Security Incidents mailing list archives

Re: Slow scan


From: brian () CONFLUENCE COM (Brian Battle)
Date: Mon, 22 May 2000 18:04:03 -0400


I've seen similar scans from a Korean site searching for pop2 servers:

5/4/2000 2:49:17 AM list 102 denied tcp 210.97.123.3(0) ->
xxx.xxx.xxx.111(109), 1 packet
5/4/2000 3:11:01 AM list 102 denied tcp 210.97.123.3(0) ->
xxx.xxx.xxx.112(109), 1 packet
5/4/2000 3:32:44 AM list 102 denied tcp 210.97.123.3(0) ->
xxx.xxx.xxx.113(109), 1 packet
5/4/2000 3:54:27 AM list 102 denied tcp 210.97.123.3(0) ->
xxx.xxx.xxx.114(109), 1 packet
5/4/2000 4:16:10 AM list 102 denied tcp 210.97.123.3(0) ->
xxx.xxx.xxx.115(109), 1 packet
5/4/2000 4:37:52 AM list 102 denied tcp 210.97.123.3(0) ->
xxx.xxx.xxx.116(109), 1 packet

Probably someone searching for an exploitable pop2 server.
I investigated a bit, and found a webserver of a Korean student of some kind
on the scanning machine, but I couldn't translate much of it.  Anyway, the
link was terribly slow, which was what I assumed was taking the scan so
long.  However, it's awfully odd that your scan is 20 minutes apart as well.
Does anyone know of a pop2 scanner that takes 20 minutes per target?  Seems
like a waste of time to search for outdated pop2 servers at 20 minutes a
scan....

-----Original Message-----
From: Jens Hektor [mailto:hektor () RZ RWTH-AACHEN DE]
Sent: Monday, May 22, 2000 5:09 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Slow scan

Hi,

here are the traces of a slow scan which is currently
investigating our net.

About every 20 minutes the next address in a class-C
net is tested, but we see the same method in the whole
class-B net.

So my automatic classification based on a 10-minute summary
fails to label this a portscan, but the access is noticed
anyway ...

**  Access   ** May 21 21:47:13 - May 21 21:47:13:
204.196.156.4 (borge.desoto.k12.la.us) 1 tries to
137.226.X.2 - 137.226.X.2 (1), Proto: TCP, Ports: pop2
**  Access   ** May 21 22:08:55 - May 21 22:08:55:
204.196.156.4 (borge.desoto.k12.la.us) 1 tries to
137.226.X.3 - 137.226.X.3 (1), Proto: TCP, Ports: pop2

and so on and on ...

Bye, Jens
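
The following is an added example and not code from either poster: a small
Python detector run over log lines constructed in the shape of the ACL deny
log quoted above (addresses below are made up, probes about 20 minutes apart).
It shows why a fixed 10-minute summary never sees more than one target from
the scanner, and how a long sliding window keyed on (source, destination port)
with a distinct-target threshold does flag the sweep. The parser, the 24-hour
window and the thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the shape of the ACL deny lines quoted in the
# thread (addresses made up). One unrelated probe from a second host is
# included so the detectors have something to ignore.
SAMPLE_LOG = """\
5/4/2000 2:49:17 AM list 102 denied tcp 210.97.123.3(0) -> 192.0.2.111(109), 1 packet
5/4/2000 2:55:40 AM list 102 denied tcp 198.51.100.7(0) -> 192.0.2.25(23), 1 packet
5/4/2000 3:11:01 AM list 102 denied tcp 210.97.123.3(0) -> 192.0.2.112(109), 1 packet
5/4/2000 3:32:44 AM list 102 denied tcp 210.97.123.3(0) -> 192.0.2.113(109), 1 packet
5/4/2000 3:54:27 AM list 102 denied tcp 210.97.123.3(0) -> 192.0.2.114(109), 1 packet
5/4/2000 4:16:10 AM list 102 denied tcp 210.97.123.3(0) -> 192.0.2.115(109), 1 packet
5/4/2000 4:37:52 AM list 102 denied tcp 210.97.123.3(0) -> 192.0.2.116(109), 1 packet
"""

# Constructed fast sweep (three hosts in three seconds) for contrast.
FAST_LOG = """\
5/4/2000 3:00:01 AM list 102 denied tcp 203.0.113.9(0) -> 192.0.2.1(109), 1 packet
5/4/2000 3:00:02 AM list 102 denied tcp 203.0.113.9(0) -> 192.0.2.2(109), 1 packet
5/4/2000 3:00:03 AM list 102 denied tcp 203.0.113.9(0) -> 192.0.2.3(109), 1 packet
"""

# Assumed line format: "<m/d/yyyy h:mm:ss AM|PM> list <n> denied <proto>
# <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d{4} \d+:\d+:\d+ [AP]M) list \d+ denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), \d+ packets?$"
)

EPOCH = datetime(1970, 1, 1)


def parse(log_text):
    """Return a list of (timestamp, src, dst, dport) for each well-formed line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return events


def bucketed_scan_alerts(events, bucket=timedelta(minutes=10), min_targets=3):
    """Fixed-bucket summary, like a 10-minute report: count distinct
    destination hosts per (src, dport) inside each bucket. A probe every
    20 minutes lands alone in its bucket and never reaches min_targets."""
    seen = defaultdict(set)  # (bucket index, src, dport) -> {dst, ...}
    for ts, src, dst, dport in events:
        bucket_idx = (ts - EPOCH) // bucket
        seen[(bucket_idx, src, dport)].add(dst)
    return sorted({(src, dport) for (_, src, dport), hosts in seen.items()
                   if len(hosts) >= min_targets})


def slow_scan_alerts(events, window=timedelta(hours=24), min_targets=5):
    """Sliding window over a long horizon: per (src, dport) keep the time each
    destination host was last probed, drop hosts older than `window`, and
    alert the first time the live set reaches min_targets. Returns
    {(src, dport): (time of alert, distinct hosts at that moment)}."""
    last_seen = defaultdict(dict)  # (src, dport) -> {dst: last timestamp}
    alerts = {}
    for ts, src, dst, dport in sorted(events):
        hosts = last_seen[(src, dport)]
        hosts[dst] = ts
        for stale in [h for h, t in hosts.items() if ts - t > window]:
            del hosts[stale]
        if len(hosts) >= min_targets and (src, dport) not in alerts:
            alerts[(src, dport)] = (ts, len(hosts))
    return alerts


if __name__ == "__main__":
    slow = parse(SAMPLE_LOG)
    print("10-minute buckets on the slow sweep:", bucketed_scan_alerts(slow))
    print("10-minute buckets on the fast sweep:", bucketed_scan_alerts(parse(FAST_LOG)))
    print("24-hour sliding window on the slow sweep:", slow_scan_alerts(slow))
```

The memory cost of the sliding window is bounded by the number of distinct
(source, port) pairs times the hosts each touched inside the window, so on a
class-B the expiry step matters; a real deployment would also want to key on
destination network rather than a flat host set, so one scanner walking
several /24s is counted once.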

