Snort mailing list archives

Port 17300 scans


From: "Mark Scott" <mscott () mtgroup com>
Date: Tue, 18 Feb 2003 16:46:26 -0600

For those tracking the 17300 scans, here are some more data on the 17300
scans. I had several nodes that were quickly scanned and the snort data all
looked the same. Below are the snort alerts from one of my nodes.

Also of interest... they originated from 3 different IPs (211.199.119.223
[Korea], 61.182.210.111 [China] and 61.182.210.22 [China]) to the very same
nodes on my network. Any significance to the fact that the 3 src IPs are
hitting the same nodes on the network simultaneously?

Regards,

Mark
Mark Scott
Memphis Technology Associates
http://mtgroup.com

=========================================================================


[**] Port 17300 Scan [**]
02/18/03-16:22:29.625943 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800
len:0x3E
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19234
IpLen:20 DgmLen:48 DF
******S* Seq: 0x429C8DF  Ack: 0x0  Win: 0x2000  TcpLen: 28
TCP Options (4) => MSS: 1422 NOP NOP SackOK 

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:29.867155 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800
len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:19746
IpLen:20 DgmLen:40 DF
***A**** Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:29.868560 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800
len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:20002
IpLen:20 DgmLen:40 DF
***A**** Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:29.869628 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800
len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:20258
IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:32.800830 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800
len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:24354
IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:38.804678 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800
len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:39714
IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:22:50.802199 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800
len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:60194
IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:23:14.853085 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800
len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:55075
IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

[**] Port 17300 Scan [**]
02/18/03-16:24:02.882797 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800
len:0x3C
211.199.119.223:1916 -> 10.10.10.49:17300 TCP TTL:107 TOS:0x0 ID:56101
IpLen:20 DgmLen:40 DF
***A***F Seq: 0x429C8E0  Ack: 0xF2644EE8  Win: 0x2180  TcpLen: 20

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
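
One way to check the question raised in the message above (several sources hitting the same node at once), as an added example that is not part of the original post: parse the wrapped alerts and list each target whose alerts come from more than one source within a short window. The names `parse_alerts` and `shared_targets`, the 60-second window, and every sample record except the first are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the mail-wrapped alert layout shown in the post.
# Only the first (time, src, dst) tuple is taken from the post; the rest are made up.
TEMPLATE = ("[**] Port 17300 Scan [**]\n"
            "02/18/03-{ts} 0:C0:7B:A2:DD:CC -> 0:0:F:FF:FF:FF type:0x800\nlen:0x3E\n"
            "{src}:1916 -> {dst}:17300 TCP TTL:107 TOS:0x0 ID:19234\nIpLen:20 DgmLen:48 DF\n"
            "******S* Seq: 0x429C8DF  Ack: 0x0  Win: 0x2000  TcpLen: 28\n\n")
SAMPLE = "".join(TEMPLATE.format(ts=t, src=s, dst=d) for t, s, d in [
    ("16:22:29.625943", "211.199.119.223", "10.10.10.49"),  # from the post
    ("16:22:30.100000", "61.182.210.111", "10.10.10.49"),   # constructed
    ("16:22:31.500000", "61.182.210.22", "10.10.10.49"),    # constructed
    ("16:40:00.000000", "61.182.210.22", "10.10.10.50"),    # constructed, lone source
])

# One alert record: timestamp, then the IP line, then the TCP flag field.
# DOTALL lets each lazy gap span the line breaks the mailer inserted.
REC = re.compile(
    r"(\d\d/\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)"
    r".*?(\d+(?:\.\d+){3}):\d+ -> (\d+(?:\.\d+){3}):(\d+) TCP"
    r".*?^([*A-Z12]{8}) Seq",
    re.S | re.M)

def parse_alerts(text):
    """Return (time, src, dst, dport, flags) for every alert found in text."""
    return [(datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"), src, dst, int(dport), flags)
            for ts, src, dst, dport, flags in REC.findall(text)]

def shared_targets(alerts, window_s=60, min_sources=2):
    """Map (dst, dport) to its sources when all their first alerts fall within window_s."""
    first_seen = defaultdict(dict)          # (dst, dport) -> {src: time of first alert}
    for when, src, dst, dport, _flags in sorted(alerts):
        first_seen[(dst, dport)].setdefault(src, when)
    hits = {}
    for target, srcs in first_seen.items():
        times = sorted(srcs.values())
        if len(srcs) >= min_sources and (times[-1] - times[0]).total_seconds() <= window_s:
            hits[target] = sorted(srcs)
    return hits

if __name__ == "__main__":
    for (dst, dport), srcs in shared_targets(parse_alerts(SAMPLE)).items():
        print(f"{dst}:{dport} hit by {len(srcs)} sources in the window: {', '.join(srcs)}")
```

Run over a real alert file, a target that appears here with several unrelated source addresses is worth comparing across sensors before drawing conclusions about coordination.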


