Security Incidents mailing list archives

Re: Distributed scan (src port 23) of our whole class C network


From: Tom Fischer <Tom.Fischer () RUS UNI-STUTTGART DE>
Date: Wed, 24 Jan 2001 11:29:37 +0100

Hi,

On Tue, Jan 23, 2001 at 11:53:11PM +0100, Ralf G. R. Bergs wrote:
> there's currently a distributed scan going on across our whole class C network
> (contained in the class B network 131.188.0.0/16.)
>
> The scanning machines send TCP packets with a source port of 23. The source IP
> addresses I've seen so far are
>
>   134.53.215.184 (ip134-053-215-184.s215.muohio.edu)
>   216.22.151.67 (fortress.omnicon.net)
>   209.220.244.18 (w018.z209220244.chi-il.dsl.cnc.net)
>   209.240.174.2 (apollo.netwest.com)
>
> Anyone else seen similar things going on?

we are observing these scans with a source port of 23 and various
attacked ports as well. The scans started at Jan 23 04:00 (UTC+0100
(MET)) and end at Jan 24 06:00 (UTC+0100 (MET)) from:

216.22.151.67
134.53.215.184
204.32.32.250
209.220.244.18

The responsible contact persons were informed.

209.240.174.2 does a scan with various source and attacked ports.

--
Tom Fischer                              Tom.Fischer () rus uni-stuttgart de
RUS-CERT Universitaet Stuttgart        Tel:+49 711 685-8076 / -5898 (fax)
Allmandring 30, D-70550 Stuttgart           http://cert.uni-stuttgart.de/
PGP: http://ca.uni-stuttgart.de:11371/pks/lookup?op=get&search=0x62B1DB01

