Re: [unisog] Re: large scale distributed scan of port tcp 445

[Russell Fulton <r.fulton () auckland ac nz>]

On Fri, 2002-08-09 at 11:53, Muhammad Faisal Rauf Danka wrote:
> Which firewall logs these are? ,Because i'm unable to find the bits
> set, whether it was a TCP Scan of halfopen SYN Scan?
> Since mostly worms would TCP Scan from infected boxes, so if it's
> a SYN Scan, then probably it's an intentional Scan. 
> just wondering..

The scans were detect by my own scan detector which is a perl script and
reads argus records.  The code is distributed with argus
<www.qosient.com>.

The probes were all TCP SYNs.  Only one per target which suggest a half
open scan (we block 445 at the firewall so nothing responded and I can't
be sure if it really was a half open scan).

I doubt very much if this is a worm, my guess is that it is some group
with a group of zombies who want many more...

BTW a few weeks ago I did see some very similar scans but just with
10-20 hosts.  It may be the same group with more resources...

-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand

"It aint necessarily so"  - Gershwin


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com