Snort mailing list archives

RE: [Dshield] Port 17300 scans [snort-users-admin@lists.sourceforge.net in Pass-Through List] ['snort' in Pass-Through List] ['snort-users' in Pass-Through List]


From: "Chan, Stephen (Singapore)" <stephen_chan () sg ml com>
Date: Wed, 19 Feb 2003 10:48:52 +0800

Most likely spoofed source addresses; otherwise they could be compromised
hosts being controlled by a master someplace...

Rgds,

Stephen


-----Original Message-----
From: Mark Scott [mailto:mscott () mtgroup com] 
Sent: Wednesday, February 19, 2003 6:46 AM
To: list () dshield org; snort-users () lists sourceforge net
Subject: [Dshield] [Snort-users] Port 17300 scans
[snort-users-admin () lists sourceforge net in Pass-Through List] ['snort' in
Pass-Through List] ['snort-users' in Pass-Through List]


For those tracking the 17300 scans, here are some more data on the 17300
scans. I had several nodes that were quickly scanned and the Snort data all
looked the same. Below are the Snort alerts from one of my nodes.

Also of interest: they originated from 3 different IPs (211.199.119.223
[Korea], 61.182.210.111 [China] and 61.182.210.22 [China]) to the very same
nodes on my network. Any significance to the fact that the 3 src IPs are
hitting the same nodes on the network simultaneously?

Regards,

Mark
Mark Scott
Memphis Technology Associates
http://mtgroup.com

=========================================================================


[**] Port 17300 Scan [**]
02/18/03-16:22:29.625943 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3E
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19234 IpLen:20 DgmLen:48 DF
******S* Seq: 0x429C8DF  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1422 NOP NOP SackOK

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:29.867155 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19746 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:29.868560 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:20002 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:29.869628 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:20258 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:32.800830 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:24354 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:38.804678 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:39714 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:50.802199 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:60194 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:23:14.853085 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:55075 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:24:02.882797 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:56101 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list


_______________________________________________
list mailing list
list () dshield org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list



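Added example, not from either poster: a small parser for the Snort full-format alerts quoted above that groups them by TCP flow and reports whether the flow shows a completed three-way handshake, which is the check that separates the two explanations in the reply (a spoofed source cannot answer a SYN/ACK it never receives, a compromised host can). The sample is three of the quoted alerts with the mail client's line wrapping undone; function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: three 17300 alerts from the post (SYN, ACK, ACK+FIN), mail wrapping undone.
SAMPLE = """\
[**] Port 17300 Scan [**]
02/18/03-16:22:29.625943 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3E
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19234 IpLen:20 DgmLen:48 DF
******S* Seq: 0x429C8DF  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1422 NOP NOP SackOK
[**] Port 17300 Scan [**]
02/18/03-16:22:29.867155 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19746 IpLen:20 DgmLen:40 DF
***A**** Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20
[**] Port 17300 Scan [**]
02/18/03-16:22:29.869628 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800 len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:20258 IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20
"""

FLOW = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+) TCP TTL:(\d+)")
FLAGS = re.compile(r"^([*12UAPRSF]{8}) Seq: (0x[0-9A-Fa-f]+)\s+Ack: (0x[0-9A-Fa-f]+)")

def parse_alerts(text):
    """One dict per alert: message, endpoints, TTL, set of flag letters, seq and ack."""
    alerts, cur = [], None
    for line in text.splitlines():
        if line.startswith("[**]"):
            cur = {"msg": line.strip("[*] ")}
        elif cur and (m := FLOW.match(line)):
            cur.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]), ttl=int(m[5]))
        elif cur and (m := FLAGS.match(line)):
            cur.update(flags=set(m[1].replace("*", "")), seq=int(m[2], 16), ack=int(m[3], 16))
            alerts.append(cur)
            cur = None
    return alerts

def summarize_flows(alerts):
    """Per (src, dst, dport): packet count, TTLs seen and handshake state. A spoofed
    source never receives the SYN/ACK, so it cannot send the third-step ACK carrying
    a real Ack number; a SYN followed by an ACK with a non-zero Ack field means the
    source address is live (the compromised-host case), not spoofed."""
    flows = defaultdict(lambda: dict(packets=0, ttls=set(), syn=False, acked=False, fin=False))
    for a in alerts:
        f = flows[(a["src"], a["dst"], a["dport"])]
        f["packets"] += 1
        f["ttls"].add(a["ttl"])
        f["syn"] |= "S" in a["flags"]
        f["acked"] |= "A" in a["flags"] and "S" not in a["flags"] and a["ack"] != 0 and f["syn"]
        f["fin"] |= "F" in a["flags"]
    return {k: dict(v, handshake_completed=v["syn"] and v["acked"]) for k, v in flows.items()}
```

A flow with only SYNs (or SYNs plus Ack-0 packets) stays at handshake_completed=False, which is the pattern a spoofed-source scan would leave; a single TTL across the flow is a second consistency check worth reporting.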
