Re: Sudden increase in scans.

[Aaron Kelley <kelleyam () UMICH EDU>]

	I'm seeing lots of scans pointed at port 5500 it might be 
good to note that this port is used quite a bit at the home of 
Hotline servers (it might be the default, but I have not had much of 
a chance to play with the server app.)  As a matter of fact it seems 
that every day you have been getting scanned for 5500.  Perhaps there 
is a new exploit for the hotline server, or it might simply be a bot 
or something of the like that has been misconfigured  or given the 
incorrect IP address.  There might be someone running a hotline 
server on a machine with an IP simmilar to yours.
Enjoy
        AK

> There has suddenly been an enourmous increase of scans aimed at my 
> network.  It
> started 14 / 07 has been increasing ever since.
>
> It started out with a single 'socks' scan the 14'th.  Then socks(again) and
> sunrpc the 15th, ftp and dns the 16th.. then it exploded
>
> The 17th, we had the following scans:
>
> 2. scans of port 1243 with 11 mins in between
> 1. scan of port 20034
> 30(!). scans of port 5500 , starting out at 17:30 (local time) and proceding
> with intervals from 5 mins to 30 minutes throuhgout the day
>
> 18th:
>
> 47. scans of port 5500 from 00:00 to 11:12 (!!)
> 1. scan of 400
>
> 19:
> 3. scans of port 5500, not at a specific time
> 2. scans of port 2835 (within 10 seconds)

akelley () mac com              kelleyam () umich edu           x99kelley1 () wmich edu
                                        Aaron Kelley

                "Any technology that is distinguishable
                                from magic is not sufficiently advanced."