Security Incidents mailing list archives
Re: Slow scan
From: MJParkin () COLT-TELECOM COM (Parkin, Miles)
Date: Tue, 23 May 2000 09:55:56 +0100
I've seen a lot of slow pop2 scans. Very quiet and hardly seen if you don't go out and look for it. These scans are always about 20 mins apart, and don't always cover a complete C address range.

Regards,
Miles.

-----Original Message-----
From: Jens Hektor [mailto:hektor () RZ RWTH-AACHEN DE]
Sent: 22 May 2000 10:09
To: INCIDENTS () SECURITYFOCUS COM
Subject: Slow scan

Hi,

here are the traces of a slow scan which is currently investigating our net. About every 20 minutes the next address in a class-C net is tested, but we see the same method in the whole class-B net.

So my automatic classification based on a 10-minute summary fails to label this a portscan, but the access is noticed anyway ...

** Access **
May 21 21:47:13 - May 21 21:47:13: 204.196.156.4 (borge.desoto.k12.la.us)
1 tries to 137.226.X.2 - 137.226.X.2 (1), Proto: TCP, Ports: pop2

** Access **
May 21 22:08:55 - May 21 22:08:55: 204.196.156.4 (borge.desoto.k12.la.us)
1 tries to 137.226.X.3 - 137.226.X.3 (1), Proto: TCP, Ports: pop2

and so on and on ...

Bye, Jens
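Added example, not part of either message: a per-source count of distinct destinations on one port, evaluated over a sliding window, shows why a 10-minute summary misses a probe sent every 20 minutes or so while a 24-hour window catches it. The addresses, event tuples, threshold of 5 and function names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

POP2 = 109  # TCP port registered for pop2

def probes(src, dsts, start, gap_minutes, port=POP2):
    """Constructed sample data: one connection attempt per gap_minutes."""
    return [(start + timedelta(minutes=gap_minutes * i), src, dst, port)
            for i, dst in enumerate(dsts)]

def max_distinct_targets(events, window):
    """Per (source, port): the most distinct destinations contacted within
    any sliding interval of length `window`."""
    by_key = defaultdict(list)
    for ts, src, dst, port in sorted(events):
        by_key[(src, port)].append((ts, dst))
    best = {}
    for key, hits in by_key.items():
        live, lo, top = defaultdict(int), 0, 0
        for ts, dst in hits:
            live[dst] += 1
            while hits[lo][0] <= ts - window:  # expire hits older than the window
                old = hits[lo][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                lo += 1
            top = max(top, len(live))
        best[key] = top
    return best

def flag_scanners(events, window, threshold):
    """Sources that touched at least `threshold` distinct hosts on one port."""
    counts = max_distinct_targets(events, window)
    return sorted(key for key, n in counts.items() if n >= threshold)

# Constructed traffic (documentation address ranges, not data from the post):
START = datetime(2000, 5, 21, 21, 47, 13)
SLOW = probes("192.0.2.10", [f"198.51.100.{n}" for n in range(2, 32)], START, 21)
BENIGN = probes("192.0.2.77", ["198.51.100.25"] * 50, START, 5)  # one client, one server
EVENTS = SLOW + BENIGN

if __name__ == "__main__":
    for label, window in (("10 min", timedelta(minutes=10)), ("24 h", timedelta(hours=24))):
        print(label, flag_scanners(EVENTS, window, threshold=5))
```

The long window costs state per source, so in practice it is usually limited to ports that see little legitimate traffic, such as pop2 here.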