Security Incidents mailing list archives

re: TCP 1025 scanning worm?


From: "Richard Johnson" <rdump () river com>
Date: Thu, 18 Jul 2002 14:07:39 -0600

At 11:36 -0700 on 18/07/2002, H C wrote:
> Have you checked your own machine w/ fport?  I've got
> ports open in that range on my system right now, but
> they're all used by MS processes.


Don't have any windows boxes. ;-)


>> The ramp up in volume from widely separated source
>> IPs looks wormy.
>
> How so?  The log extract you provided doesn't show any
> data...it looks as if the initial SYN packet was
> denied.  This could easily be a port scanner.


Yes, it was clearly a port scan.  The ramp up among divergent source IPs I
saw while I was sitting on 206./16 and later 204./16 networks looked like a
spreading infection.

I've seen little corroboration, though, so I'm concluding whatever was
going on was targeted at a few networks, or had a very poor RNG for seeding
the scan list.  It never made it down to 138./16 or 128./16, as far as I
can tell.


Richard
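Richard's triage above (a denied-SYN log shows only who probed and where, a rising count of distinct source IPs over time looks like spread rather than a single scanner, and the set of target /16s says something about the scan list) can be turned into a small script. What follows is an added example written for this archive page, not code from either poster: the firewall log format, the sample lines and the thresholds are all constructed assumptions, so adapt LINE_RE to whatever your own firewall emits.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log (not from the original post). The line
# format "date time ACTION PROTO src:sport > dst:dport FLAGS" is an assumption
# made for this example. Destinations sit in 206./16 and 204./16, like the
# networks mentioned in the thread; sources ramp up hour by hour.
SAMPLE_LOG = """\
2002-07-18 09:01:12 DENY TCP 206.12.3.4:3321 > 206.17.5.9:1025 S
2002-07-18 09:14:55 DENY TCP 66.9.8.7:4012 > 206.17.5.10:1025 S
2002-07-18 10:02:03 DENY TCP 206.12.3.4:3390 > 206.17.5.11:1025 S
2002-07-18 10:05:41 DENY TCP 24.1.2.3:1054 > 206.17.5.12:1025 S
2002-07-18 10:21:09 DENY TCP 193.4.5.6:2211 > 204.8.1.2:1025 S
2002-07-18 10:33:27 DENY TCP 61.2.2.2:1998 > 204.8.1.3:1025 S
2002-07-18 10:40:00 DENY TCP 61.2.2.2:2000 > 204.8.1.3:80 S
2002-07-18 11:00:15 DENY TCP 212.9.9.9:3001 > 204.8.1.4:1025 S
2002-07-18 11:03:48 DENY TCP 12.34.56.78:1026 > 204.8.1.5:1025 S
2002-07-18 11:07:02 DENY TCP 81.1.1.1:4444 > 206.17.5.13:1025 S
2002-07-18 11:11:11 DENY TCP 150.3.3.3:1111 > 206.17.5.14:1025 S
2002-07-18 11:15:30 DENY TCP 24.1.2.3:1060 > 206.17.5.15:1025 S
2002-07-18 11:20:00 DENY TCP 99.9.9.9:2222 > 206.17.5.16:1025 S
2002-07-18 11:25:00 DENY TCP 99.9.9.9:2223 > 206.17.5.16:1025 SA
2002-07-18 11:30:00 DENY TCP 203.0.113.5:3333 > 204.8.1.6:1025 S
"""

# Constructed control case: one host sweeping a few targets in one burst.
SCAN_LOG = """\
2002-07-18 12:00:01 DENY TCP 10.0.0.9:5001 > 206.17.5.20:1025 S
2002-07-18 12:00:02 DENY TCP 10.0.0.9:5002 > 206.17.5.21:1025 S
2002-07-18 12:00:03 DENY TCP 10.0.0.9:5003 > 206.17.5.22:1025 S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DENY TCP "
    r"(?P<src>[\d.]+):\d+ > (?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>[A-Z]+)$"
)


def parse_denied_syns(log_text, dport=1025):
    """Return (timestamp, src_ip, dst_ip) for denied bare SYNs to dport.

    A denied SYN carries no payload, so this is all the log can tell us:
    who knocked, on which host, and when.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group("dport")) != dport:
            continue
        flags = m.group("flags")
        if "S" not in flags or "A" in flags:  # drop SYN-ACKs and other traffic
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("src"), m.group("dst")))
    return events


def slash16(ip):
    """Collapse an IPv4 address to its /16, the granularity used in the thread."""
    a, b = ip.split(".")[:2]
    return f"{a}.{b}.0.0/16"


def hourly_source_counts(events):
    """Distinct source IPs per hour, oldest hour first."""
    buckets = defaultdict(set)
    for ts, src, _ in events:
        buckets[ts.strftime("%Y-%m-%d %H:00")].add(src)
    return {hour: len(srcs) for hour, srcs in sorted(buckets.items())}


def destination_networks(events):
    """Sorted list of /16s that received probes (which nets the scan list hit)."""
    return sorted({slash16(dst) for _, _, dst in events})


def classify(events, min_sources=5):
    """Heuristic triage. Thresholds are assumptions for this example.

    few-source scan:        under min_sources distinct sources (one scanner)
    worm-like ramp-up:      many sources and a strictly rising hourly count
    many sources, no ramp:  distributed but flat (e.g. a coordinated sweep)
    """
    sources = {src for _, src, _ in events}
    if len(sources) < min_sources:
        return "few-source scan"
    counts = list(hourly_source_counts(events).values())
    ramping = len(counts) >= 3 and all(a < b for a, b in zip(counts, counts[1:]))
    return "worm-like ramp-up" if ramping else "many sources, no ramp"


if __name__ == "__main__":
    ev = parse_denied_syns(SAMPLE_LOG)
    print(hourly_source_counts(ev))
    print(destination_networks(ev))
    print(classify(ev))
    print(classify(parse_denied_syns(SCAN_LOG)))
```

The classification is only a hint about spread, not proof of a worm: a denied SYN tells you nothing about what the peer would have sent, which is exactly H C's objection, and a scanner spoofing or rotating sources will also show many distinct IPs. Comparing destination_networks() across sensors on different /16s is what lets you tell a targeted or poorly seeded scan list from a general outbreak, as the reply does for 138./16 and 128./16.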

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
