Security Incidents mailing list archives
port 12345 scanning
From: luke.dudney () WN COM AU (Luke Dudney)
Date: Mon, 12 Jun 2000 13:13:29 +0800
Just to let any of you that may believe you're being specifically targeted know.. I'm seeing these all over our 203.x networks, all coming from [209-210].x.y.z. They scan the entire C-class (that I am aware of, we do not have any contiguous 203.x blocks; they may well be scanning the /8) at five second intervals. I'm yet to see them on our 202. block.

Jun 11 04:10:29 4554: router1 2w5d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 210.183.62.105(2915) -> 203.30.z.131(12345), 1 packet
Jun 11 04:10:34 4555: router1 2w5d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 210.183.62.105(2916) -> 203.30.z.132(12345), 1 packet
Jun 11 04:10:39 4556: router1 2w5d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 210.183.62.105(2917) -> 203.30.z.133(12345), 1 packet
Jun 11 04:10:44 4557: router1 2w5d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 210.183.62.105(2918) -> 203.30.z.134(12345), 1 packet

209.253.144.78 (OSHKB103-30.splitrock.net)

Jun 11 05:52:48 862: router2 5w5d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 209.253.144.78(1749) -> 203.23.y.43(12345), 1 packet
Jun 11 05:52:53 863: router2 5w5d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 209.253.144.78(1750) -> 203.23.y.44(12345), 1 packet
Jun 11 05:52:58 864: router2 5w5d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 209.253.144.78(1751) -> 203.23.y.45(12345), 1 packet
Jun 11 05:53:03 865: router2 5w5d: %SEC-6-IPACCESSLOGP: list 100 denied tcp 209.253.144.78(1752) -> 203.23.y.46(12345), 1 packet

Jun 11 14:48:10 4916: router3 2w6d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 211.51.191.93(3045) -> 203.34.x.66(12345), 1 packet
Jun 11 14:48:15 4917: router3 2w6d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 211.51.191.93(3046) -> 203.34.x.67(12345), 1 packet
Jun 11 14:48:20 4918: router3 2w6d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 211.51.191.93(3047) -> 203.34.x.68(12345), 1 packet
Jun 11 14:48:25 4919: router3 2w6d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 211.51.191.93(3048) -> 203.34.x.69(12345), 1 packet

Also full network netbios scanning, but at greater intervals

Similar scans have also come from 208.128.46.11 (11-ppp1-CC.trip.net)

Jun 12 09:25:52 59098: router4 10w1d: %SEC-6-IPACCESSLOGP: list foo-list-in denied udp 209.103.218.155(137) -> 203.38.n.34(137), 2 packets
Jun 12 09:26:08 59099: router4 10w1d: %SEC-6-IPACCESSLOGP: list foo-list-in denied udp 209.103.218.155(137) -> 203.38.n.35(137), 2 packets
Jun 12 09:26:16 59100: router4 10w1d: %SEC-6-IPACCESSLOGP: list foo-list-in denied udp 209.103.218.155(137) -> 203.38.n.36(137), 2 packets
Jun 12 09:26:25 59101: router4 10w1d: %SEC-6-IPACCESSLOGP: list foo-list-in denied udp 209.103.218.155(137) -> 203.38.n.37(137), 2 packets

Cheers
__________________________________________________
Luke Dudney
Systems Administration
WestNet - WA's Statewide Internet Provider
Phone: 9218 2600 - Fax: 9218 2666
http://www.wn.com.au
__________________________________________________
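
Added example, not part of the original message: a small Python parser for the %SEC-6-IPACCESSLOGP lines quoted above that groups denies by source and destination port and reports sources walking across several destination addresses, with the median interval between hits. The function name find_sweeps, the min_targets threshold and the year parameter are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Matches the Cisco IOS %SEC-6-IPACCESSLOGP lines quoted in the post. Destination
# octets may be letters because the poster redacted them (203.30.z.131).
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) .*%SEC-6-IPACCESSLOGP: list \S+ denied "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\w.]+)\((?P<dport>\d+)\)"
)

def find_sweeps(log_text, min_targets=3, year=2000):
    """Group denies by (source, protocol, destination port); report sources that
    hit at least min_targets distinct destinations, with the median gap in seconds."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        # Syslog timestamps carry no year; the year is an assumption (parameter).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[(m["src"], m["proto"], int(m["dport"]))].append((ts, m["dst"]))
    sweeps = []
    for (src, proto, dport), events in sorted(hits.items()):
        events.sort()
        targets = {dst for _, dst in events}
        if len(targets) < min_targets:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sweeps.append({"src": src, "proto": proto, "dport": dport,
                       "targets": len(targets), "median_gap_s": median(gaps)})
    return sweeps

# The first six lines are copied from the post; the last line is constructed (a
# lone deny from a documentation address) to show single hits are not reported.
SAMPLE = """\
Jun 11 04:10:29 4554: router1 2w5d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 210.183.62.105(2915) -> 203.30.z.131(12345), 1 packet
Jun 11 04:10:34 4555: router1 2w5d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 210.183.62.105(2916) -> 203.30.z.132(12345), 1 packet
Jun 11 04:10:39 4556: router1 2w5d: %SEC-6-IPACCESSLOGP: list 102 denied tcp 210.183.62.105(2917) -> 203.30.z.133(12345), 1 packet
Jun 12 09:25:52 59098: router4 10w1d: %SEC-6-IPACCESSLOGP: list foo-list-in denied udp 209.103.218.155(137) -> 203.38.n.34(137), 2 packets
Jun 12 09:26:08 59099: router4 10w1d: %SEC-6-IPACCESSLOGP: list foo-list-in denied udp 209.103.218.155(137) -> 203.38.n.35(137), 2 packets
Jun 12 09:26:16 59100: router4 10w1d: %SEC-6-IPACCESSLOGP: list foo-list-in denied udp 209.103.218.155(137) -> 203.38.n.36(137), 2 packets
Jun 12 10:00:00 59200: router4 10w1d: %SEC-6-IPACCESSLOGP: list foo-list-in denied tcp 192.0.2.10(40000) -> 203.38.n.40(80), 1 packet
"""

if __name__ == "__main__":
    for sweep in find_sweeps(SAMPLE):
        print(sweep)
```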