Re: RPC scans

[Jonathan Rickman <jonathan () xcorps net>]

On Tue, 13 Aug 2002, Jonathan Rickman wrote:

> Business is starting to pick up here in my little corner of the net. 111
> has been the favorite target for passing scanners for the last 4 hours now
> and the frequency seems to be increasing. Interestingly enough, most of
> the IP addresses is a dshield repeat offender for RPC scans. Out of 139
> individual hosts, so far all but two have been in China. One was good old
> .kr and another was an Aussie. Am I alone here, or is something
> coordinated/distributed going on?

In reply to my own post...

Grammar check: ...are dshield repeat offenders...

They suddenly stopped at 18:18 EDT. A machine that had passed through the
subnet in numerical order twice already, stopped in mid scan. Either
someone in China caught on to what was going on and took steps to filter
it, or my post struck fear into the heart of the kiddies behind it. :)

Either way works for me...but it'd be nice to think that the kids ph33r
me!

-- 
Jonathan Rickman
X Corps Security
http://www.xcorps.net




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com