Snort mailing list archives

RE: massive scans


From: "Miller, Eoin" <Miller () fhlb-of com>
Date: Mon, 2 Dec 2002 12:56:53 -0500

Yeah, I've had the same things as of late. It's some new h@x0r scanner from China, if I remember correctly. I've got some 
logs if you want to take a look and compare. At the time I thought they were a possible new worm. There was some 
discussion of this in another email group; I'm in a few too many and cannot recall which one, though.

logs:
http://www.variate.net/deviate/tech/foo/scans/


-----Original Message-----
From: Steve Moran [mailto:steve.moran () csssoftware com]
Sent: Monday, December 02, 2002 12:10 PM
To: snort-users () lists sourceforge net
Subject: [Snort-users] massive scans


Lately I've seen some odd port 80 scans. These scans have been setting off somewhere in the neighborhood of 160-250 
different Snort signatures.  There have been 3 of these scans.  One to my mail server, which is on one class C network 
(a 198 network); the other two were to an entirely different class C (a 65 network).  These scans are very efficient, 
i.e. only 1-3 packets per type of exploit.  They are not targeted, i.e. they are looking for any exploit: Lotus, Windows, 
Apache, anything.  One admin said he found an executable called network32 on his DNS server and many registry entries 
to have it automatically start.  It was in the win32\label directory.  The second attack was from Italy, from what 
appears to be some small Italian town's website (I don't speak or read Italian so I'm not entirely sure), but I have 
not gotten any response from requests for help regarding the scan.  I'm still collecting info on the third and latest 
scan.  I don't think I'm being deliberately targeted, as these scans are way too noisy. Personally, if it was me, I'd 
at least take the time to do some recon and tailor my attack to the type of web server.  
As nothing has been compromised and no damage done, law enforcement doesn't really care.  As there are close to 1000 
packets and, like I said, 160-250 different types of attacks, reporting them is very hard, and no one really seems to 
care (no damage).  
Is anyone else seeing this sort of traffic lately?  I have 3 Snort sensors, and they've been running for close to 2 
years, and these attacks have registered on two different sensors, running different versions of Snort, so I doubt it's 
a Snort freak-out that's caused this.   Is anyone aware of some sort of new bug doing this?


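The pattern described in this thread (one source setting off a large number of different signatures, with only a few packets per signature) can be pulled out of a sensor's alert file by counting distinct signature IDs per source inside a time window. This is an added example, not code from either poster: it assumes Snort's "fast" alert line format, and the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Snort "fast" alert line: timestamp [**] [gid:sid:rev] msg [**] ... {proto} src -> dst
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):\d+\]\s+.*?\s+\[\*\*\].*?"
    r"\{\w+\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)"
)

def summarize_scanners(lines, min_sigs=5, window=timedelta(minutes=10), year=2002):
    """Report sources tripping >= min_sigs distinct signatures in one time window."""
    events = defaultdict(list)
    for line in lines:
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # not a fast-format alert line
        # Fast alerts carry no year by default, so the caller supplies one (assumption).
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        events[m["src"]].append((ts, (m["gid"], m["sid"]), m["dst"]))
    report = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1  # drop alerts that fell out of the window
            best = max(best, len({e[1] for e in evs[start:end + 1]}))
        if best >= min_sigs:
            all_sigs = {e[1] for e in evs}
            report[src] = {
                "distinct_signatures": best,
                "alerts": len(evs),
                "alerts_per_signature": round(len(evs) / len(all_sigs), 2),
                "targets": sorted({e[2] for e in evs}),
            }
    return report

def _line(sec, sid, src):
    # Constructed alert text: documentation addresses, local-range SIDs.
    return (f"12/02-12:10:{sec:02d}.000000  [**] [1:{sid}:1] CONSTRUCTED rule [**] "
            f"[Priority: 2] {{TCP}} {src}:40000 -> 198.51.100.10:80")

# One source tripping 8 signatures twice each, one source repeating a single rule.
SAMPLE = [_line(i, 1000001 + i // 2, "203.0.113.7") for i in range(16)]
SAMPLE += [_line(i, 1000001, "192.0.2.50") for i in range(6)]

if __name__ == "__main__":
    print(summarize_scanners(SAMPLE))
```

The per-source summary (distinct signatures, total alerts, alerts per signature, targets) is compact enough to attach to an abuse report in place of the raw alert dump.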

