Security Incidents mailing list archives

A few strange scans...


From: Mike.Murray () UTORONTO CA (Murray, Mike)
Date: Sun, 20 Feb 2000 20:53:10 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all...

        Have a couple incidents that I'm curious about, and I can't find any
explanation for at all...

        The first is many days of scanning of our Class C on a few weird ports
from 193.0.14.129.  This belongs to k.root-servers.net.  Here's a log
snippet...
Feb  5 06:40:51 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.20:264 L=281 S=0x00 I=37686 F=0x0000 T=49 (#7)
Feb  5 06:41:35 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.50:264 L=281 S=0x00 I=7912 F=0x0000 T=49 (#7)
Feb  5 06:56:43 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.20:452 L=471 S=0x00 I=15034 F=0x0000 T=49 (#7)
Feb  5 06:57:16 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.50:452 L=470 S=0x00 I=40854 F=0x0000 T=49 (#7)
Feb  5 06:57:39 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.50:132 L=475 S=0x00 I=58041 F=0x0000 T=49 (#7)
Feb  5 06:58:29 firepower kernel: Packet log: server1 ACCEPT eth0 PROTO=17 193.0.14.129:30721 xxx.xxx.xxx.20:20 L=472 S=0x00 I=30688 F=0x0000 T=49 (#79)
Feb  5 06:59:31 firepower kernel: Packet log: server1 ACCEPT eth0 PROTO=17 193.0.14.129:1120 xxx.xxx.xxx.20:80 L=284 S=0x00 I=15071 F=0x0000 T=49 (#79)
Feb  5 07:00:28 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.20:456 L=475 S=0x00 I=61751 F=0x0000 T=49 (#7)
Feb  5 07:00:43 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.20:456 L=475 S=0x00 I=8447 F=0x0000 T=49 (#7)
Feb  5 07:02:20 firepower kernel: Packet log: server1 ACCEPT eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.50:20 L=479 S=0x00 I=31258 F=0x0000 T=49 (#79)
Feb  5 07:04:42 firepower kernel: Packet log: server1 ACCEPT eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.50:20 L=480 S=0x00 I=17387 F=0x0000 T=49 (#79)
Feb  5 07:08:13 firepower kernel: Packet log: server1 ACCEPT eth0 PROTO=17 193.0.14.129:1160 xxx.xxx.xxx.50:80 L=281 S=0x00 I=63386 F=0x0000 T=49 (#79)
Feb  5 07:24:31 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.50:196 L=216 S=0x00 I=7567 F=0x0000 T=49 (#7)
Feb  5 07:44:47 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30721 xxx.xxx.xxx.50:24 L=284 S=0x00 I=15566 F=0x0000 T=49 (#7)
Feb  5 07:58:14 firepower kernel: Packet log: private1 DENY eth0 PROTO=17 193.0.14.129:30974 xxx.xxx.xxx.50:264 L=281 S=0x00 I=35814 F=0x0000 T=49 (#7)

        And so on, and so on...

        Also, we've been seeing probes on some strange ports (31, 36, 104, 261,
413, 461, 576, 770 and 838) and an especially long scan on port 5.

        Anybody have any ideas and/or know what could be on any of these
ports???

                        Thanks,

                                Mike

- ----------------------------------
Message sent on 20-Feb-00 at 20:54:37

Mike Murray
Apt 1402
666 Spadina Ave
Toronto, ON
M5S 2H8

Phone: (416) 323-3160

        I can't think of anything pithy to say at
        all, today.  So, I ramble.
- ----------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOLCa44DBZTHOsqLmEQIa1ACgxKLrXstpq2GClJSR5j7fzLB75CoAoJQQ
QLpW+9QyTZCWUOowT0sCE84l
=iRy1
-----END PGP SIGNATURE-----
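
An added example, not part of the original post: a small Python parser for ipchains "Packet log" records of the kind quoted in the message. It rejoins records that a mail client has wrapped, then groups destination ports and source ports by source address and firewall action. The sample input is constructed, using documentation addresses and a placeholder hostname `fw`; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the ipchains "Packet log" format (documentation
# addresses; records deliberately wrapped the way mail clients wrap them).
SAMPLE = """\
Feb  5 06:40:51 fw kernel: Packet log: private1 DENY eth0 PROTO=17
192.0.2.10:30974 198.51.100.20:264 L=281 S=0x00 I=37686 F=0x0000
T=49 (#7)
Feb  5 06:56:43 fw kernel: Packet log: private1 DENY eth0 PROTO=17
192.0.2.10:30974 198.51.100.50:452 L=471 S=0x00 I=15034 F=0x0000
T=49 (#7)
Feb  5 06:59:31 fw kernel: Packet log: server1 ACCEPT eth0 PROTO=17
192.0.2.10:1120 198.51.100.20:80 L=284 S=0x00 I=15071 F=0x0000
T=49 (#79)
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
# chain, action, interface, IP protocol, src:port, dst:port,
# L=length ... T=TTL, (#n)=number of the rule that matched.
RECORD = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) L=(?P<length>\d+) .*?"
    r"T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)")

def unwrap(text):
    """Rejoin wrapped records: a new record starts only on a line
    that begins with a syslog timestamp."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.strip())
        elif line.strip():
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Per source: (proto, dport) pairs per action, and source ports used."""
    out = defaultdict(lambda: {"DENY": set(), "ACCEPT": set(), "sports": set()})
    for rec in unwrap(text):
        m = RECORD.search(rec)
        if not m:
            continue  # not an ipchains packet-log record
        entry = out[m["src"]]
        entry.setdefault(m["action"], set()).add((m["proto"], int(m["dport"])))
        entry["sports"].add(int(m["sport"]))
    return dict(out)
```

Run over a full day of logs, the per-source summary shows at a glance which ports were denied, which reached permitted services, and whether the source port stayed fixed across packets.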

