Security Incidents mailing list archives

Surge in probes or coincidence?


From: Dave Elfering <elfering () WERNERLOGISTICS COM>
Date: Wed, 28 Mar 2001 09:32:17 -0600

We don't normally see too much activity on our little segment, so I was
surprised to see several probes in relatively close sequence to one another.

One from Korea looking for port 111 (RPC), two from the European block
addresses looking for FTP servers.

Anyone else see a (relative) surge of activity from these sources?

Here is some scrubbed data from NFR:

Severity:           Attack
Time:               08:37:01 28-Mar-2001
Source:             HOST_SCAN
Alert Message:      Suspicious Activity: Looks like a host
                    scan: 211.252.129.251-192.168.1.64/27:
                    [192.168.1.65,192.168.1.73,192.168.1.66,
                    192.168.1.81,192.168.1.87,192.168.1.94,
                    192.168.1.92,192.168.1.68,192.168.1.76,
                    192.168.1.84]\x0a

Time:               28-Mar-2001 08:35:00
Source Port:        2770
Destination Port:   111
Source Host:        211.252.129.251
Destination Host:   192.168.1.35
New Connections:    1


---------------------------------------------------------
Severity:           Attack
Time:               08:32:31 28-Mar-2001
Source:             HOST_SCAN
Alert Message:      Suspicious Activity: Looks like a host
                    scan: 62.26.18.17-192.168.1.64/27:
                    [192.168.1.64,192.168.1.65,192.168.1.66,
                    192.168.1.67,192.168.1.68,192.168.1.69,
                    192.168.1.70,192.168.1.71,192.168.1.72,
                    192.168.1.73,192.168.1.74,192.168.1.75,
                    192.168.1.76,192.168.1.77,192.168.1.7...

Time:               28-Mar-2001 08:30:00
Source Port:        21
Destination Port:   21
Source Host:        62.26.18.17
Destination Host:   192.168.1.35
New Connections:    1


--------------------------------------------------------

Severity:           Attack
Time:               03:01:06 28-Mar-2001
Source:             HOST_SCAN
Alert Message:      Suspicious Activity: Looks like a host
                    scan: 212.120.107.203-192.168.1.64/27:
                    [192.168.1.64,192.168.1.65,192.168.1.66,
                    192.168.1.67,192.168.1.68,192.168.1.69,
                    192.168.1.70,192.168.1.71,192.168.1.72,
                    192.168.1.73,192.168.1.74,192.168.1.75,
                    192.168.1.76,192.168.1.77,63.68....

Time:               28-Mar-2001 03:00:00
Source Port:        1253
Destination Port:   21
Source Host:        212.120.107.203
Destination Host:   192.168.1.68
New Connections:    1

