Security Incidents mailing list archives

Re: Scan of ports 100 and 510


From: Sean Brown <srbrown () APPGEO COM>
Date: Mon, 27 Nov 2000 19:00:48 -0500

Len,
I've got a correlation on this traffic, though the src address is
different.  My logs are GMT-5.

Nov 26 19:31:27 <host> kernel: Packet log: bad-if REJECT eth0 PROTO=6 208.196.45.139:510 x.y.z.101:400 L=40 S=0x00 I=2162 F=0x0000 T=245 SYN (#39)
Nov 26 19:31:30 <host> kernel: Packet log: bad-if REJECT eth0 PROTO=6 208.196.45.139:510 x.y.z.102:400 L=40 S=0x00 I=6261 F=0x0000 T=245 SYN (#39)
...throughout my subnet.

-Sean

Len Burns wrote:

Hi,

Earlier this evening, I observed the following scan of most of our
class C subnets:
Nov 26 17:45:12 208.185.167.115:510 -> xxx.xxx.xxx.240:100 SYN ******S*
And then 2 hours later:
Nov 26 19:45:11 208.185.167.115:510 -> xxx.xxx.xxx.240:510 SYN ******S*
(Logs in GMT-800)

Researching this a bit, all I could find is
newacct  100/tcp   unauthorized use
fcp   510/tcp   FirstClass Protocol

I am not grasping the significance.  Thoughts?

-Len

--
~~~~~~~~~~~~~~~
Sean R. Brown - srbrown () appgeo com
System Administrator   Applied Geographics, Inc.   Boston, MA

