Re: [Snort-sigs] Scan on tcp 13000

[Michael Scheidell <scheidell () secnap net>]

> Has anyone else seen any tcp scans with both source and destination ports of
> 13000, SYN flag set, and a sequence ID of 674711609? My sensors are catching
> it as a Shaft synflood because of the sequence ID, but the traffic pattern
> is more like a sweep - single source, 1 packet each to 119 sequential
> destinations. No other traffic from this source, I can't find any info on
> tcp 13000. I'm ready to write it off as a very strange (and singularly
> unproductive) tcp ping sweep, but thought I should check with the
> community-at-large first....

Yep, coming out of columbia.edu.
Called them and sent logs earlier today
(symantec: take note.. we saw it first)

see:
http://www.mynetwatchman.com/LID.asp?IID=22029380
funny ting, on the security section of their web site them mention that
they had their web site defaced and users redurected towards a porn site
yesterday.
I called them up, thinking that they might have staff on duty.. noop,
nothing, all phone lines, help desk, security phones have ' thank you for
calling when we are all home', press 0 for operator, nothing.

What source ip addresses are you seeing?

-- 
Michael Scheidell, CEO
SECNAP Network Security, LLC 
Sales: 866-SECNAPNET / (1-866-732-6276)
Main: 561-368-9561 / www.secnap.net
Looking for a career in Internet security?
http://www.secnap.net/employment/


-------------------------------------------------------
This sf.net email is sponsored by:ThinkGeek
Welcome to geek heaven.
http://thinkgeek.com/sf
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users