Snort mailing list archives
RE: Portscans from China ?
From: Mike Arrison <arrison () graphcalc com>
Date: Sun, 14 Apr 2002 09:45:26 -0400
China is a known haven for hackers. Due to their relative infancy of online connectivity, there are many servers there that have not been secured. One of the most common are mail servers that are left as open relays for spam. Others are compromised systems controlled by (often American) foreign hackers, used to mask their origin. Of course, there has also been a large contingent of actual Chinese hackers. There are rumors that the Chinese government actually sponsors these guys to do a little American recon. If your organization is involved in anything high tech, weapons or nuclear related, I would not be surprised at all to see the Chinese scanning you.

My suggestion: Start logging all packets from Asia, not just alerts. You can figure out what those IPs are here: http://www.iana.com/assignments/ipv4-address-space . Look for entries for APNIC (Asia Pacific Network Information Center).

But this is just my paranoid assessment. Anyone have any non-conspiracy-theory thoughts?

-Mike Arrison

-----Original Message-----
From: snort-users-admin () lists sourceforge net [mailto:snort-users-admin () lists sourceforge net] On Behalf Of Tudor Panaitescu
Sent: Sunday, April 14, 2002 8:36 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Portscans from China ?

Hello Everyone,

I am getting daily hundreds of portscans to port 80 TCP from hosts residing in China; some of them are directed only to our web sites in the DMZ, some are targeting the entire DMZ network, trying to scan the hosts one by one. The source addresses are not the same from one scan to another, they are always different, they don't resolve with reverse lookup and they look like well protected systems when trying to connect to them on different ports (no scanning in return though...).

The portscan.log always shows INVALIDACK ***A*R*F for these scans. The alerts log shows only STEALTH [**]. The apache log files show nothing but 408 (request time out) for these connections.

Is anybody else experiencing the same thing? Does anybody have any idea what this is all about?

TIA,
Tudor

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
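To make sense of the INVALIDACK ***A*R*F entries Tudor describes, here is an added example (mine, not code from the thread or from Snort) that parses constructed portscan.log lines, decodes Snort's 12UAPRSF flag notation, labels each flag combination and counts how many DMZ hosts each source touched. The exact line layout and the triage labels are assumptions, not Snort's own output format or scan names.

```python
import re
from collections import Counter

# Snort flag string order is 12UAPRSF (2 reserved bits, URG, ACK, PSH, RST, SYN, FIN); '*' = clear.
FLAG_ORDER = "12UAPRSF"

# Assumed line layout (hypothetical): "Mon DD HH:MM:SS src:sport -> dst:dport SCANTYPE flags"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<kind>\S+) (?P<flags>[12UAPRSF*]{8})$")

def decode_flags(flagstr):
    """Set of TCP flag letters that are set in an 8-character Snort flag string."""
    return {name for name, ch in zip(FLAG_ORDER, flagstr) if ch != "*"}

def classify(flags):
    """Triage label for a flag set (labels are my own, not Snort's scan names)."""
    if flags == {"A", "R", "F"}:
        return "invalid-ack"   # ACK+RST+FIN together: no real TCP stack sends this
    if flags == {"S"}:
        return "syn"           # ordinary connect / half-open probe
    if {"F", "P", "U"} <= flags and "A" not in flags:
        return "xmas"          # FIN+PSH+URG without ACK
    return "other"

def parse_portscan_log(text):
    """Parse portscan.log lines into dicts with decoded flags and a triage label."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:   # lines that do not match the layout are skipped, not guessed at
            flags = decode_flags(m["flags"])
            events.append({"src": m["src"], "dst": m["dst"], "kind": m["kind"],
                           "flags": flags, "class": classify(flags)})
    return events

def summarize(events):
    """Events per label, and how many distinct DMZ hosts each source touched."""
    hosts = {}
    for e in events:
        hosts.setdefault(e["src"], set()).add(e["dst"])
    return Counter(e["class"] for e in events), {s: len(h) for s, h in hosts.items()}

# Constructed sample lines (RFC 5737 documentation addresses), not from the post.
SAMPLE = """\
Apr 14 08:36:01 203.0.113.5:4321 -> 192.0.2.10:80 INVALIDACK ***A*R*F
Apr 14 08:36:02 203.0.113.5:4322 -> 192.0.2.11:80 INVALIDACK ***A*R*F
Apr 14 08:40:10 198.51.100.7:2000 -> 192.0.2.10:80 SYN ******S*
Apr 14 08:41:00 198.51.100.8:2001 -> 192.0.2.10:80 XMAS **U*P**F
"""
```

A source whose host count grows across the DMZ while every packet carries the same impossible flag set is the sweep pattern described in the post, and is worth full packet logging rather than alert-only logging.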
Current thread:
- Portscans from China ? Tudor Panaitescu (Apr 14)
- RE: Portscans from China ? Mike Arrison (Apr 14)
- Re: Portscans from China ? Michael Scheidell (Apr 15)
- RE: Portscans from China ? Mike Arrison (Apr 14)