Security Incidents mailing list archives
re: TCP 1025 scanning worm?
From: "Richard Johnson" <rdump () river com>
Date: Thu, 18 Jul 2002 14:07:39 -0600
At 11:36 -0700 on 18/07/2002, H C wrote:

> Have you checked your own machine w/ fport? I've got ports open in that range on my system right now, but they're all used by MS processes.

Don't have any windows boxes. ;-)

> > The ramp up in volume from widely separated sourceIPs looks wormy.
>
> How so? The log extract you provided doesn't show any data...it looks as if the initial SYN packet was denied. This could easily be a port scanner.

Yes, it was clearly a port scan. The ramp up among divergent source IPs I saw while I was sitting on 206./16 and later 204./16 networks looked like a spreading infection. I've seen little corroboration, though, so I'm concluding whatever was going on was targeted at a few networks, or had a very poor RNG for seeding the scan list. It never made it down to 138./16 or 128./16, as far as I can tell.

Richard