Snort mailing list archives

RE: Portscans from China?

From: Mike Arrison <arrison () graphcalc com>
Date: Sun, 14 Apr 2002 09:45:26 -0400

China is a known haven for hackers.  Due to the relative infancy of their
online connectivity, there are many servers there that have not been
secured.  Among the most common are mail servers that are left as open
relays for spam.  Others are compromised systems controlled by (often
American) foreign hackers, used to mask their origin.

Of course, there has also been a large contingent of actual Chinese
hackers.  There are rumors that the Chinese government actually sponsors
these guys to do a little American recon.  If your organization is
involved in anything high tech, weapons or nuclear related, I would not
be surprised at all to see the Chinese scanning you.

My suggestion: Start logging all packets from Asia, not just alerts.
You can figure out what those IPs are here:
http://www.iana.com/assignments/ipv4-address-space .  Look for entries
for APNIC (Asia Pacific Network Information Center).

But this is just my paranoid assessment.  Anyone have any
non-conspiracy-theory thoughts?

        -Mike Arrison

-----Original Message-----
From: snort-users-admin () lists sourceforge net
[mailto:snort-users-admin () lists sourceforge net] On Behalf Of Tudor Panaitescu
Sent: Sunday, April 14, 2002 8:36 AM
To: snort-users () lists sourceforge net
Subject: [Snort-users] Portscans from China ?

Hello Everyone,

I am getting hundreds of portscans daily to port 80 TCP from hosts
residing in China. Some of them are directed only to our web sites in
the DMZ; some are targeting the entire DMZ network, trying to scan the
hosts one by one. The source addresses are not the same from one scan
to another, they are always different, they don't resolve with reverse
lookup, and they look like well-protected systems when trying to connect
to them on different ports (no scanning in return though...). The
portscan.log always shows INVALIDACK ***A*R*F for these scans. The
alerts log shows only STEALTH [**]. The Apache log files show nothing
but 408 (request time out) for these connections.

Is anybody else experiencing the same thing? Does anybody have any idea
what this is all about?

TIA,
Tudor

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
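As an added example (not code from either poster, nor from Snort itself), the following script shows how a defender could triage the kind of portscan.log entries Tudor describes in the way Mike suggests: it decodes Snort's 12UAPRSF flag string, marks TCP flag combinations such as ***A*R*F (ACK+RST+FIN) that never occur in legitimate traffic, groups probes by source, and notes which sources fall in a watch list of address blocks. The log line layout, the sample lines and the watch-list prefixes are constructed placeholders, not real Snort output or real APNIC allocations.

```python
import ipaddress
import re
from collections import defaultdict

# Snort prints TCP flags as an 8-character string in the order "12UAPRSF":
# a set bit shows its letter, a clear bit shows '*', so "***A*R*F" is ACK+RST+FIN.
FLAG_ORDER = "12UAPRSF"

# Constructed portscan.log lines. The layout (timestamp, src:port -> dst:port,
# scan type, flag string) is assumed for this example, not taken from Snort docs.
SAMPLE_LOG = """\
Apr 14 08:31:02 203.0.113.7:3421 -> 198.51.100.10:80 INVALIDACK ***A*R*F
Apr 14 08:31:02 203.0.113.7:3422 -> 198.51.100.11:80 INVALIDACK ***A*R*F
Apr 14 08:31:03 203.0.113.7:3423 -> 198.51.100.12:80 INVALIDACK ***A*R*F
Apr 14 08:40:17 192.0.2.55:40001 -> 198.51.100.10:80 SYN ******S*
Apr 14 08:41:09 198.51.100.200:1025 -> 198.51.100.10:80 SYN ******S*
"""

# Placeholder watch list standing in for the prefixes an analyst would pull from
# the IANA/APNIC listing; these are RFC 5737 documentation ranges, not real ones.
WATCH_PREFIXES = [ipaddress.ip_network("203.0.113.0/24"),
                  ipaddress.ip_network("192.0.2.0/24")]

LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) (\S+):(\d+) -> (\S+):(\d+) (\S+) (\S{8})$")

def decode_flags(flag_str):
    """Return the set of TCP flag letters that are set in a Snort flag string."""
    return {f for f, ch in zip(FLAG_ORDER, flag_str) if ch != "*"}

def is_invalid_combo(flags):
    """RST never legitimately travels with SYN or FIN, and SYN+FIN is bogus too."""
    return bool("R" in flags and flags & {"S", "F"}) or {"S", "F"} <= flags

def in_watch_list(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCH_PREFIXES)

def summarize(log_text):
    """Group probes by source: distinct targets, invalid-flag count, watch-list hit."""
    report = defaultdict(lambda: {"targets": set(), "invalid": 0, "watched": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        _, src, _, dst, _, _, flag_str = m.groups()
        entry = report[src]
        entry["targets"].add(dst)
        entry["invalid"] += is_invalid_combo(decode_flags(flag_str))
        entry["watched"] = in_watch_list(src)
    return dict(report)
```

Calling `summarize(SAMPLE_LOG)` returns one entry per source; a source hitting many DMZ hosts with only invalid-flag probes and sitting in a watched block is the pattern Tudor describes.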
