mailing list archives
Port 111 Scans (odd single IP# probes too)
From: Bryan Andersen <bryan () visi com>
Date: Wed, 14 Mar 2001 01:43:03 -0600
Chris Schuler wrote:
> anyone else seeing port 111/rpc scans from this ip? 211.185.160.193
> I've seen at least two walks of my ip address space by this host.
>
> Mar 13 09:45:08 211.185.160.193:4671 -> xxx.xxx.xxx.xxx:111 SYN ******S*
> Mar 13 09:45:08 211.185.160.193:4670 -> xxx.xxx.xxx.xxx:111 SYN ******S*
> Mar 13 09:45:08 211.185.160.193:4672 -> xxx.xxx.xxx.xxx:111 SYN ******S*
> ...

No, but I have from a bunch of other IP#s. It seems like a lot of them lately. This is just from Mar 5th till now. I also find the number of single *.17 probes interesting. For each of the single probes this was the only activity seen from that */16 net with one exception that had web activity for a different IP# on a different day.

Dates and times are US/Central, -500. Output is tcpdump.

File tcp.2001-03-05_06:03:39.gz
------------------------
06:07:24.543582 210.0.140.2.2961 > *.16.111: S 1350150974:1350150974(0) win 32120 <mss 1460,sackOK,timestamp 2439002 0,nop,wscale 0> (DF)
06:07:24.544879 210.0.140.2.2962 > *.17.111: S 1349617676:1349617676(0) win 32120 <mss 1460,sackOK,timestamp 2439002 0,nop,wscale 0> (DF)
06:07:24.546376 210.0.140.2.2964 > *.19.111: S 1358368956:1358368956(0) win 32120 <mss 1460,sackOK,timestamp 2439002 0,nop,wscale 0> (DF)

File tcp.2001-03-05_16:00:01.gz
------------------------
16:50:20.063618 57.66.15.3.2451 > *.17.111: S 692114147:692114147(0) win 32120 <mss 1460,sackOK,timestamp 65274700 0,nop,wscale 0> (DF)

File tcp.2001-03-05_20:00:01.gz
------------------------
20:56:08.357111 138.100.124.208.1527 > *.16.111: S 3604836085:3604836085(0) win 32120 <mss 1460,sackOK,timestamp 4950704 0,nop,wscale 0> (DF)
20:56:08.602220 138.100.124.208.1528 > *.17.111: S 3605504737:3605504737(0) win 32120 <mss 1460,sackOK,timestamp 4950704 0,nop,wscale 0> (DF)
20:56:08.609674 138.100.124.208.1530 > *.19.111: S 3605790791:3605790791(0) win 32120 <mss 1460,sackOK,timestamp 4950704 0,nop,wscale 0> (DF)
20:56:11.183019 138.100.124.208.1528 > *.17.111: S 3605504737:3605504737(0) win 32120 <mss 1460,sackOK,timestamp 4951004 0,nop,wscale 0> (DF)
20:56:11.184461 138.100.124.208.1530 > *.19.111: S 3605790791:3605790791(0) win 32120 <mss 1460,sackOK,timestamp 4951004 0,nop,wscale 0> (DF)
20:56:11.185647 138.100.124.208.1527 > *.16.111: S 3604836085:3604836085(0) win 32120 <mss 1460,sackOK,timestamp 4951004 0,nop,wscale 0> (DF)

File tcp.2001-03-06_11:00:01.gz
------------------------
11:52:17.543331 211.20.96.109.765 > *.16.111: S 2745833423:2745833423(0) win 16060 <mss 1460,sackOK,timestamp 73530420 0,nop,wscale 0> (DF)
11:52:17.559887 211.20.96.109.766 > *.17.111: S 2751743162:2751743162(0) win 16060 <mss 1460,sackOK,timestamp 73530423 0,nop,wscale 0> (DF)
11:52:17.587212 211.20.96.109.768 > *.19.111: S 2739880437:2739880437(0) win 16060 <mss 1460,sackOK,timestamp 73530428 0,nop,wscale 0> (DF)
11:52:20.438161 211.20.96.109.765 > *.16.111: S 2745833423:2745833423(0) win 16060 <mss 1460,sackOK,timestamp 73530720 0,nop,wscale 0> (DF)
11:52:20.448115 211.20.96.109.766 > *.17.111: S 2751743162:2751743162(0) win 16060 <mss 1460,sackOK,timestamp 73530723 0,nop,wscale 0> (DF)
11:52:20.515802 211.20.96.109.768 > *.19.111: S 2739880437:2739880437(0) win 16060 <mss 1460,sackOK,timestamp 73530728 0,nop,wscale 0> (DF)

File tcp.2001-03-06_18:00:20.gz
------------------------
18:12:51.287612 63.237.170.8.4001 > *.17.111: S 345196125:345196125(0) win 32120 <mss 1460,sackOK,timestamp 8516589 0,nop,wscale 0> (DF)

File tcp.2001-03-06_20:00:47.gz
------------------------
20:21:29.548384 4.33.199.246.2413 > *.16.111: S 4257382697:4257382697(0) win 32120 <mss 1460,sackOK,timestamp 52197010 0,nop,wscale 0> (DF)

File tcp.2001-03-06_22:00:16.gz
------------------------
22:09:15.144595 24.27.244.122.2415 > *.16.111: S 2142110321:2142110321(0) win 32120 <mss 1460,sackOK,timestamp 3231310 0,nop,wscale 0> (DF)
22:09:15.145898 24.27.244.122.2416 > *.17.111: S 2147217323:2147217323(0) win 32120 <mss 1460,sackOK,timestamp 3231310 0,nop,wscale 0> (DF)
22:09:15.147396 24.27.244.122.2418 > *.19.111: S 2153850690:2153850690(0) win 32120 <mss 1460,sackOK,timestamp 3231310 0,nop,wscale 0> (DF)
22:09:17.896265 24.27.244.122.2415 > *.16.111: S 2142110321:2142110321(0) win 32120 <mss 1460,sackOK,timestamp 3231610 0,nop,wscale 0> (DF)
22:09:17.897609 24.27.244.122.2416 > *.17.111: S 2147217323:2147217323(0) win 32120 <mss 1460,sackOK,timestamp 3231610 0,nop,wscale 0> (DF)
22:09:17.900415 24.27.244.122.2418 > *.19.111: S 2153850690:2153850690(0) win 32120 <mss 1460,sackOK,timestamp 3231610 0,nop,wscale 0> (DF)
22:09:23.768779 24.27.244.122.2415 > *.16.111: S 2142110321:2142110321(0) win 32120 <mss 1460,sackOK,timestamp 3232210 0,nop,wscale 0> (DF)
22:09:23.770119 24.27.244.122.2416 > *.17.111: S 2147217323:2147217323(0) win 32120 <mss 1460,sackOK,timestamp 3232210 0,nop,wscale 0> (DF)
22:09:23.805347 24.27.244.122.2418 > *.19.111: S 2153850690:2153850690(0) win 32120 <mss 1460,sackOK,timestamp 3232210 0,nop,wscale 0> (DF)

File tcp.2001-03-07_14:01:15.gz
------------------------
14:51:47.682161 211.174.179.233.2617 > *.16.111: S 1286938356:1286938356(0) win 32120 <mss 1460,sackOK,timestamp 144922346 0,nop,wscale 0> (DF)
14:51:47.683475 211.174.179.233.2618 > *.17.111: S 1279339279:1279339279(0) win 32120 <mss 1460,sackOK,timestamp 144922346 0,nop,wscale 0> (DF)
14:51:47.686269 211.174.179.233.2620 > *.19.111: S 1273981360:1273981360(0) win 32120 <mss 1460,sackOK,timestamp 144922346 0,nop,wscale 0> (DF)

File tcp.2001-03-08_03:00:03.gz
------------------------
03:18:17.650659 216.40.82.34.4008 > *.17.111: S 3244583708:3244583708(0) win 32120 <mss 1460,sackOK,timestamp 23510927 0,nop,wscale 0> (DF)
03:18:17.652150 216.40.82.34.4010 > *.19.111: S 3236756659:3236756659(0) win 32120 <mss 1460,sackOK,timestamp 23510927 0,nop,wscale 0> (DF)
03:18:19.562250 216.40.82.34.3814 > *.16.111: S 3237532592:3237532592(0) win 32120 <mss 1460,sackOK,timestamp 23511117 0,nop,wscale 0> (DF)
03:18:20.670759 216.40.82.34.4008 > *.17.111: S 3244583708:3244583708(0) win 32120 <mss 1460,sackOK,timestamp 23511227 0,nop,wscale 0> (DF)
03:18:20.672179 216.40.82.34.4010 > *.19.111: S 3236756659:3236756659(0) win 32120 <mss 1460,sackOK,timestamp 23511227 0,nop,wscale 0> (DF)

File tcp.2001-03-08_08:03:01.gz
------------------------
08:32:51.419847 210.12.143.7.4888 > *.17.111: S 119650412:119650412(0) win 32120 <mss 1460,sackOK,timestamp 10697278 0,nop,wscale 0> (DF)

File tcp.2001-03-09_22:00:02.gz
------------------------
22:39:17.163349 211.217.137.225.3625 > *.17.111: S 3388248271:3388248271(0) win 32120 <mss 1460,sackOK,timestamp 64704099 0,nop,wscale 0> (DF)

File tcp.2001-03-10_10:00:03.gz
------------------------
10:41:19.579963 202.69.83.4.4745 > *.17.111: S 3653009893:3653009893(0) win 32120 <mss 1460,sackOK,timestamp 20633334 0,nop,wscale 0> (DF)
10:41:19.581437 202.69.83.4.4752 > *.19.111: S 3650648111:3650648111(0) win 32120 <mss 1460,sackOK,timestamp 20633334 0,nop,wscale 0> (DF)
10:41:19.583899 202.69.83.4.4744 > *.16.111: S 3661270159:3661270159(0) win 32120 <mss 1460,sackOK,timestamp 20633334 0,nop,wscale 0> (DF)
10:44:02.168577 208.59.211.26.1424 > *.16.111: S 2302414493:2302414493(0) win 32120 <mss 1460,sackOK,timestamp 7871503 0,nop,wscale 0> (DF)
10:44:02.171259 208.59.211.26.1425 > *.17.111: S 2310082611:2310082611(0) win 32120 <mss 1460,sackOK,timestamp 7871503 0,nop,wscale 0> (DF)
10:44:02.172700 208.59.211.26.1427 > *.19.111: S 2300000484:2300000484(0) win 32120 <mss 1460,sackOK,timestamp 7871503 0,nop,wscale 0> (DF)
10:44:05.162774 208.59.211.26.1424 > *.16.111: S 2302414493:2302414493(0) win 32120 <mss 1460,sackOK,timestamp 7871803 0,nop,wscale 0> (DF)
10:44:05.165449 208.59.211.26.1425 > *.17.111: S 2310082611:2310082611(0) win 32120 <mss 1460,sackOK,timestamp 7871803 0,nop,wscale 0> (DF)
10:44:05.166922 208.59.211.26.1427 > *.19.111: S 2300000484:2300000484(0) win 32120 <mss 1460,sackOK,timestamp 7871803 0,nop,wscale 0> (DF)

File tcp.2001-03-10_16:00:04.gz
------------------------
16:07:57.817698 195.153.143.19.3402 > *.19.111: S 1688294726:1688294726(0) win 32120 <mss 1460,sackOK,timestamp 21475244 0,nop,wscale 0> (DF)
16:07:57.827483 195.153.143.19.3400 > *.17.111: S 1696172852:1696172852(0) win 32120 <mss 1460,sackOK,timestamp 21475244 0,nop,wscale 0> (DF)
16:07:57.834149 195.153.143.19.3399 > *.16.111: S 1696129009:1696129009(0) win 32120 <mss 1460,sackOK,timestamp 21475244 0,nop,wscale 0> (DF)

File tcp.2001-03-13_09:00:04.gz
------------------------
09:44:32.709245 129.142.170.149.2051 > *.17.111: S 1252476865:1252476865(0) win 32120 <mss 1460,sackOK,timestamp 6967404 0,nop,wscale 0> (DF)

File tcp.2001-03-13_16:00:40.gz
------------------------
16:24:57.727282 216.29.28.46.3339 > *.17.111: S 3529363346:3529363346(0) win 32120 <mss 1460,sackOK,timestamp 115469605 0,nop,wscale 0> (DF)

File tcp.2001-03-13_18:00:51.gz
------------------------
18:25:42.561471 210.178.22.129.3353 > *.16.111: S 1232149209:1232149209(0) win 32120 <mss 1460,sackOK,timestamp 51103188 0,nop,wscale 0> (DF)
18:25:42.564074 210.178.22.129.3354 > *.17.111: S 1236301047:1236301047(0) win 32120 <mss 1460,sackOK,timestamp 51103188 0,nop,wscale 0> (DF)
18:25:42.565577 210.178.22.129.3356 > *.19.111: S 1225194465:1225194465(0) win 32120 <mss 1460,sackOK,timestamp 51103188 0,nop,wscale 0> (DF)
18:25:45.537391 210.178.22.129.3353 > *.16.111: S 1232149209:1232149209(0) win 32120 <mss 1460,sackOK,timestamp 51103488 0,nop,wscale 0> (DF)
18:25:45.538729 210.178.22.129.3354 > *.17.111: S 1236301047:1236301047(0) win 32120 <mss 1460,sackOK,timestamp 51103488 0,nop,wscale 0> (DF)
18:25:45.541507 210.178.22.129.3356 > *.19.111: S 1225194465:1225194465(0) win 32120 <mss 1460,sackOK,timestamp 51103488 0,nop,wscale 0> (DF)

--
| Bryan Andersen | bryan () visi com | http://softail.visi.com |
| Buzzwords are like annoying little flies that deserve to be swatted. |
| -Bryan Andersen |
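
Added example, not part of the original post: one way to triage tcpdump output like the above is to group inbound SYNs to port 111 by source, separating multi-host sweeps from one-off probes and counting retransmitted SYNs. The function names and the sample lines (RFC 5737 documentation addresses) are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the tcpdump format shown in the post. Sources are
# RFC 5737 documentation addresses, not hosts from the thread.
SAMPLE = """\
06:07:24.543582 198.51.100.7.2961 > *.16.111: S 1350150974:1350150974(0) win 32120 <mss 1460> (DF)
06:07:24.544879 198.51.100.7.2962 > *.17.111: S 1349617676:1349617676(0) win 32120 <mss 1460> (DF)
06:07:24.546376 198.51.100.7.2964 > *.19.111: S 1358368956:1358368956(0) win 32120 <mss 1460> (DF)
06:07:27.543001 198.51.100.7.2961 > *.16.111: S 1350150974:1350150974(0) win 32120 <mss 1460> (DF)
06:07:27.544120 198.51.100.7.2962 > *.17.111: S 1349617676:1349617676(0) win 32120 <mss 1460> (DF)
06:07:27.546900 198.51.100.7.2964 > *.19.111: S 1358368956:1358368956(0) win 32120 <mss 1460> (DF)
16:50:20.063618 203.0.113.5.2451 > *.17.111: S 692114147:692114147(0) win 32120 <mss 1460> (DF)
18:12:51.287612 192.0.2.44.4001 > *.17.111: S 345196125:345196125(0) win 32120 <mss 1460> (DF)
18:13:02.100000 192.0.2.44.4002 > *.17.80: S 345200000:345200000(0) win 32120 <mss 1460> (DF)
"""

# time  src.sport > dst.dport: S seq:seq(0) ...
SYN_RE = re.compile(
    r"^\S+ (\d+(?:\.\d+){3})\.(\d+) > (\S+)\.(\d+): S (\d+):\d+\(0\)")

def summarize(text, port=111):
    """Per source: sweep or single probe, targets hit, retransmitted SYNs."""
    syns = Counter()
    flows = defaultdict(set)  # src -> {(sport, dst, seq)}; a repeat is a retransmit
    for line in text.splitlines():
        m = SYN_RE.match(line.strip())
        if not m or int(m.group(4)) != port:
            continue
        src, sport, dst, _, seq = m.groups()
        syns[src] += 1
        flows[src].add((sport, dst, seq))
    report = {}
    for src, seen in flows.items():
        targets = sorted({dst for _, dst, _ in seen})
        report[src] = {"kind": "sweep" if len(targets) > 1 else "single-probe",
                       "targets": targets,
                       "retransmits": syns[src] - len(seen)}
    return report

def single_probe_targets(report):
    """Count which destinations attract the one-off probes."""
    return Counter(r["targets"][0] for r in report.values()
                   if r["kind"] == "single-probe")
```

A destination that dominates the single-probe count, as *.17 does in the post, is worth checking against whatever about that host is visible from outside.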