Security Incidents mailing list archives

Odd snmp scans from 10.0.0.0/8 address ???


From: r.fulton () AUCKLAND AC NZ (Russell Fulton)
Date: Wed, 26 Apr 2000 17:06:50 +1200


A few days ago we saw a series of scans that varied the 3rd octet of
the IP address (see argus logs below).  These scans appeared to be part
of a much wider scan, perhaps all of 130/8, as the scans repeated every
couple of hours with a new final octet.

Sample argus logs:

23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.198.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.202.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.204.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.206.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.207.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.209.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.212.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.213.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.211.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.214.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.216.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.215.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.217.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.218.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.219.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.223.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.220.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.227.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.221.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.231.28.161   TIM

As you can see, they are scanning address 28 in each class C net.

We saw similar scans at
 2000.04.24:07.11
 2000.04.24:05.28
 2000.04.24:03.46
 2000.04.24:02.04
 2000.04.24:00.21
 2000.04.23:22.39
 2000.04.23:20.57

Each time scanning a new address in each subnet.

I have seen such scans before and I think nmap has an option for doing
just this, so no mystery there, but what puzzles me is the source
address, which is in the range reserved for multicast.

Is there any way anyone could get useful information from this scan?

BTW, times are UTC +1200; our class B is 130.216/16.

Cheers, Russell.
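Added example (not part of the original post): a small Python detector that parses argus-style flow lines like the ones above and flags a single source probing the same host number across many /24s, the "address 28 in each class C" pattern. The sample lines are constructed to mirror the post's layout, and the function and field names are my own.

```python
"""Detect 'one host per /24' sweeps in argus-style flow lines."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the same layout as the post's argus output:
# five SNMP probes to .28 in different /24s plus one unrelated DNS flow.
SAMPLE = """\
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.198.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.202.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.204.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.206.28.161   TIM
23 Apr 00 19:14:45      udp      10.2.16.76.2846   ->  130.216.207.28.161   TIM
23 Apr 00 19:14:46      udp      192.0.2.9.40000   ->  130.216.5.10.53      CON
"""

# date/time, proto, src.port, '->', dst.port, state
LINE = re.compile(r"^(\d+ \w+ \d+ [\d:]+)\s+(\w+)\s+(\S+)\s+->\s+(\S+)\s+(\w+)")

def split_host_port(field):
    """argus writes 'a.b.c.d.port'; the last dotted field is the port."""
    host, port = field.rsplit(".", 1)
    return host, int(port)

def parse(text):
    """Return one dict per parseable flow line; unparseable lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, proto, src, dst, state = m.groups()
        shost, sport = split_host_port(src)
        dhost, dport = split_host_port(dst)
        flows.append(dict(ts=ts, proto=proto, src=shost, sport=sport,
                          dst=dhost, dport=dport, state=state))
    return flows

def find_subnet_sweeps(flows, min_subnets=4):
    """A sweep is one source hitting the same destination port and the same
    last octet in at least min_subnets distinct /24s. src_private marks an
    RFC 1918 source (e.g. 10/8), which is not usefully traceable."""
    thirds_by_key = defaultdict(set)
    for f in flows:
        o = f["dst"].split(".")
        thirds_by_key[(f["src"], f["proto"], f["dport"], o[3])].add(o[2])
    hits = []
    for (src, proto, dport, host), thirds in thirds_by_key.items():
        if len(thirds) >= min_subnets:
            hits.append({"src": src, "proto": proto, "dport": dport,
                         "host_octet": host, "subnets": len(thirds),
                         "src_private": ipaddress.ip_address(src).is_private})
    return hits
```

Running `find_subnet_sweeps(parse(SAMPLE))` reports one sweep: 10.2.16.76 probing UDP/161 on host .28 in five subnets, from a private source.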

