Snort mailing list archives
RE: [Dshield] Port 17300 scans [snort-users-admin@lists.sourceforge.net in Pass-Through List] ['snort' in Pass-Through List] ['snort-users' in Pass-Through List]
From: "Chan, Stephen (Singapore)" <stephen_chan () sg ml com>
Date: Wed, 19 Feb 2003 10:48:52 +0800
Most likely spoofed source addresses, otherwise they could be compromised hosts being controlled by a master someplace...

Rgds,
Stephen

-----Original Message-----
From: Mark Scott [mailto:mscott () mtgroup com]
Sent: Wednesday, February 19, 2003 6:46 AM
To: list () dshield org; snort-users () lists sourceforge net
Subject: [Dshield] [Snort-users] Port 17300 scans [snort-users-admin () lists sourceforge net in Pass-Through List] ['snort' in Pass-Through List] ['snort-users' in Pass-Through List]

For those tracking the 17300 scans, here are some more data on the 17300 scans. I had several nodes that were quickly scanned and the snort data all looked the same. Below are the snort alerts from one of my nodes.

Also of interest...... they originated from 3 different IPs (211.199.119.223 [Korea], 61.182.210.111 [China] and 61.182.210.22 [China]) to the very same nodes on my network.

Any significance to the fact that the 3 src IPs are hitting the same nodes on the network simultaneously?

Regards,
Mark

Mark Scott
Memphis Technology Associates
http://mtgroup.com

=========================================================================

[**] Port 17300 Scan [**]
02/18/03-16:22:29.625943 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3E
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19234 IpLen:20 DgmLen:48 DF
******S* Seq: 0x429C8DF Ack: 0x0 Win: 0x2000 TcpLen: 28
TCP Options (4) => MSS: 1422 NOP NOP SackOK
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:29.867155 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19746 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:29.868560 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:20002 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:29.869628 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:20258 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:32.800830 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:24354 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:38.804678 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:39714 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:50.802199 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:60194 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:23:14.853085 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:55075 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:24:02.882797 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:56101 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
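The question raised in the thread, whether several sources are hitting the same nodes at the same time, can be checked mechanically from the alert text. The Python below is an added example, not part of the original messages: it parses Snort full-format TCP alerts and reports, per target, the sources whose first packets fall within a time window, along with each source's TTLs and TCP flags. The function names, the 60-second window and the 192.0.2.10 and 198.51.100.7 alerts are assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Snort "full" TCP alert. Fields are joined by \s+ so run-together text parses too.
ALERT = re.compile(
    r"\[\*\*\]\s*(?P<msg>[^\[]+?)\s*\[\*\*\]\s+(?P<ts>\d\d/\d\d/\d\d-[\d:.]+)\s+"
    r"(?:\S+ -> \S+ type:\S+ len:\S+\s+)?"  # optional Ethernet header (snort -e)
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"TCP TTL:(?P<ttl>\d+).*?(?P<flags>[*12UAPRSF]{8})\s+"
    r"Seq:\s*(?P<seq>0x[0-9A-Fa-f]+)\s+Ack:\s*(?P<ack>0x[0-9A-Fa-f]+)", re.S)

# The first two alerts are copied from the post. The 192.0.2.10 and 198.51.100.7
# alerts are constructed for this example (documentation address ranges).
SAMPLE = """
[**] Port 17300 Scan [**] 02/18/03-16:22:29.625943 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3E
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19234 IpLen:20 DgmLen:48 DF ******S* Seq: 0x429C8DF Ack: 0x0 Win: 0x2000 TcpLen: 28
[**] Port 17300 Scan [**] 02/18/03-16:22:29.867155 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19746 IpLen:20 DgmLen:40 DF ***A**** Seq: 0x429C8E0 Ack: 0xF2644EE8 Win: 0x2180 TcpLen: 20
[**] Port 17300 Scan [**] 02/18/03-16:22:31.100000 192.0.2.10:2044 -> 10.10.10.49:17300 TCP TTL:110 TOS:0x0 ID:100 IpLen:20 DgmLen:48 DF ******S* Seq: 0x1000 Ack: 0x0 Win: 0x2000 TcpLen: 28
[**] Port 17300 Scan [**] 02/18/03-16:40:00.000000 198.51.100.7:3001 -> 10.10.10.50:17300 TCP TTL:52 TOS:0x0 ID:7 IpLen:20 DgmLen:48 DF ******S* Seq: 0x2000 Ack: 0x0 Win: 0x4000 TcpLen: 28
"""

def parse_alerts(text):
    alerts = [m.groupdict() for m in ALERT.finditer(text)]
    for a in alerts:
        a["ts"] = datetime.strptime(a["ts"], "%m/%d/%y-%H:%M:%S.%f")
    return alerts

def by_target(alerts):
    """(dst, dport) -> {src: first-seen time, TTLs seen, distinct flag sets in order}."""
    out = defaultdict(dict)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        s = out[(a["dst"], a["dport"])].setdefault(
            a["src"], {"first": a["ts"], "ttls": set(), "flags": []})
        s["ttls"].add(int(a["ttl"]))
        if (f := a["flags"].replace("*", "")) not in s["flags"]:
            s["flags"].append(f)
    return out

def shared_targets(alerts, window=timedelta(seconds=60)):
    """Targets probed by 2+ sources whose first packets fall within `window`."""
    hits = {}
    for target, srcs in by_target(alerts).items():
        firsts = sorted((v["first"], ip) for ip, v in srcs.items())
        near = [ip for t, ip in firsts if t - firsts[0][0] <= window]
        if len(near) > 1:
            hits[target] = near
    return hits
```

Feeding `shared_targets(parse_alerts(text))` the alert files from several sensors shows which targets were approached by more than one source in the same minute; the per-source TTL sets from `by_target` give a quick consistency check on each claimed source.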