Security Incidents mailing list archives

Re: slow scans for tcp port 524 and 137


From: Jens Hektor <hektor () RZ RWTH-AACHEN DE>
Date: Wed, 25 Oct 2000 22:23:53 -0000

Hi Russel,

I have seen similar probing (only port 524; 137 is not monitored).

Over the last week or so I have picked up three machines probing for udp 137 and tcp 524. Probes appear to be to random addresses in our address space (some are in use, many not) and occur at random time intervals, mean around an hour but with some long intervals suggesting that the machine was powered off.

All machines are in 130.0.0.0/8 as are we.  

Funny enough: I have seen some probes from 134.0.0.0/8 (as we are), but not only.

Some logs:

Cisco #1
Oct 23 20:29:55.984 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 134.7.147.30(1099) -> 134.130.x.157(524), 2 packets
Oct 23 20:24:12.269 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 134.7.147.30(1099) -> 134.130.x.157(524), 1 packet

Cisco #2
Oct 23 14:27:54.296 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 134.7.147.30(3612) -> 134.130.y.235(524), 2 packets
Oct 23 14:22:37.932 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 134.7.147.30(3612) -> 134.130.y.235(524), 1 packet

Cisco #3
Oct 11 14:08:11.928 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 216.227.50.157(2919) -> 134.130.z.178(524), 2 packets
Oct 11 14:02:47.799 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 216.227.50.157(2919) -> 134.130.z.178(524), 1 packet

Different system:
Oct 23 11:29:35 - Oct 23 11:29:44: 134.7.147.39 (no DNS entry) 3 tries to 137.226.76.28 - 137.226.x.28 (1), Proto: TCP, Ports: 524
Oct 19 23:53:59 - Oct 19 23:54:08: 158.222.125.222 (no DNS entry) 3 tries to 137.226.76.204 - 137.226.x.204 (1), Proto: TCP, Ports: 524

Bye, Jens
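As an added example, not part of Jens's message or of the original thread: a small Python script that parses Cisco IOS ACL-log lines (%SEC-6-IPACCESSLOGP) of the kind posted above, aggregates them per source address and destination port, and flags sources that touch several distinct hosts on the same port over a long time span, which is the pattern of slow, random-interval probing described in the thread. The log lines (TEST-NET addresses), the year, and the thresholds are constructed assumptions, not data from the thread.

```python
"""Aggregate Cisco IOS %SEC-6-IPACCESSLOGP lines per source and flag slow
scanners: sources hitting several distinct hosts on one port over a long
span.  Example code written for this archive page, not from the thread.
The sample log below is constructed (TEST-NET ranges); year and thresholds
are assumptions."""
import re
from datetime import datetime, timedelta

MONTHS = {m: i for i, m in enumerate(
    ["Jan", "Feb", "Mar", "Apr", "May", "Jun",
     "Jul", "Aug", "Sep", "Oct", "Nov", "Dec"], start=1)}

# Format seen in the thread:
# "<Mon> <d> <HH:MM:SS.mmm> <TZ>: %SEC-6-IPACCESSLOGP: list <acl> denied
#  <proto> <src>(<sport>) -> <dst>(<dport>), <n> packet(s)"
LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2})"
    r"(?:\.\d+)? \S+: %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)

# Constructed sample: one slow scanner on tcp/524, one noisy but
# single-target source on tcp/25, and one non-matching line.
SAMPLE_LOG = """\
Oct 23 14:22:37.932 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.10(3612) -> 198.51.100.235(524), 1 packet
Oct 23 14:27:54.296 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.10(3612) -> 198.51.100.235(524), 2 packets
Oct 23 20:24:12.269 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.10(1099) -> 198.51.100.157(524), 1 packet
Oct 23 20:29:55.984 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.10(1099) -> 198.51.100.157(524), 2 packets
Oct 24 09:03:11.001 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 192.0.2.10(2042) -> 198.51.100.8(524), 1 packet
Oct 24 09:15:40.500 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.7(40001) -> 198.51.100.20(25), 1 packet
Oct 24 09:20:41.500 MEZS: %SEC-6-IPACCESSLOGP: list 100 denied tcp 203.0.113.7(40001) -> 198.51.100.20(25), 40 packets
this line is not an ACL log entry
"""


def parse_line(line, year):
    """Return a dict for one ACL log line, or None if it does not match.
    Syslog lines carry no year, so the caller supplies it (assumed)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m["time"].split(":"))
    return {
        "ts": datetime(year, MONTHS[m["mon"]], int(m["day"]), h, mi, s),
        "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
        "packets": int(m["count"]),
    }


def summarize(lines, year):
    """Group entries by (source, proto, dport): distinct targets, packet
    total, number of log events, first and last timestamp."""
    by_src = {}
    for line in lines:
        e = parse_line(line, year)
        if e is None:
            continue
        key = (e["src"], e["proto"], e["dport"])
        s = by_src.setdefault(key, {"dsts": set(), "packets": 0, "events": 0,
                                    "first": e["ts"], "last": e["ts"]})
        s["dsts"].add(e["dst"])
        s["packets"] += e["packets"]
        s["events"] += 1
        s["first"] = min(s["first"], e["ts"])
        s["last"] = max(s["last"], e["ts"])
    return by_src


def slow_scanners(by_src, min_targets=2, min_span=timedelta(hours=1)):
    """Sources that hit >= min_targets distinct hosts on the same port with
    >= min_span between first and last hit (thresholds are assumptions)."""
    hits = []
    for (src, proto, dport), s in by_src.items():
        span = s["last"] - s["first"]
        if len(s["dsts"]) >= min_targets and span >= min_span:
            hits.append({"src": src, "proto": proto, "dport": dport,
                         "targets": len(s["dsts"]), "packets": s["packets"],
                         "span_hours": round(span.total_seconds() / 3600, 2)})
    return sorted(hits, key=lambda h: h["targets"], reverse=True)


if __name__ == "__main__":
    for h in slow_scanners(summarize(SAMPLE_LOG.splitlines(), 2000)):
        print(f"{h['src']} -> {h['targets']} hosts on {h['proto']}/{h['dport']}, "
              f"{h['packets']} packets over {h['span_hours']} h")
```

The "1 packet" / "2 packets" pairs about five minutes apart in the posted logs are the ACL-logging rate limit on IOS (the first match is logged at once, then a summary of later matches), so summing the packet counts per source gives the total; the score that separates a slow scanner from ordinary noise is the number of distinct targets over the time span, not the packet volume.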

