Security Incidents mailing list archives

port 12345 scanning


From: luke.dudney () WN COM AU (Luke Dudney)
Date: Mon, 12 Jun 2000 13:13:29 +0800


Just to let any of you that may believe you're being specifically targeted
know..

I'm seeing these all over our 203.x networks, all coming from
[209-210].x.y.z
They scan the entire C-class (that I am aware of, we do not have any
contiguous 203.x blocks; they may well be scanning the /8) at five second
intervals.
I'm yet to see them on our 202. block.

Jun 11 04:10:29 4554: router1 2w5d: %SEC-6-IPACCESSLOGP: list 102 denied tcp
210.183.62.105(2915) -> 203.30.z.131(12345), 1 packet
Jun 11 04:10:34 4555: router1 2w5d: %SEC-6-IPACCESSLOGP: list 102 denied tcp
210.183.62.105(2916) -> 203.30.z.132(12345), 1 packet
Jun 11 04:10:39 4556: router1 2w5d: %SEC-6-IPACCESSLOGP: list 102 denied tcp
210.183.62.105(2917) -> 203.30.z.133(12345), 1 packet
Jun 11 04:10:44 4557: router1 2w5d: %SEC-6-IPACCESSLOGP: list 102 denied tcp
210.183.62.105(2918) -> 203.30.z.134(12345), 1 packet

209.253.144.78 (OSHKB103-30.splitrock.net)
Jun 11 05:52:48 862: router2 5w5d: %SEC-6-IPACCESSLOGP: list 100 denied tcp
209.253.144.78(1749) -> 203.23.y.43(12345), 1 packet
Jun 11 05:52:53 863: router2 5w5d: %SEC-6-IPACCESSLOGP: list 100 denied tcp
209.253.144.78(1750) -> 203.23.y.44(12345), 1 packet
Jun 11 05:52:58 864: router2 5w5d: %SEC-6-IPACCESSLOGP: list 100 denied tcp
209.253.144.78(1751) -> 203.23.y.45(12345), 1 packet
Jun 11 05:53:03 865: router2 5w5d: %SEC-6-IPACCESSLOGP: list 100 denied tcp
209.253.144.78(1752) -> 203.23.y.46(12345), 1 packet

Jun 11 14:48:10 4916: router3 2w6d: %SEC-6-IPACCESSLOGP: list 102 denied tcp
211.51.191.93(3045) -> 203.34.x.66(12345), 1 packet
Jun 11 14:48:15 4917: router3 2w6d: %SEC-6-IPACCESSLOGP: list 102 denied tcp
211.51.191.93(3046) -> 203.34.x.67(12345), 1 packet
Jun 11 14:48:20 4918: router3 2w6d: %SEC-6-IPACCESSLOGP: list 102 denied tcp
211.51.191.93(3047) -> 203.34.x.68(12345), 1 packet
Jun 11 14:48:25 4919: router3 2w6d: %SEC-6-IPACCESSLOGP: list 102 denied tcp
211.51.191.93(3048) -> 203.34.x.69(12345), 1 packet

Also full network NetBIOS scanning, but at greater intervals.
Similar scans have also come from 208.128.46.11 (11-ppp1-CC.trip.net).

Jun 12 09:25:52 59098: router4 10w1d: %SEC-6-IPACCESSLOGP: list foo-list-in
denied udp 209.103.218.155(137) -> 203.38.n.34(137), 2 packets
Jun 12 09:26:08 59099: router4 10w1d: %SEC-6-IPACCESSLOGP: list foo-list-in
denied udp 209.103.218.155(137) -> 203.38.n.35(137), 2 packets
Jun 12 09:26:16 59100: router4 10w1d: %SEC-6-IPACCESSLOGP: list foo-list-in
denied udp 209.103.218.155(137) -> 203.38.n.36(137), 2 packets
Jun 12 09:26:25 59101: router4 10w1d: %SEC-6-IPACCESSLOGP: list foo-list-in
denied udp 209.103.218.155(137) -> 203.38.n.37(137), 2 packets

Cheers
__________________________________________________
Luke Dudney
Systems Administration
WestNet - WA's Statewide Internet Provider
Phone: 9218 2600 - Fax: 9218 2666
http://www.wn.com.au
__________________________________________________
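
The following Python example is added here and is not part of the original post. It parses ACL deny lines in the format quoted above and reports each source that hit several distinct hosts on one port, with the median interval between probes. Assumptions: every log entry sits on one line, the sample lines are constructed using documentation address ranges, and the year is a parameter because the syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Cisco IOS ACL deny line in the format quoted in the post, one entry per line.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*%SEC-6-IPACCESSLOGP: list \S+ denied "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def find_sweeps(lines, min_targets=4, year=2000):
    """Return sources that hit at least min_targets distinct hosts on one port."""
    hits = defaultdict(list)  # (src, proto, dport) -> [(time, dst), ...]
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ACL deny entry
        # Syslog timestamps have no year; 'year' is an assumed parameter.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[(m["src"], m["proto"], int(m["dport"]))].append((ts, m["dst"]))
    sweeps = []
    for (src, proto, dport), events in hits.items():
        targets = {dst for _, dst in events}
        if len(targets) < min_targets:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sweeps.append({"src": src, "proto": proto, "dport": dport,
                       "targets": len(targets), "median_gap_s": median(gaps)})
    return sweeps

# Constructed sample: a 4-host sweep at 5 s spacing plus one unrelated deny.
SAMPLE = [
    f"Jun 11 04:10:{29 + 5 * i:02d} {4554 + i}: router1 2w5d: %SEC-6-IPACCESSLOGP: "
    f"list 102 denied tcp 192.0.2.105({2915 + i}) -> 198.51.100.{131 + i}(12345), 1 packet"
    for i in range(4)
] + ["Jun 11 04:11:02 4558: router1 2w5d: %SEC-6-IPACCESSLOGP: "
     "list 102 denied tcp 192.0.2.7(1040) -> 198.51.100.10(25), 1 packet"]

if __name__ == "__main__":
    for sweep in find_sweeps(SAMPLE):
        print(sweep)
```

Log lines wrapped by a mail client, as in the excerpts above, need to be rejoined before they are passed to `find_sweeps`.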

