Security Incidents mailing list archives
RE: Odd scan
From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Sun, 21 Jul 2002 20:38:01 -0400
You might want to try searching the GIAC archives, as well as Google. I found these right off the bat: http://komura.net/snort/210/196/70/dest210.196.70.123-301.html http://komura.net/snort/210/196/70/dest210.196.70.122-201.html Same pattern. I don't know of any tool with this fingerprint, but there are a lot of similar portscan logs floating around... Cheers Keith
-----Original Message----- From: Tadas Miniotas [mailto:tadas () ipv6 lt] Sent: Saturday, July 20, 2002 1:04 PM To: incidents () securityfocus com Subject: Odd scan Hello, Just some snort logs I found interesting. Time is GMT+2, and the source IP comes from Malaysia. Earliest: 15:43:39 on 7/20/2002 Latest: 16:16:45 on 7/20/2002 * 584 instances of TCP ******S* scan Jul 20 15:43:39 202.151.224.13:2029 -> xxx.xxx.32.15:79 SYN ******S* Jul 20 15:43:39 202.151.224.13:2030 -> xxx.xxx.32.15:161 SYN ******S* Jul 20 15:43:39 202.151.224.13:2031 -> xxx.xxx.32.15:1524 SYN ******S* Jul 20 15:43:40 202.151.224.13:2024 -> xxx.xxx.32.13:161 SYN ******S* Jul 20 15:43:40 202.151.224.13:2025 -> xxx.xxx.32.13:1524 SYN ******S* Jul 20 15:43:42 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S* Jul 20 15:43:42 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S* Jul 20 15:43:42 202.151.224.13:2035 -> xxx.xxx.32.69:79 SYN ******S* Jul 20 15:43:42 202.151.224.13:2036 -> xxx.xxx.32.69:161 SYN ******S* Jul 20 15:43:42 202.151.224.13:2037 -> xxx.xxx.32.69:1524 SYN ******S* Jul 20 15:43:43 202.151.224.13:2033 -> xxx.xxx.32.62:161 SYN ******S* Jul 20 15:43:43 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S* Jul 20 15:43:43 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S* <snip> What seems odd to me is quite unusual set of ports for a scan. Quite a few vulnerabilities have been discovered in SNMP (port 161), an ingreslock service (port 1524) is reported to be used as an backdoor for several exploits against RPC services, finger is a rarely used service these days. So far, so good, but I fail to see what these three ports have in common. Has anyone seen something similar? Any insight would be greatly appreciated. Best regards, -- Tadas Miniotas LitNET NOC -------------------------------------------------------------- -------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Odd scan Tadas Miniotas (Jul 21)
- Re: Odd scan Russell Fulton (Jul 22)
- <Possible follow-ups>
- RE: Odd scan McCammon, Keith (Jul 22)
- Re: Odd scan Muhammad Faisal Rauf Danka (Jul 22)