Security Incidents mailing list archives

RE: Scanned on 16 TCP ports, anyone seen this before?


From: "Lawrence Baldwin" <baldwinL () mynetwatchman com>
Date: Mon, 2 Feb 2004 16:25:10 -0500

Yeah, very odd indeed...definitely pretty prolific...have had > 20 mNW
users report this IP, over 20,000 events total...looks like he's hitting the
same port (sets) here too....a high percentage have a *src* port of 18765

http://www.mynetwatchman.com/LID.asp?IID=72800353

Lawrence Baldwin
myNetWatchman.com

-----Original Message-----
From: Kevin Patz [mailto:jambo_cat () yahoo com]
Sent: Monday, February 02, 2004 14:21
To: incidents () securityfocus com
Subject: Scanned on 16 TCP ports, anyone seen this before?


I noticed this when I was perusing the packet log on
my Linux box.  These scans all occurred at 2/2/04
13:21:10 EST.  The source IP was 65.177.48.74, RDNS is
sdn-ap-024txhousP0074.dialsprint.net.  Source port is
18765, all TCP SYNs, same TTL.  Destination ports, in
order by packet sequence #, are:

24215, 15859, 24759, 80, 2589, 32745, 18754, 14784,
18462, 8080, 26859, 17547, 3128, 1029, 27784, 6588

Of these destination ports, the only "familiar" ones
are 80 (http), 2589 (Dagger), 3129 (Squid), 6588
(AnalogX), 8080 (WebCache), and 1029 (ICQ).

Has anyone else seen scans like this?  Any ideas as to
its purpose?  I've seen Ring Zero and proxy scans but
this one hit quite a few odd ports.  Maybe a spammer
looking for an open proxy?

KJP


=====
I see dumb people...
...they're everywhere...
...they walk around like everyone else...
...they don't even know that they're dumb.


---------------------------------------------------------------------------
----------------------------------------------------------------------------
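
Added example (not part of the original thread): one way to flag the pattern both posters describe, TCP SYNs from a single fixed source port to many distinct destination ports within seconds, in a packet log. The iptables-style log format, the addresses 192.0.2.10 and 198.51.100.7, the TTL value, the year prefix and the thresholds are assumptions; the scanner address, source port and destination ports are taken from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Destination ports as listed in the original post, in packet order.
DPORTS = [24215, 15859, 24759, 80, 2589, 32745, 18754, 14784,
          18462, 8080, 26859, 17547, 3128, 1029, 27784, 6588]

LINE = ("Feb  2 {t} fw kernel: IN=eth0 OUT= SRC={src} DST=192.0.2.10 LEN=48 "
        "TTL=113 PROTO=TCP SPT={spt} DPT={dpt} WINDOW=16384 SYN URGP=0")

# Constructed sample log: the scan from the post, plus an ordinary web
# client that uses a new ephemeral source port for every connection.
SAMPLE_LOG = [LINE.format(t="13:21:10", src="65.177.48.74", spt=18765, dpt=p)
              for p in DPORTS]
SAMPLE_LOG += [LINE.format(t="13:21:%02d" % (11 + i), src="198.51.100.7",
                           spt=40000 + i, dpt=80) for i in range(5)]

PAT = re.compile(r"^(\w+\s+\d+ [\d:]+) .*?SRC=(\S+) .*?PROTO=TCP "
                 r"SPT=(\d+) DPT=(\d+) .*?\bSYN\b")

def find_fixed_sport_scans(lines, min_ports=8, window=timedelta(seconds=5),
                           year=2004):
    """Return {(src, sport): sorted dst ports} for sources that send SYNs from
    one fixed source port to at least min_ports distinct ports within window."""
    seen = defaultdict(list)                  # (src, sport) -> [(time, dport)]
    for line in lines:
        m = PAT.search(line)
        if m:
            # Syslog timestamps carry no year, so one is supplied (assumption).
            when = datetime.strptime(f"{year} {m.group(1)}",
                                     "%Y %b %d %H:%M:%S")
            seen[(m.group(2), int(m.group(3)))].append((when, int(m.group(4))))
    hits = {}
    for key, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # window starting at each event
            ports = {d for t, d in events[i:] if t - start <= window}
            if len(ports) >= min_ports:
                hits[key] = sorted(ports)
                break
    return hits

if __name__ == "__main__":
    for (src, sport), ports in find_fixed_sport_scans(SAMPLE_LOG).items():
        print(f"{src} sport={sport} hit {len(ports)} ports: {ports}")
```

Grouping on the (source address, source port) pair is what separates this scan from normal clients, whose source port changes with each connection and so never accumulates more than one destination port per key.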

