RE: Detected NMAP scan

[Lamont Granquist <lamontg () raven genome washington edu>]

On Wed, 6 Jan 1999, Frank W. Keeney wrote:
> I get scanned at least ten times a week!
>
> With the 1.x versions of nmap, Linux ipfwadm successfully logged all
> stealth scans in my lab.

Yup, but one stealth scan looks an awful lot like another.  I posted this
because it had the signature port 80 ACK sweep in conjunction with an ICMP
ping scan which only nmap 2 does...
 
>       ----------
>       From:  Lamont Granquist
> [SMTP:lamontg () raven genome washington edu]
>       Sent:  Wednesday, January 06, 1999 12:40 PM
>       To:  nmap-hackers () insecure org
>       Subject:  Detected NMAP scan
>
>
>       So, on Jan 3rd a machine that I admin got scanned, and with the
> ipfw.c
>       hack that I posted previously, I recorded the following packets,
>       suggesting that it was someone with nmap2.  I thought I'd post
> it here as
>       a sighting of nmap "in the wild":
>
>       Jan  3 04:16:14 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP
> 148.81.145.199:62233 192.168.0.1:80
>       Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8
> 148.81.145.199 192.168.0.1
>       Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8
> 148.81.145.199 192.168.0.1
>       Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 ICMP/8
> 148.81.145.199 192.168.0.1
>       Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP
> 148.81.145.199:62234 192.168.0.1:80
>       Jan  3 04:16:15 6A:192.168.0.1 kernel: IP fw-in deny eth0 TCP
> 148.81.145.199:62235 192.168.0.1:80
>
>       I've also identified people doing SYN scans of port 635 which is
> where
>       mountd often/normally resides on a linux system.
>       

-- 
Lamont Granquist                       lamontg () raven genome washington edu
Dept. of Molecular Biotechnology       (206)616-5735  fax: (206)685-7344
Box 352145 / University of Washington / Seattle, WA 98195
PGP pubkey: finger lamontg () raven genome washington edu | pgp -fka