Security Incidents mailing list archives

Interesting scan


From: Bruce Parkinson <bruce.parkinson () PAVTECH CO NZ>
Date: Tue, 27 Feb 2001 10:20:47 +1300

Hi folks,

I received this scan on my home PC.  I've never seen one like this before -
anyone seen a tool to do this?  Logs are from an OpenBSD/ipfilter combo -
xx.xx.xx.xx is his IP address, yy.yy.yy.yy is my IP address, time is local.
Scan came from a dialup port at another ISP.  Our servers here at work
didn't receive the same scan, suggesting either a targeted scan or a random
class C.

Feb 23 20:29:20 gw ipmon[7532]: 20:29:19.913156 tun0 @0:32 p xx.xx.xx.xx -> yy.yy.yy.yy PR icmp len 20 16384 icmp 8/0
Feb 23 20:29:22 gw ipmon[7532]: 20:29:21.973737 tun0 @0:34 b xx.xx.xx.xx,2234 -> yy.yy.yy.yy,8080 PR tcp len 20 48 -S
Feb 23 20:29:23 gw ipmon[7532]: 20:29:22.861788 tun0 @0:34 b xx.xx.xx.xx,2235 -> yy.yy.yy.yy,80 PR tcp len 20 48 -S
Feb 23 20:29:23 gw ipmon[7532]: 20:29:22.971033 tun0 @0:34 b xx.xx.xx.xx,2236 -> yy.yy.yy.yy,8000 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.413716 tun0 @0:34 b xx.xx.xx.xx,2238 -> yy.yy.yy.yy,8888 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.459050 tun0 @0:34 b xx.xx.xx.xx,2239 -> yy.yy.yy.yy,10080 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.482886 tun0 @0:34 b xx.xx.xx.xx,2240 -> yy.yy.yy.yy,81 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.487500 tun0 @0:34 b xx.xx.xx.xx,2241 -> yy.yy.yy.yy,3128 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.610026 tun0 @0:34 b xx.xx.xx.xx,2243 -> yy.yy.yy.yy,23 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.620811 tun0 @0:34 b xx.xx.xx.xx,2242 -> yy.yy.yy.yy,1080 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.634191 tun0 @0:34 b xx.xx.xx.xx,2244 -> yy.yy.yy.yy,21 PR tcp len 20 48 -S
Feb 23 20:29:25 gw ipmon[7532]: 20:29:24.997069 tun0 @0:34 b xx.xx.xx.xx,2234 -> yy.yy.yy.yy,8080 PR tcp len 20 48 -S
Feb 23 20:29:26 gw ipmon[7532]: 20:29:25.831763 tun0 @0:34 b xx.xx.xx.xx,2235 -> yy.yy.yy.yy,80 PR tcp len 20 48 -S
Feb 23 20:29:26 gw ipmon[7532]: 20:29:25.890461 tun0 @0:34 b xx.xx.xx.xx,2236 -> yy.yy.yy.yy,8000 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.339200 tun0 @0:34 b xx.xx.xx.xx,2238 -> yy.yy.yy.yy,8888 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.427043 tun0 @0:34 b xx.xx.xx.xx,2241 -> yy.yy.yy.yy,3128 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.461000 tun0 @0:34 b xx.xx.xx.xx,2240 -> yy.yy.yy.yy,81 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.474311 tun0 @0:34 b xx.xx.xx.xx,2239 -> yy.yy.yy.yy,10080 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.540992 tun0 @0:34 b xx.xx.xx.xx,2243 -> yy.yy.yy.yy,23 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.557039 tun0 @0:34 b xx.xx.xx.xx,2242 -> yy.yy.yy.yy,1080 PR tcp len 20 48 -S
Feb 23 20:29:27 gw ipmon[7532]: 20:29:26.565064 tun0 @0:34 b xx.xx.xx.xx,2244 -> yy.yy.yy.yy,21 PR tcp len 20 48 -S
Feb 23 20:29:33 gw ipmon[7532]: 20:29:32.600511 tun0 @0:34 b xx.xx.xx.xx,2243 -> yy.yy.yy.yy,23 PR tcp len 20 48 -S
Feb 23 20:29:42 gw ipmon[7532]: 20:29:41.440641 tun0 @0:34 b xx.xx.xx.xx,2246 -> yy.yy.yy.yy,1080 PR tcp len 20 48 -S
Feb 23 20:29:45 gw ipmon[7532]: 20:29:44.480546 tun0 @0:34 b xx.xx.xx.xx,2246 -> yy.yy.yy.yy,1080 PR tcp len 20 48 -S

Comments welcome.

Thanks,
Bruce

-------------------------------------------------------
Bruce Parkinson           Phone   +64 7 838-2010
Systems Administrator     Fax     +64 7 838-0977
PavTech NZ Ltd &          Mobile  +64 25 545-142
Wave Internet             bruce.parkinson () pavtech co nz
PO Box 935, WMC
Hamilton                  http://www.pavtech.co.nz/
NEW ZEALAND               http://www.wave.co.nz/
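
Added example (not part of the original post): a small Python parser for ipmon lines in the format shown above, which separates new connection attempts from retransmitted SYNs so the set of probed ports can be read directly. The sample lines and the 192.0.2.10 / 198.51.100.7 addresses are constructed; treating a repeated (source port, destination port) pair as a retransmission is an assumption that holds over a short capture like this one.

```python
import re

# Matches the ipmon syslog layout seen in the post; ports are absent for ICMP.
LINE = re.compile(
    r"ipmon\[\d+\]: (?P<ts>\d\d:\d\d:\d\d\.\d+) \S+ @\d+:\d+ (?P<act>\w) "
    r"(?P<src>[^, ]+)(?:,(?P<sport>\d+))? -> (?P<dst>[^, ]+)(?:,(?P<dport>\d+))? "
    r"PR (?P<proto>\w+) len \d+ \d+ (?P<rest>.*)")

# Constructed sample modelled on the post's log (documentation addresses).
SAMPLE = """\
Feb 23 20:29:20 gw ipmon[7532]: 20:29:19.913156 tun0 @0:32 p 192.0.2.10 -> 198.51.100.7 PR icmp len 20 16384 icmp 8/0
Feb 23 20:29:22 gw ipmon[7532]: 20:29:21.973737 tun0 @0:34 b 192.0.2.10,2234 -> 198.51.100.7,8080 PR tcp len 20 48 -S
Feb 23 20:29:23 gw ipmon[7532]: 20:29:22.861788 tun0 @0:34 b 192.0.2.10,2235 -> 198.51.100.7,80 PR tcp len 20 48 -S
Feb 23 20:29:24 gw ipmon[7532]: 20:29:23.620811 tun0 @0:34 b 192.0.2.10,2242 -> 198.51.100.7,1080 PR tcp len 20 48 -S
Feb 23 20:29:25 gw ipmon[7532]: 20:29:24.997069 tun0 @0:34 b 192.0.2.10,2234 -> 198.51.100.7,8080 PR tcp len 20 48 -S
Feb 23 20:29:26 gw ipmon[7532]: 20:29:25.831763 tun0 @0:34 b 192.0.2.10,2235 -> 198.51.100.7,80 PR tcp len 20 48 -S
Feb 23 20:29:42 gw ipmon[7532]: 20:29:41.440641 tun0 @0:34 b 192.0.2.10,2246 -> 198.51.100.7,1080 PR tcp len 20 48 -S
Feb 23 20:29:45 gw ipmon[7532]: 20:29:44.480546 tun0 @0:34 b 192.0.2.10,2246 -> 198.51.100.7,1080 PR tcp len 20 48 -S
"""

def summarize(log):
    """Per source: echo requests, first-seen SYNs, and retransmitted SYNs."""
    out = {}
    for line in log.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not an ipmon packet line
        s = out.setdefault(m["src"], {"ping": 0, "attempts": {}, "retransmits": 0})
        if m["proto"] == "icmp" and m["rest"].endswith("8/0"):
            s["ping"] += 1  # ICMP type 8 code 0 = echo request
        elif m["proto"] == "tcp" and m["rest"].strip() == "-S":
            key = (int(m["sport"]), int(m["dport"]))
            if key in s["attempts"]:
                s["retransmits"] += 1  # same socket pair again: SYN retry
            else:
                s["attempts"][key] = m["ts"]  # new source port: new attempt
    return out

def ports(summary, src):
    """Distinct destination ports a source tried to open."""
    return sorted({dport for _, dport in summary[src]["attempts"]})

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for src, s in result.items():
        print(src, "pings:", s["ping"], "attempts:", len(s["attempts"]),
              "retransmits:", s["retransmits"], "ports:", ports(result, src))
```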






