Security Incidents mailing list archives
Re: [unisog] Re: large scale distributed scan of port tcp 445
From: Russell Fulton <r.fulton () auckland ac nz>
Date: 09 Aug 2002 12:50:49 +1200
On Fri, 2002-08-09 at 11:53, Muhammad Faisal Rauf Danka wrote:
> Which firewall logs are these? Because I'm unable to find the bits set, whether it was a TCP scan or half-open SYN scan? Since mostly worms would TCP scan from infected boxes, so if it's a SYN scan, then probably it's an intentional scan. Just wondering..
The scans were detected by my own scan detector, which is a Perl script and reads argus records. The code is distributed with argus <www.qosient.com>.

The probes were all TCP SYNs. Only one per target, which suggests a half-open scan (we block 445 at the firewall so nothing responded and I can't be sure if it really was a half-open scan).

I doubt very much if this is a worm; my guess is that it is some group with a group of zombies who want many more...

BTW a few weeks ago I did see some very similar scans but just with 10-20 hosts. It may be the same group with more resources...

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand
"It aint necessarily so" - Gershwin
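The reply above turns on two observations: many sources each sending a single SYN per target, and no response because the port is filtered. The following is an added example, not the Perl detector or argus code mentioned in the message. It shows why an unanswered SYN cannot be classified as half-open or full-connect, and how the distributed pattern can be flagged. The record layout, flag strings, and the `min_sources` threshold are assumptions, and the flow data is constructed.

```python
from collections import defaultdict

# Constructed flow records (not real argus output):
# (src, dst, dport, flags sent by initiator, flags sent by target)
# Flag letters: S=SYN, A=ACK, R=RST, F=FIN
FLOWS = [
    ("198.51.100.7", "10.0.0.1", 445, "S", ""),
    ("198.51.100.9", "10.0.0.2", 445, "S", ""),
    ("203.0.113.14", "10.0.0.3", 445, "S", ""),
    ("203.0.113.80", "10.0.0.4", 445, "S", ""),
    ("192.0.2.33",   "10.0.0.5", 445, "S", ""),
    ("192.0.2.50",   "10.0.0.9", 80, "SAF", "SAF"),  # ordinary session
    ("192.0.2.51",   "10.0.0.9", 80, "SR",  "SA"),   # SYN, SYN/ACK, RST
]

def classify_probe(init_flags, resp_flags):
    """Classify one connection attempt from the flags seen in each direction."""
    if "S" not in init_flags:
        return "not-a-connection-attempt"
    if not resp_flags:
        # Filtered port: the initiator never had to choose between ACK and
        # RST, so half-open and full-connect scans look identical here.
        return "unanswered-syn"
    if "S" in resp_flags and "A" in resp_flags:
        if "A" in init_flags:
            return "full-connect"      # handshake was completed
        if "R" in init_flags:
            return "half-open"         # torn down after the SYN/ACK
        return "syn-ack-ignored"
    return "refused" if "R" in resp_flags else "other"

def find_distributed_scans(flows, min_sources=5):
    """Flag ports probed by many sources with one unanswered SYN per target."""
    by_port = defaultdict(list)
    for src, dst, dport, init, resp in flows:
        if classify_probe(init, resp) == "unanswered-syn":
            by_port[dport].append((src, dst))
    findings = {}
    for port, pairs in by_port.items():
        sources = {s for s, _ in pairs}
        targets = {d for _, d in pairs}
        if len(sources) >= min_sources and len(pairs) == len(targets):
            findings[port] = {"sources": len(sources),
                              "targets": len(targets),
                              "probes": len(pairs)}
    return findings

if __name__ == "__main__":
    print(find_distributed_scans(FLOWS))
```
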