Security Incidents mailing list archives

RE: Odd scan


From: "McCammon, Keith" <Keith.McCammon () eadvancemed com>
Date: Sun, 21 Jul 2002 20:38:01 -0400

You might want to try searching the GIAC archives, as well as Google.  I found these right off the bat:

http://komura.net/snort/210/196/70/dest210.196.70.123-301.html
http://komura.net/snort/210/196/70/dest210.196.70.122-201.html

Same pattern.  I don't know of any tool with this fingerprint, but there are a lot of similar portscan logs floating around...

Cheers

Keith

-----Original Message-----
From: Tadas Miniotas [mailto:tadas () ipv6 lt]
Sent: Saturday, July 20, 2002 1:04 PM
To: incidents () securityfocus com
Subject: Odd scan


Hello,

Just some snort logs I found interesting. Time is GMT+2, and the source IP comes from Malaysia.

Earliest: 15:43:39 on 7/20/2002
Latest: 16:16:45 on 7/20/2002
     * 584 instances of TCP ******S* scan
Jul 20 15:43:39 202.151.224.13:2029 -> xxx.xxx.32.15:79 SYN ******S*
Jul 20 15:43:39 202.151.224.13:2030 -> xxx.xxx.32.15:161 SYN ******S*
Jul 20 15:43:39 202.151.224.13:2031 -> xxx.xxx.32.15:1524 SYN ******S*
Jul 20 15:43:40 202.151.224.13:2024 -> xxx.xxx.32.13:161 SYN ******S*
Jul 20 15:43:40 202.151.224.13:2025 -> xxx.xxx.32.13:1524 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2035 -> xxx.xxx.32.69:79 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2036 -> xxx.xxx.32.69:161 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2037 -> xxx.xxx.32.69:1524 SYN ******S*
Jul 20 15:43:43 202.151.224.13:2033 -> xxx.xxx.32.62:161 SYN ******S*
Jul 20 15:43:43 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S*
Jul 20 15:43:43 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S*
<snip>

What seems odd to me is the quite unusual set of ports for a scan. Quite a few vulnerabilities have been discovered in SNMP (port 161), the ingreslock service (port 1524) is reported to be used as a backdoor for several exploits against RPC services, and finger is a rarely used service these days. So far, so good, but I fail to see what these three ports have in common. Has anyone seen something similar? Any insight would be greatly appreciated.

Best regards,
--
Tadas Miniotas
LitNET NOC

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com



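The pattern in the quoted log is a single source hitting the same three ports (79, 161, 1524) on one host after another, with all three SYNs for a host arriving within the same second or two (the repeated lines for xxx.xxx.32.62 a second later reuse the same source ports, i.e. they are retransmissions). Below is an added example, not code from either poster, that parses Snort 1.x portscan-preprocessor lines of the format quoted above and flags sources that sweep a fixed port set across several hosts, reporting the port set and how tightly the probes per host are bunched. The sample input reuses the lines from the post plus two constructed lines from an unrelated source (192.0.2.7) to show a single-host probe is not flagged; the year 2002 is taken from the post's "Earliest:" line because the log lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line format of the Snort 1.x portscan preprocessor log quoted in the post, e.g.
#   Jul 20 15:43:39 202.151.224.13:2029 -> xxx.xxx.32.15:79 SYN ******S*
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<src>[\w.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\w.]+):(?P<dport>\d+)\s+"
    r"(?P<kind>\S+)\s+(?P<flags>\S+)$"
)

LOG_YEAR = 2002  # assumption: the log lines carry no year; taken from the post's "Earliest:" line


def parse_line(line):
    """Parse one portscan log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    rec["ts"] = datetime.strptime(
        f"{LOG_YEAR} {rec['mon']} {rec['day']} {rec['time']}", "%Y %b %d %H:%M:%S")
    return rec


def group_by_source(lines):
    """src -> dst -> {"ports": set, "times": [datetime, ...]} for SYN probes only.
    Retransmitted probes (same source port, a second later) land in the same set."""
    by_src = defaultdict(lambda: defaultdict(lambda: {"ports": set(), "times": []}))
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["kind"] != "SYN":
            continue
        entry = by_src[rec["src"]][rec["dst"]]
        entry["ports"].add(rec["dport"])
        entry["times"].append(rec["ts"])
    return by_src


def find_fixed_set_sweeps(lines, min_hosts=3):
    """Flag sources that hit the *same* port set on at least min_hosts distinct hosts.

    Returns {src: {"ports": [...], "hosts": n, "max_spread_s": s}}. max_spread_s is the
    longest gap between first and last probe against any one host; a spread of a second
    or two means the ports were sent as one probe set, not as independent scans."""
    hits = {}
    for src, hosts in group_by_source(lines).items():
        all_ports = set().union(*(h["ports"] for h in hosts.values()))
        complete = [h for h in hosts.values() if h["ports"] == all_ports]
        if len(complete) < min_hosts:
            continue
        spread = max((max(h["times"]) - min(h["times"])).total_seconds()
                     for h in hosts.values())
        hits[src] = {"ports": sorted(all_ports), "hosts": len(complete),
                     "max_spread_s": int(spread)}
    return hits


# Sample input: the lines quoted in the post, plus two constructed lines from an
# unrelated source (192.0.2.7) that probes only one host and must not be flagged.
SAMPLE_LOG = """\
Jul 20 15:43:39 202.151.224.13:2029 -> xxx.xxx.32.15:79 SYN ******S*
Jul 20 15:43:39 202.151.224.13:2030 -> xxx.xxx.32.15:161 SYN ******S*
Jul 20 15:43:39 202.151.224.13:2031 -> xxx.xxx.32.15:1524 SYN ******S*
Jul 20 15:43:40 202.151.224.13:2024 -> xxx.xxx.32.13:161 SYN ******S*
Jul 20 15:43:40 202.151.224.13:2025 -> xxx.xxx.32.13:1524 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2035 -> xxx.xxx.32.69:79 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2036 -> xxx.xxx.32.69:161 SYN ******S*
Jul 20 15:43:42 202.151.224.13:2037 -> xxx.xxx.32.69:1524 SYN ******S*
Jul 20 15:43:43 202.151.224.13:2033 -> xxx.xxx.32.62:161 SYN ******S*
Jul 20 15:43:43 202.151.224.13:2032 -> xxx.xxx.32.62:79 SYN ******S*
Jul 20 15:43:43 202.151.224.13:2034 -> xxx.xxx.32.62:1524 SYN ******S*
Jul 20 15:50:00 192.0.2.7:40000 -> xxx.xxx.32.15:80 SYN ******S*
Jul 20 15:50:01 192.0.2.7:40001 -> xxx.xxx.32.15:443 SYN ******S*
""".splitlines()

if __name__ == "__main__":
    for src, info in find_fixed_set_sweeps(SAMPLE_LOG).items():
        print(f"{src}: ports {info['ports']} on {info['hosts']} hosts, "
              f"max per-host spread {info['max_spread_s']}s")
```

On the sample, 202.151.224.13 is reported with ports [79, 161, 1524] on 3 hosts (xxx.xxx.32.13 is excluded because the excerpt shows only two of the three ports for it) and a per-host spread of 1 second; 192.0.2.7 is not reported. The fixed-set check is what distinguishes this from a generic "many ports on many hosts" threshold, and is the kind of signature one would search the GIAC or komura.net logs for when comparing scans.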

