Snort mailing list archives

Web servers scanning clients!!!

From: Farzin <farzing () yahoo com>
Date: Thu, 26 Dec 2002 16:15:31 -0800 (PST)

Hi All,

Looking at my snort logs, I see that when a user
access some sites such as
http://www.nationalenquirer.com (38.144.52.102), the
server turns around and scan about 21 ports on the
client. Does anyone know why this is? below is the
log:

[**] [117:1:1] (spp_portscan2) Portscan detected from
38.144.52.102: 1 targets 21 ports in 2 seconds [**]
12/26-14:31:33.546312 38.144.52.102:80 -> MY.IP:34189
TCP TTL:236 TOS:0x0 ID:5084 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x4613D2D4  Ack: 0xF07A44E3  Win: 0x2798
 TcpLen: 44
TCP Options (9) => NOP NOP TS: 1229213631 743607218
NOP WS: 0 
TCP Options => NOP NOP SackOK MSS: 1460 

[**] [117:1:1] (spp_portscan2) Portscan detected from
38.144.52.102: 1 targets 21 ports in 2 seconds [**]
12/26-14:31:59.919274 38.144.52.102:80 -> MY.IP:34227
TCP TTL:236 TOS:0x0 ID:5279 IpLen:20 DgmLen:64 DF
***A**S* Seq: 0x49DDC83A  Ack: 0xF12A7099  Win: 0x2798
 TcpLen: 44
TCP Options (9) => NOP NOP TS: 1229216268 743609855
NOP WS: 0 
TCP Options => NOP NOP SackOK MSS: 1460 


TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34189 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34191 tgts: 1 ports: 22 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34192 tgts: 1 ports: 23 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34193 tgts: 1 ports: 24 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34194 tgts: 1 ports: 25 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34195 tgts: 1 ports: 26 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34196 tgts: 1 ports: 27 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34197 tgts: 1 ports: 28 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34198 tgts: 1 ports: 29 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34199 tgts: 1 ports: 30 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34200 tgts: 1 ports: 31 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34201 tgts: 1 ports: 32 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34202 tgts: 1 ports: 33 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34203 tgts: 1 ports: 34 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34204 tgts: 1 ports: 35 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34205 tgts: 1 ports: 36 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34206 tgts: 1 ports: 37 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34207 tgts: 1 ports: 38 flags: ***A**S* event_id: 204
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34227 tgts: 1 ports: 21 flags: ***A**S* event_id: 0
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34228 tgts: 1 ports: 22 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34229 tgts: 1 ports: 23 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34230 tgts: 1 ports: 24 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34231 tgts: 1 ports: 25 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34232 tgts: 1 ports: 26 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34233 tgts: 1 ports: 27 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34235 tgts: 1 ports: 28 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34236 tgts: 1 ports: 29 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34237 tgts: 1 ports: 30 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34238 tgts: 1 ports: 31 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34239 tgts: 1 ports: 32 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34240 tgts: 1 ports: 33 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34241 tgts: 1 ports: 34 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34242 tgts: 1 ports: 35 flags: ***A**S* event_id: 213
TCP src: 38.144.52.102 dst: my.ip. sport: 80 dport:
34243 tgts: 1 ports: 36 flags: ***A**S* event_id: 213

Thanks in advance,


__________________________________________________
Do you Yahoo!?
Yahoo! Mail Plus - Powerful. Affordable. Sign up now.
http://mailplus.yahoo.com


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users

Current thread:

Web servers scanning clients!!! Farzin (Dec 26)
- Re: Web servers scanning clients!!! Matt Kettler (Dec 26)
  - Re: Web servers scanning clients!!! Jason (Dec 26)
    - Re: Web servers scanning clients!!! Matt Kettler (Dec 26)
    - Re: Web servers scanning clients!!! Jason (Dec 26)
    - Re: Web servers scanning clients!!! Matt Kettler (Dec 26)
- Re: Web servers scanning clients!!! Alberto Gonzalez (Dec 26)
  - Re: Web servers scanning clients!!! Alberto Gonzalez (Dec 26)