Security Incidents mailing list archives
Re: Port 111 Scans (odd single IP# probes too)
From: Scott Nursten <scottn () INFRONT CO UK>
Date: Thu, 15 Mar 2001 10:11:45 +0000
Hi,

Here is a list of the IPs that have done repeated (i.e. more than 1) rpc scans on our networks:

Abuse / Tech contacts have been informed. Quite a few from the .kr region with no response / usual response.

Rgds,
Scott Nursten

Bryan Andersen wrote:
> Chris Schuler wrote:
>
> > anyone else seeing port 111/rpc scans from this ip? 211.185.160.193
> > I've seen at least two walks of my ip address space by this host.
> >
> > Mar 13 09:45:08 211.185.160.193:4671 -> xxx.xxx.xxx.xxx:111 SYN ******S*
> > Mar 13 09:45:08 211.185.160.193:4670 -> xxx.xxx.xxx.xxx:111 SYN ******S*
> > Mar 13 09:45:08 211.185.160.193:4672 -> xxx.xxx.xxx.xxx:111 SYN ******S*
> > ...
>
> No, but I have from a bunch of other IP#s. It seems like a lot of them lately. This is just from Mar 5th till now. I also find the number of single *.17 probes interesting. For each of the single probes this was the only activity seen from that */16 net with one exception that had web activity for a different IP# on a different day.
>
> Dates and times are US/Central, -500. Output is tcpdump.
>
> File tcp.2001-03-05_06:03:39.gz
> ------------------------
> 06:07:24.543582 210.0.140.2.2961 > *.16.111: S 1350150974:1350150974(0) win 32120 <mss 1460,sackOK,timestamp 2439002 0,nop,wscale 0> (DF)
> 06:07:24.544879 210.0.140.2.2962 > *.17.111: S 1349617676:1349617676(0) win 32120 <mss 1460,sackOK,timestamp 2439002 0,nop,wscale 0> (DF)
> 06:07:24.546376 210.0.140.2.2964 > *.19.111: S 1358368956:1358368956(0) win 32120 <mss 1460,sackOK,timestamp 2439002 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-05_16:00:01.gz
> ------------------------
> 16:50:20.063618 57.66.15.3.2451 > *.17.111: S 692114147:692114147(0) win 32120 <mss 1460,sackOK,timestamp 65274700 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-05_20:00:01.gz
> ------------------------
> 20:56:08.357111 138.100.124.208.1527 > *.16.111: S 3604836085:3604836085(0) win 32120 <mss 1460,sackOK,timestamp 4950704 0,nop,wscale 0> (DF)
> 20:56:08.602220 138.100.124.208.1528 > *.17.111: S 3605504737:3605504737(0) win 32120 <mss 1460,sackOK,timestamp 4950704 0,nop,wscale 0> (DF)
> 20:56:08.609674 138.100.124.208.1530 > *.19.111: S 3605790791:3605790791(0) win 32120 <mss 1460,sackOK,timestamp 4950704 0,nop,wscale 0> (DF)
> 20:56:11.183019 138.100.124.208.1528 > *.17.111: S 3605504737:3605504737(0) win 32120 <mss 1460,sackOK,timestamp 4951004 0,nop,wscale 0> (DF)
> 20:56:11.184461 138.100.124.208.1530 > *.19.111: S 3605790791:3605790791(0) win 32120 <mss 1460,sackOK,timestamp 4951004 0,nop,wscale 0> (DF)
> 20:56:11.185647 138.100.124.208.1527 > *.16.111: S 3604836085:3604836085(0) win 32120 <mss 1460,sackOK,timestamp 4951004 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-06_11:00:01.gz
> ------------------------
> 11:52:17.543331 211.20.96.109.765 > *.16.111: S 2745833423:2745833423(0) win 16060 <mss 1460,sackOK,timestamp 73530420 0,nop,wscale 0> (DF)
> 11:52:17.559887 211.20.96.109.766 > *.17.111: S 2751743162:2751743162(0) win 16060 <mss 1460,sackOK,timestamp 73530423 0,nop,wscale 0> (DF)
> 11:52:17.587212 211.20.96.109.768 > *.19.111: S 2739880437:2739880437(0) win 16060 <mss 1460,sackOK,timestamp 73530428 0,nop,wscale 0> (DF)
> 11:52:20.438161 211.20.96.109.765 > *.16.111: S 2745833423:2745833423(0) win 16060 <mss 1460,sackOK,timestamp 73530720 0,nop,wscale 0> (DF)
> 11:52:20.448115 211.20.96.109.766 > *.17.111: S 2751743162:2751743162(0) win 16060 <mss 1460,sackOK,timestamp 73530723 0,nop,wscale 0> (DF)
> 11:52:20.515802 211.20.96.109.768 > *.19.111: S 2739880437:2739880437(0) win 16060 <mss 1460,sackOK,timestamp 73530728 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-06_18:00:20.gz
> ------------------------
> 18:12:51.287612 63.237.170.8.4001 > *.17.111: S 345196125:345196125(0) win 32120 <mss 1460,sackOK,timestamp 8516589 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-06_20:00:47.gz
> ------------------------
> 20:21:29.548384 4.33.199.246.2413 > *.16.111: S 4257382697:4257382697(0) win 32120 <mss 1460,sackOK,timestamp 52197010 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-06_22:00:16.gz
> ------------------------
> 22:09:15.144595 24.27.244.122.2415 > *.16.111: S 2142110321:2142110321(0) win 32120 <mss 1460,sackOK,timestamp 3231310 0,nop,wscale 0> (DF)
> 22:09:15.145898 24.27.244.122.2416 > *.17.111: S 2147217323:2147217323(0) win 32120 <mss 1460,sackOK,timestamp 3231310 0,nop,wscale 0> (DF)
> 22:09:15.147396 24.27.244.122.2418 > *.19.111: S 2153850690:2153850690(0) win 32120 <mss 1460,sackOK,timestamp 3231310 0,nop,wscale 0> (DF)
> 22:09:17.896265 24.27.244.122.2415 > *.16.111: S 2142110321:2142110321(0) win 32120 <mss 1460,sackOK,timestamp 3231610 0,nop,wscale 0> (DF)
> 22:09:17.897609 24.27.244.122.2416 > *.17.111: S 2147217323:2147217323(0) win 32120 <mss 1460,sackOK,timestamp 3231610 0,nop,wscale 0> (DF)
> 22:09:17.900415 24.27.244.122.2418 > *.19.111: S 2153850690:2153850690(0) win 32120 <mss 1460,sackOK,timestamp 3231610 0,nop,wscale 0> (DF)
> 22:09:23.768779 24.27.244.122.2415 > *.16.111: S 2142110321:2142110321(0) win 32120 <mss 1460,sackOK,timestamp 3232210 0,nop,wscale 0> (DF)
> 22:09:23.770119 24.27.244.122.2416 > *.17.111: S 2147217323:2147217323(0) win 32120 <mss 1460,sackOK,timestamp 3232210 0,nop,wscale 0> (DF)
> 22:09:23.805347 24.27.244.122.2418 > *.19.111: S 2153850690:2153850690(0) win 32120 <mss 1460,sackOK,timestamp 3232210 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-07_14:01:15.gz
> ------------------------
> 14:51:47.682161 211.174.179.233.2617 > *.16.111: S 1286938356:1286938356(0) win 32120 <mss 1460,sackOK,timestamp 144922346 0,nop,wscale 0> (DF)
> 14:51:47.683475 211.174.179.233.2618 > *.17.111: S 1279339279:1279339279(0) win 32120 <mss 1460,sackOK,timestamp 144922346 0,nop,wscale 0> (DF)
> 14:51:47.686269 211.174.179.233.2620 > *.19.111: S 1273981360:1273981360(0) win 32120 <mss 1460,sackOK,timestamp 144922346 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-08_03:00:03.gz
> ------------------------
> 03:18:17.650659 216.40.82.34.4008 > *.17.111: S 3244583708:3244583708(0) win 32120 <mss 1460,sackOK,timestamp 23510927 0,nop,wscale 0> (DF)
> 03:18:17.652150 216.40.82.34.4010 > *.19.111: S 3236756659:3236756659(0) win 32120 <mss 1460,sackOK,timestamp 23510927 0,nop,wscale 0> (DF)
> 03:18:19.562250 216.40.82.34.3814 > *.16.111: S 3237532592:3237532592(0) win 32120 <mss 1460,sackOK,timestamp 23511117 0,nop,wscale 0> (DF)
> 03:18:20.670759 216.40.82.34.4008 > *.17.111: S 3244583708:3244583708(0) win 32120 <mss 1460,sackOK,timestamp 23511227 0,nop,wscale 0> (DF)
> 03:18:20.672179 216.40.82.34.4010 > *.19.111: S 3236756659:3236756659(0) win 32120 <mss 1460,sackOK,timestamp 23511227 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-08_08:03:01.gz
> ------------------------
> 08:32:51.419847 210.12.143.7.4888 > *.17.111: S 119650412:119650412(0) win 32120 <mss 1460,sackOK,timestamp 10697278 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-09_22:00:02.gz
> ------------------------
> 22:39:17.163349 211.217.137.225.3625 > *.17.111: S 3388248271:3388248271(0) win 32120 <mss 1460,sackOK,timestamp 64704099 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-10_10:00:03.gz
> ------------------------
> 10:41:19.579963 202.69.83.4.4745 > *.17.111: S 3653009893:3653009893(0) win 32120 <mss 1460,sackOK,timestamp 20633334 0,nop,wscale 0> (DF)
> 10:41:19.581437 202.69.83.4.4752 > *.19.111: S 3650648111:3650648111(0) win 32120 <mss 1460,sackOK,timestamp 20633334 0,nop,wscale 0> (DF)
> 10:41:19.583899 202.69.83.4.4744 > *.16.111: S 3661270159:3661270159(0) win 32120 <mss 1460,sackOK,timestamp 20633334 0,nop,wscale 0> (DF)
> 10:44:02.168577 208.59.211.26.1424 > *.16.111: S 2302414493:2302414493(0) win 32120 <mss 1460,sackOK,timestamp 7871503 0,nop,wscale 0> (DF)
> 10:44:02.171259 208.59.211.26.1425 > *.17.111: S 2310082611:2310082611(0) win 32120 <mss 1460,sackOK,timestamp 7871503 0,nop,wscale 0> (DF)
> 10:44:02.172700 208.59.211.26.1427 > *.19.111: S 2300000484:2300000484(0) win 32120 <mss 1460,sackOK,timestamp 7871503 0,nop,wscale 0> (DF)
> 10:44:05.162774 208.59.211.26.1424 > *.16.111: S 2302414493:2302414493(0) win 32120 <mss 1460,sackOK,timestamp 7871803 0,nop,wscale 0> (DF)
> 10:44:05.165449 208.59.211.26.1425 > *.17.111: S 2310082611:2310082611(0) win 32120 <mss 1460,sackOK,timestamp 7871803 0,nop,wscale 0> (DF)
> 10:44:05.166922 208.59.211.26.1427 > *.19.111: S 2300000484:2300000484(0) win 32120 <mss 1460,sackOK,timestamp 7871803 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-10_16:00:04.gz
> ------------------------
> 16:07:57.817698 195.153.143.19.3402 > *.19.111: S 1688294726:1688294726(0) win 32120 <mss 1460,sackOK,timestamp 21475244 0,nop,wscale 0> (DF)
> 16:07:57.827483 195.153.143.19.3400 > *.17.111: S 1696172852:1696172852(0) win 32120 <mss 1460,sackOK,timestamp 21475244 0,nop,wscale 0> (DF)
> 16:07:57.834149 195.153.143.19.3399 > *.16.111: S 1696129009:1696129009(0) win 32120 <mss 1460,sackOK,timestamp 21475244 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-13_09:00:04.gz
> ------------------------
> 09:44:32.709245 129.142.170.149.2051 > *.17.111: S 1252476865:1252476865(0) win 32120 <mss 1460,sackOK,timestamp 6967404 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-13_16:00:40.gz
> ------------------------
> 16:24:57.727282 216.29.28.46.3339 > *.17.111: S 3529363346:3529363346(0) win 32120 <mss 1460,sackOK,timestamp 115469605 0,nop,wscale 0> (DF)
>
> File tcp.2001-03-13_18:00:51.gz
> ------------------------
> 18:25:42.561471 210.178.22.129.3353 > *.16.111: S 1232149209:1232149209(0) win 32120 <mss 1460,sackOK,timestamp 51103188 0,nop,wscale 0> (DF)
> 18:25:42.564074 210.178.22.129.3354 > *.17.111: S 1236301047:1236301047(0) win 32120 <mss 1460,sackOK,timestamp 51103188 0,nop,wscale 0> (DF)
> 18:25:42.565577 210.178.22.129.3356 > *.19.111: S 1225194465:1225194465(0) win 32120 <mss 1460,sackOK,timestamp 51103188 0,nop,wscale 0> (DF)
> 18:25:45.537391 210.178.22.129.3353 > *.16.111: S 1232149209:1232149209(0) win 32120 <mss 1460,sackOK,timestamp 51103488 0,nop,wscale 0> (DF)
> 18:25:45.538729 210.178.22.129.3354 > *.17.111: S 1236301047:1236301047(0) win 32120 <mss 1460,sackOK,timestamp 51103488 0,nop,wscale 0> (DF)
> 18:25:45.541507 210.178.22.129.3356 > *.19.111: S 1225194465:1225194465(0) win 32120 <mss 1460,sackOK,timestamp 51103488 0,nop,wscale 0> (DF)
>
> --
> | Bryan Andersen | bryan () visi com | http://softail.visi.com |
> | Buzzwords are like annoying little flies that deserve to be swatted. |
> | -Bryan Andersen |
--
Scott Nursten - Systems Administrator
Streets Online Ltd.
Business: +44 (0) 1293 402 040
Fax: +44 (0) 1293 402 050
Email: scottn () streetsonline co uk
--------------------------------------------------------------
"Facts do not cease to exist because they are ignored."
Aldous Huxley
--------------------------------------------------------------
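
Added example, not part of any poster's message: a Python parser for tcpdump SYN lines in the format quoted in this thread. It separates sources that sweep several hosts on port 111 from the single-host probes Bryan describes, and counts SYN retransmissions. The function name `classify_rpc_probes` and the sample lines (documentation address ranges) are constructed for illustration.

```python
import re
from collections import defaultdict

# tcpdump SYN line in the format quoted in the thread, e.g.
# 06:07:24.543582 210.0.140.2.2961 > *.16.111: S 1350150974:1350150974(0) win 32120 ...
SYN_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\S+)\.(?P<dport>\d+): S (?P<seq>\d+):\d+\(0\)"
)

# Constructed sample input (documentation address ranges, not data from the thread).
SAMPLE = """\
09:00:01.100000 192.0.2.10.2961 > *.16.111: S 1000:1000(0) win 32120 <mss 1460> (DF)
09:00:01.101000 192.0.2.10.2962 > *.17.111: S 2000:2000(0) win 32120 <mss 1460> (DF)
09:00:01.102000 192.0.2.10.2964 > *.19.111: S 3000:3000(0) win 32120 <mss 1460> (DF)
09:00:04.100000 192.0.2.10.2961 > *.16.111: S 1000:1000(0) win 32120 <mss 1460> (DF)
11:30:00.500000 198.51.100.7.4001 > *.17.111: S 4000:4000(0) win 32120 <mss 1460> (DF)
11:31:00.000000 203.0.113.5.1025 > *.16.80: S 5000:5000(0) win 32120 <mss 1460> (DF)
not a tcpdump line
"""

def classify_rpc_probes(text, port=111):
    """Group SYNs to `port` by source and label each source 'sweep' or 'single'."""
    targets = defaultdict(set)    # src -> distinct destination hosts
    attempts = defaultdict(set)   # src -> distinct (sport, dst, seq) attempts
    packets = defaultdict(int)    # src -> total SYN packets seen
    for line in text.splitlines():
        m = SYN_RE.match(line.strip())
        if not m or int(m["dport"]) != port:
            continue
        src = m["src"]
        targets[src].add(m["dst"])
        attempts[src].add((m["sport"], m["dst"], m["seq"]))
        packets[src] += 1
    report = {}
    for src in targets:
        report[src] = {
            "kind": "sweep" if len(targets[src]) > 1 else "single",
            "targets": sorted(targets[src]),
            # A SYN repeating the same source port and sequence number is a
            # retransmission by the sender's stack, not a new probe.
            "retransmits": packets[src] - len(attempts[src]),
        }
    return report

if __name__ == "__main__":
    for src, info in sorted(classify_rpc_probes(SAMPLE).items()):
        print(src, info)
```

Counting retransmissions separately keeps a source that sent one probe and retried it from looking like repeated scanning.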