Security Incidents mailing list archives
Re: Slow scan
From: brian () CONFLUENCE COM (Brian Battle)
Date: Mon, 22 May 2000 18:04:03 -0400
I've seen similar scans from a Korean site searching for pop2 servers:

5/4/2000 2:49:17 AM list 102 denied tcp 210.97.123.3(0) -> xxx.xxx.xxx.111(109), 1 packet
5/4/2000 3:11:01 AM list 102 denied tcp 210.97.123.3(0) -> xxx.xxx.xxx.112(109), 1 packet
5/4/2000 3:32:44 AM list 102 denied tcp 210.97.123.3(0) -> xxx.xxx.xxx.113(109), 1 packet
5/4/2000 3:54:27 AM list 102 denied tcp 210.97.123.3(0) -> xxx.xxx.xxx.114(109), 1 packet
5/4/2000 4:16:10 AM list 102 denied tcp 210.97.123.3(0) -> xxx.xxx.xxx.115(109), 1 packet
5/4/2000 4:37:52 AM list 102 denied tcp 210.97.123.3(0) -> xxx.xxx.xxx.116(109), 1 packet

Probably someone searching for an exploitable pop2 server. I investigated a bit, and found a webserver of a Korean student of some kind on the scanning machine, but I couldn't translate much of it. Anyway, the link was terribly slow, which was what I assumed was taking the scan so long. However, it's awfully odd that your scan is 20 minutes apart as well. Does anyone know of a pop2 scanner that takes 20 minutes per target? Seems like a waste of time to search for outdated pop2 servers at 20 minutes a scan....

-----Original Message-----
From: Jens Hektor [mailto:hektor () RZ RWTH-AACHEN DE]
Sent: Monday, May 22, 2000 5:09 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Slow scan

Hi,

here are the traces of a slow scan which is currently investigating our net. About every 20 minutes the next address in a class-C net is tested, but we see the same method in the whole class-B net. So my automatic classification based on a 10-minute summary fails to label this a portscan, but the access is noticed anyway ...

** Access ** May 21 21:47:13 - May 21 21:47:13: 204.196.156.4 (borge.desoto.k12.la.us) 1 tries to 137.226.X.2 - 137.226.X.2 (1), Proto: TCP, Ports: pop2
** Access ** May 21 22:08:55 - May 21 22:08:55: 204.196.156.4 (borge.desoto.k12.la.us) 1 tries to 137.226.X.3 - 137.226.X.3 (1), Proto: TCP, Ports: pop2

and so on and on ...

Bye, Jens
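
Added example, not part of the original posts: a detection sketch showing why a 10-minute summary sees only one target per source while a longer sliding window over the same deny log counts the whole sweep. It parses the six log lines quoted in the message above (destinations stay masked and are treated as opaque strings); the function names, the 6-hour window and the threshold of 5 distinct hosts are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Deny-log lines exactly as quoted in the message above (destinations masked).
SAMPLE = """\
5/4/2000 2:49:17 AM list 102 denied tcp 210.97.123.3(0) -> xxx.xxx.xxx.111(109), 1 packet
5/4/2000 3:11:01 AM list 102 denied tcp 210.97.123.3(0) -> xxx.xxx.xxx.112(109), 1 packet
5/4/2000 3:32:44 AM list 102 denied tcp 210.97.123.3(0) -> xxx.xxx.xxx.113(109), 1 packet
5/4/2000 3:54:27 AM list 102 denied tcp 210.97.123.3(0) -> xxx.xxx.xxx.114(109), 1 packet
5/4/2000 4:16:10 AM list 102 denied tcp 210.97.123.3(0) -> xxx.xxx.xxx.115(109), 1 packet
5/4/2000 4:37:52 AM list 102 denied tcp 210.97.123.3(0) -> xxx.xxx.xxx.116(109), 1 packet
"""

LINE = re.compile(r"(\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) list \d+ denied tcp "
                  r"(\S+)\(\d+\) -> (\S+)\((\d+)\)")

def parse(text):
    """Yield (timestamp, src, dst, dport) for each denied-TCP line."""
    for m in LINE.finditer(text):
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
        yield ts, m.group(2), m.group(3), int(m.group(4))

def max_targets(events, window):
    """Per (src, dport): most distinct destinations inside any sliding window."""
    by_key = {}
    for ts, src, dst, dport in sorted(events):
        by_key.setdefault((src, dport), []).append((ts, dst))
    best = {}
    for key, hits in by_key.items():
        start, best[key] = 0, 0
        for end in range(len(hits)):
            # Slide the left edge until the span fits in the window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            best[key] = max(best[key], len(distinct))
    return best

def scanners(text, window, threshold):
    """Sources hitting >= threshold distinct hosts on one port within window."""
    counts = max_targets(parse(text), window)
    return sorted(key for key, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    print("10 min:", scanners(SAMPLE, timedelta(minutes=10), 5))  # misses the sweep
    print("6 h:   ", scanners(SAMPLE, timedelta(hours=6), 5))     # flags the source
```

Keeping only per-source sets of destinations over the long window keeps the state small enough to run alongside the short-window summary rather than replacing it.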