Security Incidents mailing list archives

Re: New script-kiddie looking scan

From: Jeff Kell <jeff-kell () utc edu>
Date: Tue, 18 Jun 2002 14:36:12 -0400

I don't think I made myself clear when...

On Tue, 18 Jun 2002, Jeff Kell wrote:

I'm noticing a growing number of scans of four ports (1433, 8000, 3128,
and 8080, in succession from increasing source ports).  These are
MS-SQL, WinAmp, Ring Zero, and HTTP proxy.


The individual scans are nothing new and rather well-known.  What DOES
bother me is the pattern -- those four ports are scanned, in succession,
within a second or two, and it moves on to another host.  And this same
4-port-scan sequence I have seen from various geographic sources.  What
are the odds that all those scans, in that sequence, are coincidence?
Slim to none, I'd wager; it sounds like either a new scanning tool or,
worse still, some new worm trying to propagate itself through exploits
based on those ports.

Jeff

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Re: New script-kiddie looking scan Jeff Kell (Jun 18)
- Re: New script-kiddie looking scan Michael H. Warfield (Jun 18)
- Re: New script-kiddie looking scan Barry Kostjens (Jun 19)
- <Possible follow-ups>
- RE: New script-kiddie looking scan Mike Ciavarella (Jun 18)
- RE: New script-kiddie looking scan David Jacoby (Jun 19)