Security Incidents mailing list archives
Re: Scan that doesn't make sense
From: Johan Augustsson <johan.augustsson () adm gu se>
Date: Wed, 6 Feb 2002 19:04:17 +0100
On Wed, Feb 06, 2002 at 11:39:56AM -0500, McCammon, Keith wrote:
> This certainly doesn't look like any of the well-known scripts that I've seen in recent months. In fact, if you look at the timestamps, it seems likely that this was done manually. Look at the different tools/methods used to probe the system, and then look at the gaps between them. Either a very odd script, or someone with too much time on their hands.
>
> Do you happen to have any event correlation software in place that might tell you if this fellow has been caught poking around prior to this incident?
>
> Cheers
> Keith
According to my Snort logs this was the first time this fellow got into that particular subnet. We do not have any centralised Snort box for our /16 net yet, so this is just for a /24. As I mentioned in my first mail, there must be a truckload of traffic that Snort didn't pick up, since we're only using the default ruleset plus a few custom rules to pick up the ftp and printer scans.

But why did he first run some cmd.exe stuff and a few minutes later do a portscan? I just don't get it, or are those script kiddies really that, eherm... stupid?

Are you guys getting any ICMP superscan Echo in your Snort logs? Since I wrote the rule (brag, brag, brag) it would be fun to know if folks are using it, or if it triggers too many false alarms. The ICMP superscan Echoes I get nearly all originate from dialup or *dsl accounts. That makes me believe that SuperScan is the only tool (or one of very few) that uses a payload of eight zeroes in its ICMP Echo Requests.

/Johan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
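The signature Johan describes, an ICMP Echo Request whose entire payload is eight zero bytes, is easy to check against captured packets outside Snort. The following is an added example, not code from the original post and not Johan's Snort rule (which is not reproduced on this page). It parses raw IPv4/ICMP packets, verifies the ICMP checksum, and flags only type 8 / code 0 echoes whose payload is exactly `\x00` * 8. The packets it runs over are constructed inline: one SuperScan-style echo with the eight-zero payload, a Linux-style ping (8-byte timestamp plus 0x10..0x3f pattern), a Windows-style ping ("abcdefgh..." repeated to 32 bytes), and an Echo Reply carrying eight zeros. The addresses are made up.

```python
import socket
import struct
from typing import Dict, List, Optional

# The payload Johan attributes to SuperScan's ICMP Echo Requests.
SUPERSCAN_PAYLOAD = b"\x00" * 8

IP_FMT = "!BBHHHBBH4s4s"   # IPv4 header without options (20 bytes)
ICMP_FMT = "!BBHHH"        # type, code, checksum, identifier, sequence


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for both IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(src: str, dst: str, itype: int, payload: bytes,
                    ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed test packet: minimal IPv4 header + ICMP message (code 0)."""
    icmp_no_csum = struct.pack(ICMP_FMT, itype, 0, 0, ident, seq)
    icmp = struct.pack(ICMP_FMT, itype, 0, inet_checksum(icmp_no_csum + payload),
                       ident, seq) + payload
    fields = [0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = inet_checksum(struct.pack(IP_FMT, *fields))  # IP header checksum
    return struct.pack(IP_FMT, *fields) + icmp


def parse_icmp(pkt: bytes) -> Optional[Dict]:
    """Return src/dst/type/code/payload for a well-formed IPv4/ICMP packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or pkt[9] != 1:          # not IPv4 with a sane IHL, or not ICMP
        return None
    total_len = struct.unpack("!H", pkt[2:4])[0]
    icmp = pkt[ihl:min(total_len, len(pkt))]
    if len(icmp) < 8:                    # truncated: no full ICMP echo header
        return None
    itype, icode, csum, ident, seq = struct.unpack(ICMP_FMT, icmp[:8])
    if inet_checksum(icmp[:2] + b"\x00\x00" + icmp[4:]) != csum:
        return None                      # corrupt or mangled, don't trust the bytes
    return {
        "src": socket.inet_ntoa(pkt[12:16]),
        "dst": socket.inet_ntoa(pkt[16:20]),
        "type": itype,
        "code": icode,
        "payload": icmp[8:],
    }


def is_superscan_echo(pkt: bytes) -> bool:
    """True only for an Echo Request (type 8, code 0) whose whole payload is 8 zero bytes."""
    info = parse_icmp(pkt)
    return bool(info) and info["type"] == 8 and info["code"] == 0 \
        and info["payload"] == SUPERSCAN_PAYLOAD


def find_superscan_echoes(pkts: List[bytes]) -> List[str]:
    """Return 'src -> dst' for every packet that matches the signature."""
    hits = []
    for pkt in pkts:
        if is_superscan_echo(pkt):
            info = parse_icmp(pkt)
            hits.append(f"{info['src']} -> {info['dst']}")
    return hits


# Constructed sample traffic (addresses and contents are made up for the example).
SAMPLE_PACKETS = [
    build_ipv4_icmp("10.0.0.5", "192.0.2.10", 8, SUPERSCAN_PAYLOAD),           # SuperScan-style
    build_ipv4_icmp("10.0.0.6", "192.0.2.10", 8,                               # Linux-style ping
                    b"\x00" * 8 + bytes(range(0x10, 0x40))),
    build_ipv4_icmp("10.0.0.7", "192.0.2.10", 8,                               # Windows-style ping
                    b"abcdefghijklmnopqrstuvwabcdefghi"),
    build_ipv4_icmp("192.0.2.10", "10.0.0.5", 0, SUPERSCAN_PAYLOAD),           # Echo Reply, not Request
    build_ipv4_icmp("10.0.0.8", "192.0.2.10", 8, SUPERSCAN_PAYLOAD)[:24],      # truncated on the wire
]

if __name__ == "__main__":
    for hit in find_superscan_echoes(SAMPLE_PACKETS):
        print("ICMP superscan Echo:", hit)
```

Two details matter when turning this into an IDS rule. The check is on the exact payload length as well as its content: a match on eight zero bytes alone would also fire on any longer echo payload that happens to start with zeros, so a size constraint (Snort's `dsize`) belongs alongside the content match. And because the signature is so short, a hit says only that the payload looks like SuperScan's; it says nothing about what the sender did next, which is exactly why Johan asks whether the rule generates too many false alarms in other people's logs.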
Current thread:
- Scan that doesn't make sense Johan Augustsson (Feb 06)
- <Possible follow-ups>
- Re: Scan that doesn't make sense Johan Augustsson (Feb 06)