Security Incidents mailing list archives

Slow scan

From: hektor () RZ RWTH-AACHEN DE (Jens Hektor)
Date: Mon, 22 May 2000 09:09:15 -0000


Hi,

here are the traces of a slow scan which is currently
investigating our net.

About every 20 Minutes the next adress in a class-C
net ist tested, but we see the same method in the whole
the class-B net.

So my automatic classification based on a 10-minute summary
fails to label this a portscan, but the access is noticed 
anyway ...

**  Access   ** May 21 21:47:13 - May 21 21:47:13:
204.196.156.4 (borge.desoto.k12.la.us) 1 tries to
137.226.X.2 - 137.226.X.2 (1), Proto: TCP, Ports: pop2
**  Access   ** May 21 22:08:55 - May 21 22:08:55:
204.196.156.4 (borge.desoto.k12.la.us) 1 tries to
137.226.X.3 - 137.226.X.3 (1), Proto: TCP, Ports: pop2

and so on and on ...

Bye, Jens

Current thread:

udp traffic to port 137 tobias wigand (May 19)
- network.exe -- was -- Re: udp traffic to port 137 Walt (May 20)
- Hmmm... named again. Bugtraq List (May 22)
- Slow scan Jens Hektor (May 22)
  - Re: Slow scan, the rest of the story Jens Hektor (May 24)
- Re: udp traffic to port 137 Robert Saraceno, Jr. (May 22)