Security Incidents mailing list archives

Re: Unusual volume: UDP:137 probes


From: John Sage <jsage () finchhaven com>
Date: Tue, 1 Oct 2002 12:46:53 -0700

Michael:

On Tue, Oct 01, 2002 at 09:37:18AM -0700, Scott, Michael R. wrote:
> Correction/update to my earlier post:
> It seems to be scanning random chunks of addresses, not /16's, see below for
> a listing of targets probed over a 75 second period.  Notice how it starts
> off with incrementing the host of a /24 then jumps to a different /8 and
> increments only the first octet.  Yesterday night's NAV signatures detect it
> as W32.Opaserv.Worm.  A view of the properties of the file shows a C time of
> this past Sat night (9/28 19:32 PST), and an M time of 1/1/70.

What is the relationship between the IP this scanning host had, and
the IP blocks it started scanning, or the IP blocks it scanned at all?

Any?

> 181.5.73.183
> 181.5.73.184
> 181.5.73.185
> 181.5.73.186
> 181.5.73.187
> 181.5.73.188
> 181.5.73.189

<snippage>


- John
-- 
"It's a troll! Run!^H^H^H^H Laugh!"

PGP key:     http://www.finchhaven.com/pages/gpg_pubkey.html
Fingerprint: C493 9F26 05A9 6497 9800  4EF6 5FC8 F23D 35A4 F705
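
Added example, not part of the original post or thread: one way to work on the question above from a probe log, by splitting the ordered target list into runs that step a single octet and measuring how many leading bits each run shares with the scanner's address. The 181.5.73.x targets are the ones quoted above; the 240.x targets and the source 192.0.2.10 are constructed placeholders, and the function names are this example's own.

```python
import ipaddress

def stepping_octet(a, b):
    """Index (0-3) of the single octet that grew by exactly 1 from a to b, else None."""
    pa, pb = a.packed, b.packed
    diff = [i for i in range(4) if pa[i] != pb[i]]
    if len(diff) == 1 and pb[diff[0]] - pa[diff[0]] == 1:
        return diff[0]
    return None

def split_runs(targets):
    """Group an ordered list of probed addresses into runs stepping one octet by +1."""
    addrs = [ipaddress.IPv4Address(t) for t in targets]
    if not addrs:
        return []
    runs = []
    cur = {"start": str(addrs[0]), "count": 1, "octet": None}
    for prev, nxt in zip(addrs, addrs[1:]):
        step = stepping_octet(prev, nxt)
        if step is not None and cur["octet"] in (None, step):
            cur["octet"] = step
            cur["count"] += 1
        else:
            # Pattern broke (jump, or a different octet started stepping): new run.
            runs.append(cur)
            cur = {"start": str(nxt), "count": 1, "octet": None}
    runs.append(cur)
    return runs

def shared_prefix_bits(src, dst):
    """Number of leading bits two IPv4 addresses have in common (0-32)."""
    x = int(ipaddress.IPv4Address(src)) ^ int(ipaddress.IPv4Address(dst))
    return 32 - x.bit_length()

# Targets in probe order: first seven from the post, last three constructed.
SAMPLE_TARGETS = [
    "181.5.73.183", "181.5.73.184", "181.5.73.185", "181.5.73.186",
    "181.5.73.187", "181.5.73.188", "181.5.73.189",
    "240.1.2.3", "241.1.2.3", "242.1.2.3",
]
SCANNER_SRC = "192.0.2.10"  # constructed placeholder, not the real scanning host

if __name__ == "__main__":
    for run in split_runs(SAMPLE_TARGETS):
        bits = shared_prefix_bits(SCANNER_SRC, run["start"])
        print(f"{run['start']:>15}  x{run['count']:<3} steps octet "
              f"{run['octet']}  shares /{bits} with source")
```

A run whose start shares 16 or more leading bits with the source would point at local-network-first target selection; values near 0 to 2, as with these placeholders, are what unrelated addresses look like.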
